Variant of Mirai Botnet Exploits DVR Command Injection Vulnerability, Impacting 50,000 Devices

A newly identified variant of the Mirai botnet is making headlines as it exploits a command injection vulnerability in internet-connected digital video recorders (DVRs) used for CCTV surveillance. This vulnerability enables attackers to seize control of the devices and integrate them into a botnet.
Researchers from Kaspersky, a cybersecurity firm based in Russia, have documented active exploitation of CVE-2024-3721. While analyzing logs from a Linux honeypot system, they confirmed that the flaw is being leveraged by a variant of the Mirai botnet that specifically targets DVR devices manufactured by TBK.
Security researcher “netsecfish” initially identified the vulnerability in April 2024, demonstrating that a crafted POST request to a specific endpoint could trigger shell command execution by altering parameters such as `mdb` and `mdc`. Kaspersky confirmed that this method is actively in use, noting that their honeypots captured real-time exploitation attempts that align with the technique outlined by netsecfish.
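A defender's view of the technique just described, as an added example that is not code from Kaspersky, netsecfish or the article: it scans captured HTTP requests (in the form a honeypot or WAF might record them) for POST requests whose `mdb` or `mdc` parameters carry shell metacharacters, which is the signal a detection rule for this class of command injection would key on. The endpoint path `/PLACEHOLDER_ENDPOINT`, the record format and the sample requests are constructed for this example; the article does not name the real vulnerable endpoint.

```python
"""Detection helper for command-injection attempts via the mdb/mdc parameters.

Added example, not from Kaspersky, netsecfish or the original article.
The endpoint path, log record shape and sample requests are all constructed.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Parameters the article names as the injection points (from the page).
WATCHED_PARAMS = ("mdb", "mdc")

# Characters that let a parameter value break out of a shell argument.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")


def find_injection(request_line: str, body: str) -> Optional[Dict[str, str]]:
    """Return {param: decoded value} for watched parameters whose value contains
    shell metacharacters, or None when the request looks benign.

    Both query-string and form-encoded body parameters are inspected, since a
    POST may carry the parameters in either place.
    """
    parts = request_line.split(" ")
    if len(parts) < 2 or parts[0].upper() != "POST":
        return None
    params = parse_qs(urlsplit(parts[1]).query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    hits = {
        p: val
        for p in WATCHED_PARAMS
        for val in params.get(p, [])
        if SHELL_META.search(val)
    }
    return hits or None


def scan(records: List[Tuple[str, str]]) -> List[int]:
    """Return the indices of records that find_injection flags."""
    return [i for i, (line, body) in enumerate(records) if find_injection(line, body)]


# Constructed sample records: (request line, body). The path is a placeholder,
# and the injected value uses a placeholder command rather than a real payload.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("POST /PLACEHOLDER_ENDPOINT HTTP/1.1", "mdb=sos&mdc=1%3BPLACEHOLDER_CMD"),
    ("POST /PLACEHOLDER_ENDPOINT HTTP/1.1", "mdb=sos&mdc=1"),
    ("GET /index.html HTTP/1.1", ""),
]

if __name__ == "__main__":
    for idx in scan(SAMPLE_REQUESTS):
        line, body = SAMPLE_REQUESTS[idx]
        print(f"record {idx}: {line} -> {find_injection(line, body)}")
```

In production this logic would sit on the honeypot or reverse proxy in front of the DVR's web interface; any hit is worth an alert on its own, because legitimate firmware traffic never needs shell metacharacters in these parameters.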
Nearly a decade ago, the source code of the original Mirai botnet surfaced online, serving as a foundational framework for numerous evolving botnet campaigns. This new variant targeting DVR systems builds upon that framework, incorporating advanced capabilities such as RC4-based string obfuscation and checks designed to evade virtual machines and anti-emulation techniques.
The exploit enables attackers to upload a malicious ARM32 binary to the targeted device, which subsequently connects to a command-and-control server, integrating into the botnet. Once compromised, these DVRs can be utilized for distributed denial-of-service (DDoS) attacks, relaying malicious traffic, and other illicit activities.
This particular variant of Mirai employs a basic RC4 algorithm to decrypt its internal strings, with the RC4 key itself obfuscated via XOR. After decryption, the strings are stored in a global list for later use. To hinder analysis, the malware also checks for virtualized and emulated environments, inspecting running processes for indicators of platforms such as VMware or QEMU.
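The string-decryption scheme described above, reproduced as an analyst's helper: an added example, not Kaspersky's code or the malware's. It recovers the RC4 key from its XOR-obfuscated form, then runs plain RC4 over a table of encrypted strings and returns the plaintext list that the malware would keep globally. The XOR mask, the key and the sample string table are constructed for this example; a real sample would have its own values.

```python
"""Decoder for RC4-encrypted strings whose key is stored XOR-obfuscated.

Added example, not from Kaspersky or the malware itself. The XOR mask,
the key and the encrypted table below are constructed for illustration.
"""
from typing import List

# Assumed single-byte XOR mask protecting the RC4 key (constructed value).
XOR_MASK = 0x22


def deobfuscate_key(obfuscated: bytes, mask: int = XOR_MASK) -> bytes:
    """Recover the RC4 key by XOR-ing every stored byte with the mask."""
    return bytes(b ^ mask for b in obfuscated)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). RC4 is symmetric, so one function both
    encrypts and decrypts."""
    # Key-scheduling algorithm: permute S using the key bytes.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm: XOR each data byte with keystream.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_string_table(obfuscated_key: bytes, table: List[bytes]) -> List[str]:
    """Decrypt every entry and return the plaintext list the malware would
    populate at start-up."""
    key = deobfuscate_key(obfuscated_key)
    return [rc4(key, blob).decode("latin-1") for blob in table]


# --- constructed sample: a key, its obfuscated form, and strings encrypted
# with it. XOR is its own inverse, so deobfuscate_key also obfuscates. ---
SAMPLE_KEY = b"sample-rc4-key"
OBFUSCATED_KEY = deobfuscate_key(SAMPLE_KEY)
PLAINTEXTS = [b"/proc/", b"vmware", b"qemu"]
SAMPLE_TABLE = [rc4(SAMPLE_KEY, s) for s in PLAINTEXTS]

if __name__ == "__main__":
    for s in decrypt_string_table(OBFUSCATED_KEY, SAMPLE_TABLE):
        print(repr(s))
```

When applying this to a real sample, the mask (or a longer XOR key), the obfuscated key bytes and the string table are lifted from the binary's data section; the `rc4` routine itself is checked against the standard test vector so that a wrong implementation is not mistaken for a wrong key.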
Last year, netsecfish reported approximately 114,000 DVR devices vulnerable to CVE-2024-3721, while Kaspersky estimates that the number is around 50,000. The majority of infections associated with this Mirai variant have been noted in countries such as China, India, Egypt, Ukraine, Russia, Turkey, and Brazil.
In terms of tactics, the botnet’s recent activity likely involves initial access through the vulnerability, combined with persistence measures to maintain control over compromised devices. Mapped to the MITRE ATT&CK framework, this corresponds to exploitation of a public-facing application followed by establishing command and control, which in turn enables further exploitation.