New Mirai Variant Exploits Zero-Day in AVTECH Cameras: CVE-2024-7029
Akamai Security Intelligence and Response Team (SIRT) released a detailed report on a new botnet campaign that exploits a previously undisclosed zero-day vulnerability in AVTECH CCTV cameras. The vulnerability, CVE-2024-7029, enables remote code execution (RCE).
Introduction
On August 28, 2024, the Akamai Security Intelligence and Response Team (SIRT) released a detailed report on a new botnet campaign that exploits a previously undisclosed zero-day vulnerability in AVTECH CCTV cameras. The vulnerability, CVE-2024-7029, enables remote code execution (RCE). It has been actively exploited to spread a new variant of the notorious Mirai botnet, referencing the COVID-19 virus in its string names.
Report Overview
CVE-2024-7029 is a command injection vulnerability discovered by Aline Eliovich of Akamai SIRT. This flaw resides in the brightness function of AVTECH IP camera devices. The exploit allows attackers to execute arbitrary commands remotely with elevated privileges, turning the affected cameras into nodes of a rapidly spreading botnet. The vulnerability is particularly concerning because it affects older AVTECH models that remain in use despite being discontinued, making them prime targets for malicious actors.
The attack leverages the "brightness" argument in the "action=" parameter within the file /cgi-bin/supervisor/Factory.cgi. Once the command is injected, the Mirai variant—dubbed "Corona Mirai"—spreads across the network, exploiting multiple known vulnerabilities, including CVE-2014-8361 and CVE-2017-17215. The botnet connects to many hosts via Telnet on ports 23, 2323, and 37215. It also prints the " Corona " string on infected devices' consoles, referencing the ongoing pandemic.
The consequences of this botnet campaign are severe, particularly for organizations relying on AVTECH IP cameras for critical infrastructure. The malware can cause widespread network disruptions and give attackers unauthorized access to sensitive systems. Given the global distribution of these cameras, the impact is far-reaching, affecting sectors from transportation to industrial control systems.
Insights and Analysis
Larry Cashdollar, a senior researcher at Akamai, noted the growing trend of attackers exploiting older vulnerabilities, stating, "This campaign highlights the importance of patching even seemingly low-priority vulnerabilities. The use of outdated firmware makes these devices easy prey for botnets like Corona Mirai."
Organizations using AVTECH cameras should urgently review their patch management processes. For devices affected by CVE-2024-7029, it is crucial to apply any available updates or consider decommissioning vulnerable hardware if patching is not possible. Continuous monitoring for indicators of compromise (IOCs) and restricting unnecessary network access can also mitigate the risk.
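A defender-side check that follows from the two facts the article gives (the vulnerable `/cgi-bin/supervisor/Factory.cgi` endpoint with `action=brightness`, and propagation over Telnet ports 23, 2323 and 37215): an added example, not code from the Akamai report. The name of the value parameter (`brightness=`), the log-line shapes and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# From the report: the vulnerable CGI endpoint and the Telnet ports the botnet uses.
TARGET_PATH = "/cgi-bin/supervisor/Factory.cgi"
TELNET_PORTS = {23, 2323, 37215}
# Shell metacharacters that have no business in a brightness value.
SHELL_META = re.compile(r"[;|&`\n]|\$\(")
# Assumed (constructed) connection-log shape: "src:sport -> dst:dport".
CONN_LINE = re.compile(r"^(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_query(query: str) -> dict:
    """Split on '&' only, so an injected ';' stays inside the value instead of
    being treated as a separator (which older parse_qs versions did)."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[key] = unquote(value)
    return params


def check_http_request(line: str):
    """Flag requests to Factory.cgi whose action=brightness value carries shell
    metacharacters. The 'brightness=' value parameter name is an assumption."""
    parts = line.split(" ")
    if len(parts) < 2 or "?" not in parts[1]:
        return None
    path, _, query = parts[1].partition("?")
    if path != TARGET_PATH:
        return None
    params = parse_query(query)
    if params.get("action") != "brightness":
        return None
    value = params.get("brightness", "")
    if SHELL_META.search(value):
        return ("cve-2024-7029-attempt", f"brightness={value!r}")
    return None


def check_connection(line: str):
    """Flag connections to the Telnet ports the variant uses for propagation."""
    m = CONN_LINE.match(line)
    if m and int(m.group("dport")) in TELNET_PORTS:
        return ("telnet-propagation", f"{m.group('src')} -> {m.group('dst')}:{m.group('dport')}")
    return None


def scan(lines):
    """Run both checks over mixed log lines; return findings in order."""
    return [hit for hit in (check_http_request(l) or check_connection(l) for l in lines) if hit]


# Constructed sample input: one benign and one suspicious request, one benign and one Telnet flow.
SAMPLE_LINES = [
    "GET /cgi-bin/supervisor/Factory.cgi?action=brightness&brightness=50 HTTP/1.1",
    "GET /cgi-bin/supervisor/Factory.cgi?action=brightness&brightness=50%3Bid HTTP/1.1",
    "GET /cgi-bin/supervisor/Factory.cgi?action=status HTTP/1.1",
    "10.0.0.5:49152 -> 10.0.0.9:443",
    "10.0.0.5:49153 -> 10.0.0.12:37215",
]
```

Feed real access-log request lines and flow records through `scan()`; a `cve-2024-7029-attempt` hit on a camera that has not been patched is a trigger to isolate it, and `telnet-propagation` hits from a camera indicate it is already scanning on the botnet's behalf.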
The discovery of CVE-2024-7029 and the associated Corona Mirai botnet's ongoing operation highlight the risks posed by unpatched vulnerabilities in older hardware. By staying vigilant and proactive in their cybersecurity practices, organizations can protect themselves against these evolving threats.
Indicators of Compromise (IOCs)
MITRE ATT&CK Table
Tactic | Technique | ID | Description |
---|---|---|---|
Initial Access | Exploit Public-Facing Application | T1190 | Exploiting vulnerabilities in AVTECH IP cameras to gain access. |
Execution | Command and Scripting Interpreter | T1059 | Use of command injection in AVTECH IP camera devices for remote code execution. |
Persistence | Valid Accounts | T1078 | Persistent access through compromised Telnet credentials on infected devices. |
Command and Control | Application Layer Protocol | T1071 | Use of Telnet for communication between infected devices and C2 servers. |
References
https://www.akamai.com/blog/security-research/2024-corona-mirai-botnet-infects-zero-day-sirt