Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Dark Mirai Botnet Targeting RCE on Popular TP-Link Router

Dark Mirai Botnet Targeting RCE on Popular TP-Link Router

The botnet known as Dark Mirai (aka MANGA) has been observed exploiting a new vulnerability on the TP-Link TL-WR840N EU V5, a popular inexpensive home router released in 2017.

The flaw is tracked as CVE-2021-41653 and is caused by a vulnerable ‘host’ variable that an authenticated user can abuse to execute commands on the device.

TP-Link fixed the flaw by releasing a firmware update (TL-WR840N(EU)_V5_211109) on November 12, 2021. However, many users have not applied the security update yet.

The researcher who discovered the vulnerability published a proof of concept (PoC) exploit for the RCE, leading to threat actors using the vulnerability.

According to a report by researchers at Fortinet, who have been following Dark Mirai activity, the botnet added the particular RCE in its arsenal only two weeks after TP-Link released the firmware update.

Also Read: Compliance With Singapore Privacy Obligations; Made Easier!

Exploitation process

In the case of Dark Mirai, the actors exploit CVE-2021-41653 to force the devices to download and execute a malicious script, “,” which in turn downloads the main binary payloads via two requests.

The actors still need to authenticate for this exploit to work, but if the user has left the device with default credentials, it becomes trivial to exploit the vulnerability.

Similar to standard Mirai, MANGA detects the infected machine’s architecture and fetches the matching payload.

Downloading main payloads and blocking connections
Downloading main payloads and blocking connections.
Source: Fortinet

Then, it blocks connections to commonly targeted ports to prevent other botnets from taking over the captured device.

Finally, the malware waits for a command from the C&C (command and control) server to perform some form of a DoS (denial of service) attack.

The various DoS functions of Dark Mirai
The various DoS functions of Dark Mirai
Source: Fortinet

Mirai code still plaguing IoTs

Mirai may be gone, but its code has spawned numerous new botnets that cause large-scale problems to unsecured devices.

Only yesterday, we reported on the emergence of ‘Moobot’ by exploiting a command injection flaw in Hikvision products.

In August 2021, another Mirai-based botnet targeted a critical vulnerability in the software SDK used by a large number of Realtek-based devices.

Also Read: Got A Notice of Data Breach? Don’t Panic!

To secure your router against old and new variants of Mirai or any other botnet, do the following:

  • Apply the available firmware and security updates as soon as possible
  • Change the default administrator credentials with a strong password of 20 or more characters
  • Check your DNS settings regularly
  • Activate firewalls that are oftentimes disabled by default on home routers
  • Change your subnet address and enforce SSL on the management page
  • Disable all remote management features.
  • Disable UPnP and WPS if you’re not using them
  • If your router is outdated and no longer supported by the vendor, replace it with a new one



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us