Infosec in brief A series of IP cameras still used all over the world, despite being well past their end of life, have been exploited to create a new Mirai botnet.
The vulnerability (CVSS 8.7, CVE-2024-7029) was reported to CISA by security researchers from Akamai, who said the campaign they discovered leveraging the remote code execution (RCE) vulnerability in AVTECH AVM1203 IP cameras they found has been active since early 2024, but the vulnerability is much older.
"The proof of concept (PoC) for CVE-2024-7029 has been publicly available since at least 2019, but it never had a proper CVE assignment until August 2024," Akamai threat researchers Aline Eliovich, Kyle Lefton and Larry Cashdollar wrote.
Support for AVTECH AVM1203 cameras ended in 2019 as well, and it doesn't appear the manufacturer plans to release a patch.
The exploit doesn't require a user to be authenticated, and allows an attacker to abuse a flaw in the camera's "brightness" argument in the "action=" parameter to inject commands with the same privileges as the owner of the device.
"Despite the model in question having been discontinued for several years … these devices are still used worldwide, including by transportation authorities and other critical infrastructure entities," Akamai notes.
Several other old and established vulnerabilities are being used to spread the Mirai variant, which Akamai said appears to be the same COVID-19-themed version that's been floating around since 2020.
With that in mind, the other vulnerabilities being abused to spread the botnet include a Hadoop YARN RCE, a 10-year old CVSS 9.8 vulnerability in Realtek SDK (CVE-2014-8361) and a well-documented flaw in Huawei HG532 routers (CVE-2017-17215).
With those other vulnerabilities also present in aged software and hardware, consider this entire story a reminder to not leave out-of-service devices and outdated software on your networks.
Critical vulnerabilities of the week
This week, we bring to you two rather serious CVEs that have been spotted under active exploitation - one in Apache OFBiz, and the other in Google Chrome V8.
In the first case, we have CVE-2024-38856 found in Apache's open source ERP platform. With a CVSS score of 9.8, this issue in all versions of OFBiz through 18.12.14 can lead to unauthenticated endpoints improperly allowing execution of screen rendering code due to an incorrect authentication vulnerability.
In the latter case, the V8 JavaScript engine in Chrome versions prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption using a malicious HTML page. The vulnerability is tracked as CVE-2024-7965, with a CVSS score of 8.8.
Add another half million to those MOVEit numbers
It's been a while since we've had to mention a new MOVEit victim coming forward - yet here we are.
The Texas Dow Employees Credit Union filed a data breach notification in Maine last week indicating that data belonging to 500,474 customers had been exposed when MOVEit was compromised back in May 2023.
TDECU said it took immediate action to mitigate the issue when it was notified - only it didn't appear to have discovered the matter until the end of July 2024.
There was no compromise to TDECU's internal systems, as has been the case with other victims of the MOVEit breach, but that doesn't change the fact some valuable data was stolen, including names, birthdates, social security numbers, government ID numbers, bank account info and other sensitive PII.
With nearly 80 million people impacted by the MOVEit breach, and apparently more victims still to come forward, it's entirely unclear what the ultimate count might be.
US Secret Service offers $2.5M bounty for Belarusian hacker
Weeks after arresting a notorious Belarusian-Ukrainian hacker, the US government is putting out a hefty reward for information leading to the apprehension of one of his close associates.
The US Secret Service placed a reward of up to $2.5 million on Volodymyr Kadariya, one of two associates of the recently-arrested Maksim Silnikau who have been charged alongside him.
In Kadariya's case, he's been charged - like Silnikau - with allegedly operating a decade-long malvertising ring that was used to transmit the notorious Angler Exploit Kit, as well as crimes like wire fraud and conspiracy to commit wire fraud.
While Silnikau may have been nabbed, neither Kadariya or the pair's other alleged coconspirator, Russian national Andrei Tarasov, have been apprehended. If they're ever caught, they may face decades in prison - the same thing Silnikau is facing on his own right now.
Backpage owners sentenced
Backpage, the notorious website that was a haven for underage sex trafficking in the United States before it was shut down in 2018, has just had three more of its leaders sentenced to prison.
Michael Lacey, Scott Spear and John "Jed" Brunst, identified by the Department of Justice as the owners of the site, were each sentenced to three years of supervised release after a decade in prison, with Lacey only getting five years behind bars, according to DOJ.
Backpage CEO Carl Ferrer pled guilty to facilitating prostitution and engaging in money laundering shortly after the site was seized; the site's sales and marketing director Dan Hyer also pled guilty to similar charges. James Larkin, another individual charged in the case, died before the start of the trial, DOJ notes.
Backpage made more than $500 million in its eight years of operation as an illegal prostitution and human trafficking-friendly site.
CISA launches incident reporting portal
In a bid to streamline the often onerous cyber incident reporting process, CISA has launched a new Services Portal website where organizations can report incidents, share reports with third parties and chat with CISA officials.
Along with logging in with a login.gov account, reports can also be submitted anonymously via the same site.
"Any organization experiencing a cyber attack or incident should report it – for its own benefit, and to help the broader community," said CISA Executive Assistant Director for Cybersecurity Jeff Greene. "CISA and our government partners have unique resources and tools to aid with response and recovery, but we can't help if we don't know about an incident."
The portal's availability comes with a little over a year until CISA is set to issue mandatory reporting rules specified under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) signed into law in 2022.
Once the rule goes into effect - President Biden gave CISA an October 2025 deadline to finalize - substantial cybersecurity incidents at critical infrastructure organizations will have to be reported to CISA within 72 hours.
Consider this your opportunity to get some practice in.®