A major new large-scale botnet named RondoDox is currently leveraging an aggressive "exploit shotgun" strategy to target 56 vulnerabilities across more than 30 distinct device types. The attackers have been active since June and are focusing on a wide range of exposed devices, including DVRs, NVRs, CCTV systems, and web servers.
Weaponizing Hacking Competition Flaws
A key tactic of RondoDox is weaponizing vulnerabilities first disclosed during prestigious hacking competitions like Pwn2Own. Trend Micro researchers noted that the botnet quickly incorporates these exploits, demonstrating that its developers pay close attention to publicly demonstrated zero-day flaws.
For instance, RondoDox exploits CVE-2023-1389, a flaw in the TP-Link Archer AX21 Wi-Fi router that was originally demonstrated at Pwn2Own Toronto 2022. This mirrors a trend where botnets, such as Mirai, rapidly adopt and exploit newly publicized vulnerabilities.
Broad Target Scope
The botnet's arsenal includes dozens of post-2023 "n-day" flaws affecting numerous vendors, including:
- Networking Gear: TP-Link, QNAP, D-Link, Netgear, and TOTOLINK routers and NAS devices.
- Surveillance Systems: Digiever, TVT, and LILIN DVRs.
- Other IoT: TRENDnet, LB-LINK, and Edimax devices.
The threat posed by RondoDox is amplified because it targets both old, unpatched end-of-life equipment and newer devices whose users often ignore firmware updates. Furthermore, Trend Micro discovered that the botnet includes exploits for 18 command injection flaws that have not even been assigned official vulnerability IDs (CVEs).
To protect against RondoDox and similar botnets, users are strongly urged to apply the latest available firmware updates, replace any end-of-life equipment, and practice network segmentation to isolate critical data from internet-facing IoT devices.
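The segmentation advice above can be made concrete with a forward-filter ruleset on the home or office router. The script below is an added example, not material from the article or from Trend Micro: it generates an nftables ruleset that isolates an IoT VLAN from the trusted LAN while still letting the IoT devices reach the internet for firmware updates. The interface names and the LAN subnet are assumptions and should be replaced with the real ones before loading.

```shell
#!/bin/sh
# Added example (not from the article): generate an nftables forward-chain ruleset
# that keeps IoT devices (DVRs, cameras, routers on their own VLAN) away from the
# trusted LAN. Interface names and the subnet below are assumptions.
IOT_IF="${IOT_IF:-vlan20}"              # assumed: interface carrying the IoT VLAN
LAN_IF="${LAN_IF:-lan0}"                # assumed: interface carrying the trusted LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # assumed: trusted LAN subnet

# Print the ruleset to stdout so it can be reviewed, then loaded with `nft -f`.
gen_iot_ruleset() {
  cat <<EOF
table inet iot_isolation {
  chain forward {
    type filter hook forward priority 0; policy drop;
    # replies to sessions that were already allowed
    ct state established,related accept
    # IoT may reach the internet (firmware updates) but never the trusted LAN
    iifname "$IOT_IF" ip daddr $LAN_NET drop
    iifname "$IOT_IF" accept
    # the trusted LAN may initiate sessions to IoT devices and to the internet
    iifname "$LAN_IF" accept
  }
}
EOF
}

# Sanity check on the generated text: the IoT->LAN drop rule must precede the
# broad IoT->anywhere accept, otherwise the isolation is silently bypassed.
# Returns 0 when the order is correct, 1 otherwise.
check_order() {
  gen_iot_ruleset | awk -v iot="$IOT_IF" -v lan="$LAN_NET" '
    ($0 ~ ("iifname \"" iot "\" ip daddr " lan " drop")) && !drop { drop = NR }
    ($0 ~ ("iifname \"" iot "\" accept")) && !accept { accept = NR }
    END { exit !(drop && accept && drop < accept) }'
}

# Usage: generate, review, syntax-check with `nft -c -f`, then load with `nft -f`.
if [ "${1:-}" = "print" ]; then
  check_order && gen_iot_ruleset
fi
```

Run the script with `print` to emit the ruleset, save it to a file, and validate it with `nft -c -f <file>` before applying it with `nft -f <file>`. The forward chain's default policy is drop, so anything not explicitly allowed (including IoT-to-LAN traffic) is discarded; reply traffic is allowed only through conntrack, which is what lets a workstation on the LAN view a camera feed without the camera ever being able to open a connection back.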