
Over 6,000 Routers Still Vulnerable As Ballista Botnet Expands
- Written by Kiara Fabbri Former Tech News Writer
- Fact-Checked by Sarah Frazier Former Content Manager
A newly discovered botnet called Ballista is actively targeting TP-Link Archer routers, exploiting a known security flaw to spread across the internet, according to cybersecurity researchers at Cato Networks.
In a Rush? Here are the Quick Facts!
- Over 6,000 vulnerable routers remain online despite CISA’s patching advisory.
- Ballista has targeted organizations in the U.S., Australia, China, and Mexico.
- Researchers suspect the botnet may enable data theft and is evolving on GitHub.
The botnet takes advantage of a firmware vulnerability, tracked as CVE-2023-1389, which allows attackers to gain remote access to unpatched TP-Link routers.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has already flagged the flaw, urging agencies to patch their devices. Despite this, more than 6,000 vulnerable routers remain online, according to a search on cybersecurity platform Censys.
Cato Networks first detected the Ballista campaign on January 10, noting several infiltration attempts, with the latest recorded on February 17.
The botnet’s malware lets attackers execute commands on compromised devices, raising concerns that its creator—who is believed to be based in Italy—may have larger goals beyond typical botnet operations.
“We suspect we caught this campaign in its early stages,” said Matan Mittelman, threat prevention team leader at Cato Networks, as reported by The Record. “We saw it evolving, as within a short timeframe, the threat actor changed the initial dropper to allow stealthier connections to the C2 server through the Tor network,” he added.
Ballista has already targeted organizations in manufacturing, healthcare, technology, and services across the U.S., Australia, China, and Mexico. The malware completely takes over infected routers, reads their configuration files, and then spreads to other devices.
Cato’s security team also found evidence that the botnet may be capable of data theft. While the original IP address linked to the hacker is no longer active, researchers discovered an updated version of the malware on GitHub, indicating that the attack campaign is evolving.
Cato researchers noted that the campaign appears to be growing more sophisticated. While the malware shares some traits with other botnets, it remains distinct from well-known ones like Mirai and Mozi.
The persistent targeting of internet routers by hackers is nothing new. Experts say IoT devices like routers are prime targets due to weak passwords, poor maintenance, and a lack of automatic security updates.
Mittelman explained that over the years, major IoT botnets such as Mirai and Mozi have demonstrated how easily routers can be exploited, and threat actors have taken advantage of this.
He highlighted two key factors that have contributed to the issue: users often neglect to update the firmware on their routers, and router vendors generally fail to prioritize security.
TP-Link routers have been a recurring security concern. The Wall Street Journal recently reported that U.S. agencies are considering banning them due to repeated exploitation by Chinese hackers.

North Korean Spyware KoSpy Targets Android Users Via Fake Apps
- Written by Kiara Fabbri Former Tech News Writer
- Fact-Checked by Sarah Frazier Former Content Manager
Researchers from cybersecurity firm Lookout have uncovered a new Android spyware, KoSpy, attributed to the North Korean hacking group APT37, also known as ScarCruft.
In a Rush? Here are the Quick Facts!
- The malware steals SMS, call logs, location, audio, files, and screenshots.
- KoSpy apps were on Google Play but have been removed by Google.
- The spyware communicates via Firebase and a two-stage Command and Control system.
The malware, first spotted in March 2022, remains active and has been embedded in fake utility apps like “File Manager,” “Software Update Utility,” and “Kakao Security.” These apps, previously available on Google Play and third-party stores such as Apkpure, were designed to target Korean and English-speaking users.
KoSpy collects a wide range of sensitive information, including text messages, call logs, location data, files, audio recordings, and screenshots.
The spyware operates using a two-stage command-and-control (C2) system, first retrieving configurations from a Firebase cloud database before establishing communication with remote servers. This setup allows the attackers to change servers or disable the malware as needed.
Google has removed all known malicious apps from its Play Store. A spokesperson stated, “Google Play Protect automatically protects Android users from known versions of this malware on devices with Google Play Services, even when apps come from sources outside of Play,” as reported by The Record.
KoSpy also shares infrastructure with another North Korean state-backed hacking group, APT43, known for spearphishing campaigns that deploy malware to steal sensitive data. This overlap in infrastructure makes precise attribution difficult, but Lookout researchers link KoSpy to APT37 with medium confidence.
ScarCruft has been conducting cyber-espionage operations since 2012, primarily targeting South Korea but also extending its reach to Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and the Middle East. The group has been linked to attacks on media organizations and high-profile academics, as well as a malware operation in Southeast Asia.
Although KoSpy is no longer available on the Google Play Store, researchers warn that users should remain cautious of suspicious apps, especially those requesting excessive permissions. Keeping devices updated and relying on official app stores with security protections like Google Play Protect can help mitigate risks.
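The "excessive permissions" warning above can be turned into a concrete triage check. The script below is an added example, not code from Lookout or from the article: it parses the `<uses-permission>` entries of an Android manifest and maps them onto the data categories the article says KoSpy collects (SMS, call logs, location, audio, files). The manifest is constructed for a hypothetical "File Manager" app, the permission-to-category grouping and the `EXPECTED` table of what each app kind plausibly needs are assumptions for illustration, and screenshots are left out because screen capture on Android is not gated by a manifest permission.

```python
"""Flag Android apps whose requested permissions cover the data categories
the article attributes to KoSpy. Added example; the manifest below is a
constructed sample, not taken from any real app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed grouping of standard Android permissions into the article's
# data categories (the permission names are real; the grouping is ours).
SENSITIVE = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "files": {"android.permission.READ_EXTERNAL_STORAGE",
              "android.permission.MANAGE_EXTERNAL_STORAGE"},
}

# Assumed baseline: categories a given kind of utility app plausibly needs.
EXPECTED = {
    "file_manager": {"files"},
    "software_updater": set(),
}

# Constructed manifest fragment for a hypothetical "File Manager" app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set[str]:
    """Return the android:name value of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def sensitive_categories(perms: set[str]) -> set[str]:
    """Which of the article's data categories do these permissions unlock?"""
    return {cat for cat, names in SENSITIVE.items() if perms & names}


def excessive_for(app_kind: str, perms: set[str]) -> set[str]:
    """Sensitive categories requested beyond what the stated app kind needs."""
    return sensitive_categories(perms) - EXPECTED.get(app_kind, set())


if __name__ == "__main__":
    perms = requested_permissions(SAMPLE_MANIFEST)
    extra = excessive_for("file_manager", perms)
    print("requested:", sorted(perms))
    print("sensitive categories:", sorted(sensitive_categories(perms)))
    print("excessive for a file manager:", sorted(extra) or "none")
```

Run against a real APK by extracting its decoded manifest (for example with `apktool`, an existing tool) and passing the XML text to `requested_permissions`; a "file manager" that also wants SMS, call-log, location and microphone access is exactly the mismatch the article tells users to be wary of.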