End-of-life IP cams being used to spread new Mirai botnet (2024)

Infosec in brief A series of IP cameras still used all over the world, despite being well past their end of life, have been exploited to create a new Mirai botnet.

The vulnerability (CVE-2024-7029, CVSS 8.7) was reported to CISA by security researchers from Akamai, who said the campaign they discovered, which leverages a remote code execution (RCE) vulnerability in AVTECH AVM1203 IP cameras, has been active since early 2024, though the vulnerability itself is much older.

"The proof of concept (PoC) for CVE-2024-7029 has been publicly available since at least 2019, but it never had a proper CVE assignment until August 2024," Akamai threat researchers Aline Eliovich, Kyle Lefton and Larry Cashdollar wrote.

Support for AVTECH AVM1203 cameras ended in 2019 as well, and it doesn't appear the manufacturer plans to release a patch.

The exploit doesn't require the attacker to be authenticated, and abuses a flaw in the camera's "brightness" argument within the "action=" parameter to inject commands that run with the same privileges as the owner of the device.
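An added example (not from the article or from Akamai) of the detection logic a defender could run over web-server access logs from such cameras: it parses each request line, decodes the query string and flags any "action=" request whose "brightness" argument is not a plain integer or carries shell metacharacters. The CGI path and the log lines are constructed samples, not the real camera endpoint.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Combined-format access log: client IP, then the quoted request line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Characters that have no business inside a numeric brightness level.
SHELL_META = re.compile(r'[;|&`$()\n]')
NUMERIC = re.compile(r'^-?\d+$')

# Constructed sample log lines; the CGI name and addresses are placeholders.
SAMPLE_LOGS = [
    '10.0.0.5 - - [28/Aug/2024:10:01:02 +0000] "GET /cgi-bin/example.cgi?action=SET&brightness=30 HTTP/1.1" 200 512',
    '203.0.113.7 - - [28/Aug/2024:10:01:03 +0000] "GET /cgi-bin/example.cgi?action=SET&brightness=30;id HTTP/1.1" 200 512',
    '10.0.0.6 - - [28/Aug/2024:10:01:04 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '198.51.100.4 - - [28/Aug/2024:10:01:05 +0000] "GET /cgi-bin/example.cgi?action=SET&brightness=1%24%28id%29 HTTP/1.1" 200 512',
    '10.0.0.7 - - [28/Aug/2024:10:01:06 +0000] "POST /cgi-bin/example.cgi?action=REBOOT HTTP/1.1" 200 64',
]

def parse_query(query):
    """Split on '&' only and percent-decode, so ';' inside a value survives intact."""
    params = {}
    for pair in query.split('&'):
        if pair:
            key, _, val = pair.partition('=')
            params[unquote_plus(key)] = unquote_plus(val)
    return params

def finding_for_line(line):
    """Return a dict describing a suspicious brightness/action request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    params = parse_query(urlsplit(m.group('target')).query)
    if 'action' not in params or 'brightness' not in params:
        return None
    brightness = params['brightness']
    clean = NUMERIC.match(brightness) and not SHELL_META.search(params['action'])
    if clean:
        return None
    return {'ip': m.group('ip'), 'action': params['action'], 'brightness': brightness}

def scan(lines):
    """Run the check over every log line and keep only the hits."""
    return [f for f in map(finding_for_line, lines) if f]
```

Alerting on these hits, or blocking the source at the perimeter, is a stopgap for a device that will never receive a patch; the real fix is taking it off the network.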

"Despite the model in question having been discontinued for several years … these devices are still used worldwide, including by transportation authorities and other critical infrastructure entities," Akamai notes.

Several other old and established vulnerabilities are being used to spread the Mirai variant, which Akamai said appears to be the same COVID-19-themed version that's been floating around since 2020.

Besides CVE-2024-7029, the other vulnerabilities being abused to spread the botnet include a Hadoop YARN RCE, a 10-year-old CVSS 9.8 vulnerability in the Realtek SDK (CVE-2014-8361) and a well-documented flaw in Huawei HG532 routers (CVE-2017-17215).

With those other vulnerabilities also present in aged software and hardware, consider this entire story a reminder to not leave out-of-service devices and outdated software on your networks.

Critical vulnerabilities of the week

This week, we bring to you two rather serious CVEs that have been spotted under active exploitation - one in Apache OFBiz, and the other in Google Chrome V8.

In the first case, we have CVE-2024-38856, found in Apache's open source ERP platform. With a CVSS score of 9.8, this incorrect-authentication issue in all versions of OFBiz through 18.12.14 can let unauthenticated endpoints improperly execute screen-rendering code.

In the latter case, the V8 JavaScript engine in Chrome versions prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption using a malicious HTML page. The vulnerability is tracked as CVE-2024-7965, with a CVSS score of 8.8.
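An added example (not from the article or from either vendor) of triaging an asset inventory against the version boundaries given above. The point it makes is that "through 18.12.14" is an inclusive upper bound while "prior to 128.0.6613.84" is exclusive, and that versions must be compared as integer tuples, not strings (as strings, "9" sorts after "10"). The inventory and host names are constructed; the AVTECH entry is flagged on any version because the article says no patch is planned.

```python
import re

def version_tuple(v):
    """'128.0.6613.84' -> (128, 0, 6613, 84); ignores any non-numeric suffix."""
    return tuple(int(x) for x in re.findall(r'\d+', v))

# Affected ranges exactly as the article states them.
# 'last_affected' is inclusive; 'first_fixed' is exclusive; 'unfixed' means every version.
ADVISORIES = {
    'CVE-2024-38856': {'product': 'apache-ofbiz', 'last_affected': '18.12.14', 'cvss': 9.8},
    'CVE-2024-7965': {'product': 'google-chrome', 'first_fixed': '128.0.6613.84', 'cvss': 8.8},
    'CVE-2024-7029': {'product': 'avtech-avm1203', 'unfixed': True, 'cvss': 8.7},
}

def is_affected(advisory, version):
    """Apply the advisory's boundary semantics to one installed version."""
    if advisory.get('unfixed'):
        return True
    vt = version_tuple(version)
    if 'last_affected' in advisory:
        return vt <= version_tuple(advisory['last_affected'])
    return vt < version_tuple(advisory['first_fixed'])

def triage(inventory):
    """Return (host, cve, cvss) for every affected asset, highest CVSS first."""
    hits = []
    for host, product, version in inventory:
        for cve, adv in ADVISORIES.items():
            if adv['product'] == product and is_affected(adv, version):
                hits.append((host, cve, adv['cvss']))
    return sorted(hits, key=lambda h: -h[2])

# Constructed sample inventory: (hostname, product, installed version).
INVENTORY = [
    ('erp-01', 'apache-ofbiz', '18.12.14'),
    ('erp-02', 'apache-ofbiz', '18.12.15'),
    ('wks-07', 'google-chrome', '127.0.6533.120'),
    ('wks-08', 'google-chrome', '128.0.6613.84'),
    ('cam-03', 'avtech-avm1203', '1.0'),
]
```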

Add another half million to those MOVEit numbers

It's been a while since we've had to mention a new MOVEit victim coming forward - yet here we are.

The Texas Dow Employees Credit Union filed a data breach notification in Maine last week indicating that data belonging to 500,474 customers had been exposed when MOVEit was compromised back in May 2023.

TDECU said it took immediate action to mitigate the issue when it was notified - only it didn't appear to have discovered the matter until the end of July 2024.

There was no compromise to TDECU's internal systems, as has been the case with other victims of the MOVEit breach, but that doesn't change the fact some valuable data was stolen, including names, birthdates, social security numbers, government ID numbers, bank account info and other sensitive PII.

With nearly 80 million people impacted by the MOVEit breach, and apparently more victims still to come forward, it's entirely unclear what the ultimate count might be.

US Secret Service offers $2.5M bounty for Belarusian hacker

Weeks after arresting a notorious Belarusian-Ukrainian hacker, the US government is putting out a hefty reward for information leading to the apprehension of one of his close associates.

The US Secret Service placed a reward of up to $2.5 million on Volodymyr Kadariya, one of two associates of the recently-arrested Maksim Silnikau who have been charged alongside him.

In Kadariya's case, he's been charged - like Silnikau - with allegedly operating a decade-long malvertising ring that was used to transmit the notorious Angler Exploit Kit, as well as crimes like wire fraud and conspiracy to commit wire fraud.

While Silnikau may have been nabbed, neither Kadariya nor the pair's other alleged co-conspirator, Russian national Andrei Tarasov, has been apprehended. If they're ever caught, they may face decades in prison - the same thing Silnikau is facing on his own right now.

Backpage owners sentenced

Backpage, the notorious website that was a haven for underage sex trafficking in the United States before it was shut down in 2018, has just had three more of its leaders sentenced to prison.

Michael Lacey, Scott Spear and John "Jed" Brunst, identified by the Department of Justice as the owners of the site, were each sentenced to a decade in prison followed by three years of supervised release, with Lacey only getting five years behind bars, according to DOJ.

Backpage CEO Carl Ferrer pled guilty to facilitating prostitution and engaging in money laundering shortly after the site was seized; the site's sales and marketing director Dan Hyer also pled guilty to similar charges. James Larkin, another individual charged in the case, died before the start of the trial, DOJ notes.

Backpage made more than $500 million in its eight years of operation as an illegal prostitution and human trafficking-friendly site.

CISA launches incident reporting portal

In a bid to streamline the often onerous cyber incident reporting process, CISA has launched a new Services Portal website where organizations can report incidents, share reports with third parties and chat with CISA officials.

Reports can be submitted after logging in with a login.gov account, or anonymously via the same site.

"Any organization experiencing a cyber attack or incident should report it – for its own benefit, and to help the broader community," said CISA Executive Assistant Director for Cybersecurity Jeff Greene. "CISA and our government partners have unique resources and tools to aid with response and recovery, but we can't help if we don't know about an incident."

The portal's availability comes with a little over a year until CISA is set to issue mandatory reporting rules specified under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) signed into law in 2022.

Once the rule goes into effect - President Biden gave CISA an October 2025 deadline to finalize - substantial cybersecurity incidents at critical infrastructure organizations will have to be reported to CISA within 72 hours.

Consider this your opportunity to get some practice in.®
