
New Mirai botnet targets TBK DVRs by exploiting CVE-2024-3721


A new variant of the Mirai botnet exploits CVE-2024-3721 to target DVR systems, using a new infection method.

Researchers from Russian cybersecurity firm Kaspersky discovered a new variant of the Mirai botnet that exploits a command injection vulnerability (CVE-2024-3721) in TBK DVR-4104 and DVR-4216 digital video recording devices.

During a review of the logs in their Linux honeypot system, the researchers noticed a suspect POST request linked to the potential exploitation of CVE-2024-3721.

“The request contains a malicious command that is a single-line shell script which downloads and executes an ARM32 binary on the compromised machine,” reads the analysis.

“Typically, bot infections involve shell scripts that initially survey the target machine to determine its architecture and select the corresponding binary. However, in this case, since the attack is specifically targeted at devices that only support ARM32 binaries, the reconnaissance stage is unnecessary.”

The Mirai botnet’s source code, made public nearly a decade ago, has since been widely reused and modified by cybercriminals to power large-scale botnets. The latest DVR-focused variant is also built on Mirai’s foundation but introduces new features like RC4 string encryption, anti-virtual machine checks, and anti-emulation tactics. While Mirai itself is well-known, this version brings fresh techniques worth examining.

This Mirai variant uses a simple RC4 algorithm to decrypt strings and uses XOR to obfuscate the key. Once decrypted, strings are stored in a global list for use during execution. The malware also includes anti-VM and anti-emulation checks by scanning running processes for signs of VMware or QEMU.
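To make the string-decryption scheme described above concrete, here is an added example written for this article; it is not code from the sample or from Kaspersky's analysis. It recovers the RC4 key by XORing each stored key byte with a one-byte mask, then runs the standard RC4 key schedule and keystream generator over each encrypted string and collects the results in a list, mirroring the global string table the malware builds. The key, XOR mask and string table below are constructed test values; the report does not disclose the sample's real key or layout.

```python
# Added example: RC4 string decryption with an XOR-obfuscated key, in the style
# Kaspersky describes for this Mirai variant. All constants are constructed test
# data, not values recovered from the sample.
from typing import List

# Constructed values (assumptions, not from the report).
XOR_MASK = 0x5A
PLAIN_KEY = b"constructed-key"
SAMPLE_STRINGS = [b"/proc", b"vmware", b"qemu"]  # stand-ins for a string table


def deobfuscate_key(obfuscated_key: bytes, xor_mask: int) -> bytes:
    """Recover the RC4 key: each stored byte is XORed with a one-byte mask.
    XOR is its own inverse, so the same function also obfuscates a plain key."""
    return bytes(b ^ xor_mask for b in obfuscated_key)


def rc4_ksa(key: bytes) -> List[int]:
    """RC4 key-scheduling algorithm: permute 0..255 under the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 PRGA: XOR data with the keystream. Encryption and decryption are identical."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_string_table(obfuscated_key: bytes, xor_mask: int,
                         blobs: List[bytes]) -> List[bytes]:
    """De-obfuscate the key once, then decrypt every blob into a global-style list."""
    key = deobfuscate_key(obfuscated_key, xor_mask)
    return [rc4_crypt(key, blob) for blob in blobs]


# The obfuscated key as it would sit in the binary (constructed).
OBFUSCATED_KEY = deobfuscate_key(PLAIN_KEY, XOR_MASK)


def encrypted_table() -> List[bytes]:
    """Build the constructed encrypted string table with the plain key."""
    return [rc4_crypt(PLAIN_KEY, s) for s in SAMPLE_STRINGS]


def decrypted_table() -> List[bytes]:
    """Recover the plaintext table the way an analyst would from the binary's data."""
    return decrypt_string_table(OBFUSCATED_KEY, XOR_MASK, encrypted_table())


if __name__ == "__main__":
    for blob, plain in zip(encrypted_table(), decrypted_table()):
        print(blob.hex(), "->", plain.decode())
```

Because RC4 is symmetric, the same routine that encrypts the constructed table also decrypts it, so the round trip is a self-check; the RC4 core can also be validated against the widely published test vector (key "Key", plaintext "Plaintext").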


The malware also verifies its execution path against a list of allowed directories to avoid detection. If all checks pass, it proceeds to prepare the infected device to receive commands.

Most infections are in China, India, Egypt, Ukraine, Russia, Turkey, and Brazil. While the exact number of infected devices is unclear, Kaspersky found over 50,000 exposed DVRs, which are potential targets.

“Exploiting known security flaws in IoT devices and servers that haven’t been patched, along with the widespread use of malware targeting Linux-based systems, leads to a significant number of bots constantly searching the internet for devices to infect,” concludes the report. “Most of these bots don’t stay active after the device restarts because some device firmware doesn’t allow changes to the file system. To protect against infections like these, we recommend updating vulnerable devices as soon as security patches become available. Another thing to consider is a factory reset if your device is indeed vulnerable and exposed.”


Pierluigi Paganini

(SecurityAffairs – hacking, botnet)