Malicious Actors Exploit AVTECH IP Camera Vulnerability in Botnet Campaign
A significant cybersecurity threat has emerged: a long-standing, high-severity vulnerability in AVTECH IP cameras is being exploited by cybercriminals. Tracked as CVE-2024-7029 with a CVSS score of 8.7, the flaw is a command injection vulnerability in the brightness control function of these closed-circuit television (CCTV) devices. As reported by researchers from Akamai, the vulnerability permits remote code execution (RCE), allowing attackers to take control of affected cameras.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) made the existence of this critical vulnerability public earlier this month, detailing its low complexity and widespread remote exploitability. According to CISA’s alert, successful exploitation enables attackers to inject and run commands as if they were the legitimate owner of the process, posing severe risks to device integrity and security.
Unfortunately, there are currently no patches available for this vulnerability, which specifically affects AVM1203 camera models running firmware versions up to and including FullImg-1023-1007-1011-1009. While these devices have been discontinued, they continue to be utilized across various sectors, including commercial enterprises, healthcare, finance, and transportation, as highlighted by CISA.
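Because no fix exists for the affected models, defenders are left with monitoring and isolation. The following is an added example (not code from the article or from Akamai) of detection logic that scans web access log lines from a proxy or sensor in front of the camera segment and flags brightness-control requests whose value is not a plain integer; the CGI path and the log lines are constructed placeholders, not the real AVTECH endpoint.

```python
"""Flag requests to an IP camera's brightness-control CGI whose brightness
parameter is not a small integer, a telltale of attempted command injection.
The CGI path and log lines below are constructed for this example."""
import re
from urllib.parse import parse_qs, urlsplit

# Placeholder path: substitute the real CGI path of the cameras you monitor.
BRIGHTNESS_CGI = "/cgi-bin/PLACEHOLDER_brightness.cgi"

# Combined-log style line as written by a reverse proxy in front of the cameras.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A legitimate brightness value is a short integer; anything else is suspect.
SAFE_VALUE = re.compile(r"^\d{1,3}$")

# Constructed sample log: one benign request, one with shell syntax in the value.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Aug/2024:10:01:02 +0000] "GET '
    '/cgi-bin/PLACEHOLDER_brightness.cgi?brightness=50 HTTP/1.1" 200 12',
    '203.0.113.7 - - [27/Aug/2024:10:01:09 +0000] "GET '
    '/cgi-bin/PLACEHOLDER_brightness.cgi?brightness=1%3BPLACEHOLDER_CMD HTTP/1.1" 200 12',
    '10.0.0.5 - - [27/Aug/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 340',
]


def suspicious_brightness_requests(lines):
    """Return (source, timestamp, decoded value) for each request whose
    brightness parameter fails the integer check."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed access log line
        url = urlsplit(m.group("target"))
        if url.path != BRIGHTNESS_CGI:
            continue
        # parse_qs percent-decodes, so an encoded ';' (%3B) is caught as well.
        for value in parse_qs(url.query, keep_blank_values=True).get("brightness", []):
            if not SAFE_VALUE.match(value):
                hits.append((m.group("src"), m.group("ts"), value))
    return hits


if __name__ == "__main__":
    for src, ts, value in suspicious_brightness_requests(SAMPLE_LOG):
        print(f"{ts} {src} sent non-numeric brightness value: {value!r}")
```

Run against real proxy logs, a hit is a cue to isolate the camera's network segment and block the source, since the device itself cannot be patched.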
Akamai’s research indicates that malicious exploitation of this vulnerability has been ongoing since March 2024; however, the vulnerability had a public proof-of-concept exploit available as early as February 2019. This discrepancy underscores a broader trend in cybersecurity, where many vulnerabilities exist with publicly available exploits but remain unassigned a CVE identifier or go unpatched.
The AVTECH camera vulnerability is not the only concern: cybercriminals are leveraging it alongside other known vulnerabilities, such as CVE-2014-8361 and CVE-2017-17215, to deploy variants of the notorious Mirai botnet on compromised systems. The researchers noted that the ongoing campaign likely involves the Corona variant of Mirai, which has historically been linked to the COVID-19 pandemic, indicating that attackers are adapting their strategies to leverage emerging vulnerabilities.
Estimates of AVTECH devices exposed on the internet currently stand at around 27,000; however, the extent of the attacks remains unclear. Akamai anticipates disclosing definitive attribution information related to these attacks in the future, emphasizing the ever-evolving landscape of cybersecurity threats.
The MITRE ATT&CK framework provides insight into the tactics and techniques likely employed in this campaign: initial access through exploitation of publicly known vulnerabilities, persistence through command injection, and possibly privilege escalation, allowing the attackers to launch further attacks from the compromised devices.
As businesses become increasingly reliant on interconnected technologies, staying updated on vulnerabilities and implementing robust cybersecurity measures is essential. The AVTECH IP camera incident is a critical reminder of the need for vigilance and proactive security measures in today’s rapidly evolving threat landscape.
For business owners, it is paramount to stay informed on the latest developments, not only regarding specific vulnerabilities but also best practices for securing their systems against such cyber threats.