Corona Mirai Botnet Exploiting RCE Zero-Day To Hire New Bots


A botnet is exploiting a new zero-day vulnerability, CVE-2024-7029, in AVTECH CCTV cameras to spread a Mirai variant. The flaw is a command injection vulnerability in the cameras' brightness function that allows remote code execution.

It leverages this vulnerability to take control of the cameras and propagate further, using a Mirai variant that references COVID-19 and has been observed since 2020.


A critical zero-day vulnerability, CVE-2024-7029, was discovered in AVTECH IP cameras, which allows attackers to execute remote commands with elevated privileges, enabling them to spread a Mirai botnet variant. 

The botnet campaign also targets other vulnerabilities, including older, unpatched ones like CVE-2014-8361 and CVE-2017-17215, which highlights a concerning trend of attackers exploiting vulnerabilities that have been overlooked or deemed low priority.

CVE-2024-7029 is a critical security flaw affecting AVTECH IP cameras that lies in the device’s handling of the “brightness” parameter within the “action=” command.


Malicious actors can exploit this by injecting arbitrary commands into the device’s system, potentially gaining unauthorized access and control. 

The vulnerability was actively exploited in the wild, with attackers spreading a modified Mirai botnet variant to compromised devices.

The botnet’s name, referencing COVID-19, highlights the ongoing threat posed by such vulnerabilities.

PoC of the exploit

The CVE-2024-7029 vulnerability in AVTECH IP camera devices has been exploited since at least December 2023, with the first active campaign observed in March 2024. 

Although the proof of concept for this vulnerability has been publicly available since 2019, it wasn’t assigned a CVE until August 2024.

Despite being discontinued years ago, these devices are still widely used in critical infrastructure, making them a significant target for attackers. 

The vulnerability resides in the brightness function of the /cgi-bin/supervisor/Factory.cgi file, which processes user-supplied input without proper validation, leading to a code injection vulnerability. 

Strings from the JavaScript downloader

Attackers can craft malicious input containing arbitrary commands, which the device then executes, resulting in unauthorized access, data exfiltration, or other malicious actions.

The exploitation was initially identified by analyzing honeypot logs, where the decoded payload provides evidence of the exploit attempt.
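The two points above, that a legitimate brightness value is just a number while an injection attempt carries shell metacharacters, and that the evidence turns up in (URL-decoded) honeypot or access logs, can be turned into a simple detection check. The following is an added example written for this article, not code from Akamai or from the AVTECH firmware. It assumes a combined-format access log and a query layout of `action=...&brightness=...`; only the CGI path comes from the article, and the log lines, IP addresses and parameter values are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# The CGI path is the one named in the article. The query layout
# (action=...&brightness=...) is an assumption made for this example.
VULN_PATH = "/cgi-bin/supervisor/Factory.cgi"

# A legitimate brightness value is a small decimal integer; anything else is suspect.
SAFE_BRIGHTNESS = re.compile(r"^\d{1,3}$")

# Combined-format access log: client IP, timestamp, request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

# Constructed sample log: one legitimate request, one single-encoded and one
# double-encoded injection attempt (harmless "echo" used as the injected command),
# and one unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:08:14:01 +0000] "GET /cgi-bin/supervisor/Factory.cgi?action=brightness&brightness=55 HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:08:15:22 +0000] "GET /cgi-bin/supervisor/Factory.cgi?action=brightness&brightness=1%3Becho%20test HTTP/1.1" 200 0 "-" "-"
203.0.113.9 - - [10/Mar/2024:08:16:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.88"
198.51.100.8 - - [10/Mar/2024:08:17:40 +0000] "GET /cgi-bin/supervisor/Factory.cgi?action=brightness&brightness=1%253Becho%2520test HTTP/1.1" 200 0 "-" "-"
"""


def fully_decode(value, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded metacharacters are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target):
    """Return a reason string if the request targets the vulnerable CGI with a
    non-numeric brightness value, otherwise None."""
    parts = urlsplit(target)
    if fully_decode(parts.path) != VULN_PATH:
        return None
    # parse_qs already performs one round of decoding; fully_decode handles the rest.
    params = parse_qs(parts.query, keep_blank_values=True)
    for raw in params.get("brightness", []):
        value = fully_decode(raw)
        if not SAFE_BRIGHTNESS.match(value):
            return f"non-numeric brightness value {value!r}"
    return None


def scan_log(text):
    """Return (client IP, timestamp, reason) for every suspicious line in an access log."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        reason = inspect_request(match.group("target"))
        if reason:
            hits.append((match.group("ip"), match.group("ts"), reason))
    return hits


if __name__ == "__main__":
    for ip, ts, reason in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip}: {reason}")
```

The check is deliberately an allow-list on the parameter (digits only) rather than a deny-list of metacharacters, so encodings or characters the deny-list did not anticipate still get flagged; the bounded repeated decoding is what catches the double-encoded line. The same allow-list is the validation the vulnerable CGI handler should have applied before using the value.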

Attackers exploited a vulnerability to execute remote code and download a JavaScript file, which fetched and loaded the main malware payload, a variant of Mirai malware that turns the infected device into a bot. 

Execution of malware showing output to console

The malware then connected to other bots and performed malicious actions, possibly including exploiting other network vulnerabilities, among them an attempt to exploit a specific Huawei device vulnerability (CVE-2017-17215).

According to Akamai, vulnerabilities without CVEs can be significant threats, because malicious actors leverage them for malware propagation; CVE-2024-7029, which went years without an identifier, is an example of this trend.

Many unpatched vulnerabilities with public exploits or PoCs exist, making patch management challenging. When remediation is impossible, decommissioning hardware and software is recommended to mitigate risks and avoid regulatory fines.



