A new large-scale botnet called RondoDox is targeting 56 vulnerabilities in more than 30 distinct devices, including flaws first disclosed during Pwn2Own hacking competitions.
The attacker focuses on a wide range of exposed devices, including DVRs, NVRs, CCTV systems, and web servers and have been active since June.
The RondoDox botnet leverages what Trend Micro researchers call an “exploit shotgun” strategy, where numerous exploits are used simultaneously to maximize the infections, even if the activity is very noisy.
Since FortiGuard Labs discovered RondoDox, the botnet appears to have expanded the list of exploited vulnerabilities, which included CVE-2024-3721 and CVE-2024-12856.
Mass n-day exploitation
In a report today, Trend Micro says that RondoDox exploits CVE-2023-1389, a flaw in the TP-Link Archer AX21 Wi-Fi router that was originally demonstrated at Pwn2Own Toronto 2022.
Pwn2Own is a hacking competition organized twice a year by Trend Micro's Zero Day Initiative (ZDI), where white-hat teams demonstrate exploits for zero-day vulnerabilities in widely used products.
RondoDox TP-Link flaw exploitation timeline
Source: Trend Micro
The security researchers note that the botnet developer pay close attention to exploits demonstrated during Pwn2Own events, and move quickly to weaponize them, as Mirai did with CVE-2023-1389 in 2023.
... continue reading