A new Mirai-based botnetis actively exploiting a remote code execution vulnerability that has not received a tracker number and appears to be unpatched in DigiEver DS-2105 Pro NVRs.
The campaign started in October and targets multiple network video recorders and TP-Link routers with outdated firmware.
One of the vulnerabilities used in the campaign was documented by TXOne researcher Ta-Lun Yen and presented last year at the DefCamp security conference in Bucharest, Romania. The researcher said at the time that the issue affects multiple DVR devices.
Akamai researchers observed that the botnet started to exploit the flaw in mid-November, but found evidence that the campaign has been active since at least September.
Apart from the DigiEver flaw, the new Mirai malware variant also targets CVE-2023-1389 on TP-Link devices and CVE-2018-17532 on Teltonika RUT9XX routers.
Attacks on DigiEver NVRs
The vulnerability exploited to compromise DigiEver NVRs is a remote code execution (RCE) flaw and the hackers are targeting the ‘/cgi-bin/cgi_main. cgi’ URI, which improperly validates user inputs.
This allows remote unauthenticated attackers to inject commands like ‘curl’ and ‘chmod’ via certain parameters, such as the ntp field in HTTP POST requests.
Akamai says that the attacks it has seen by this Mirai-based botnet appear similar to what is described in Ta-Lun Yen’s presentation.
Through command injection, the attackers fetch the malware binary from an external server and enlist the device into its botnet. Persistence is achieved by adding cron jobs.
Once the device is compromised, it is then used to conduct distributed denial of service (DDoS) attacks or to spread to other devices by leveraging exploit sets and credential lists.
Akamai says the new Mirai variant is notable for its use of XOR and ChaCha20 encryption and its targeting of a broad range of system architectures, including x86, ARM, and MIPS.
“Although employing complex decryption methods isn’t new, it suggests evolving tactics, techniques, and procedures among Mirai-based botnet operators,” comments Akamai.
“This is mostly notable because many Mirai-based botnets still depend on the original string obfuscation logic from recycled code that was included in the original Mirai malware source code release,” the researchers say.
The researchers note that the botnet also exploits CVE-2018-17532, a vulnerability in Teltonika RUT9XX routers as well as CVE-2023-1389, which impacts TP-Link devices.
Indicators of compromise (IoC) associated with the campaign are available at the end of Akamai’s report, along with Yara rules for detecting and blocking the threat.
