Headline
Unpatched AVTECH IP Camera Flaw Exploited by Hackers for Botnet Attacks
A years-old high-severity flaw impacting AVTECH IP cameras has been weaponized by malicious actors as a zero-day to rope them into a botnet. CVE-2024-7029 (CVSS score: 8.7), the vulnerability in question, is a “command injection vulnerability found in the brightness function of AVTECH closed-circuit television (CCTV) cameras that allows for remote code execution (RCE),” Akamai researchers Kyle
IoT Security / Vulnerability
A years-old high-severity flaw impacting AVTECH IP cameras has been weaponized by malicious actors as a zero-day to rope them into a botnet.
CVE-2024-7029 (CVSS score: 8.7), the vulnerability in question, is a “command injection vulnerability found in the brightness function of AVTECH closed-circuit television (CCTV) cameras that allows for remote code execution (RCE),” Akamai researchers Kyle Lefton, Larry Cashdollar, and Aline Eliovich said.
Details of the security shortcoming were first made public earlier this month by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), highlighting its low attack complexity and the ability to exploit it remotely.
“Successful exploitation of this vulnerability could allow an attacker to inject and execute commands as the owner of the running process,” the agency noted in an alert published August 1, 2024.
It’s worth noting that the issue remains unpatched. It impacts AVM1203 camera devices using firmware versions up to and including FullImg-1023-1007-1011-1009. The devices, although discontinued, are still used in commercial facilities, financial services, healthcare and public health, transportation systems sectors, per CISA.
Akamai said the attack campaign has been underway since March 2024, although the vulnerability has had a public proof-of-concept (PoC) exploit as far back as February 2019. However, a CVE identifier wasn’t issued until this month.
“Malicious actors who operate these botnets have been using new or under-the-radar vulnerabilities to proliferate malware,” the web infrastructure company said. “There are many vulnerabilities with public exploits or available PoCs that lack formal CVE assignment, and, in some cases, the devices remain unpatched.”
The attack chains are fairly straightforward in that they leverage the AVTECH IP camera, alongside other known vulnerabilities (CVE-2014-8361 and CVE-2017-17215), to spread a Mirai botnet variant on target systems.
“In this instance, the botnet is likely using the Corona Mirai variant, which has been referenced by other vendors as early as 2020 in relation to the COVID-19 virus,” the researchers said. “Upon execution, the malware connects to a large number of hosts through Telnet on ports 23, 2323, and 37215. It also prints the string ‘Corona’ to the console on an infected host.”
The development comes weeks after cybersecurity firms Sekoia and Team Cymru detailed a “mysterious” botnet named 7777 (or Quad7) that has leveraged compromised TP-Link and ASUS routers to stage password-spraying attacks against Microsoft 365 accounts. As many as 12,783 active bots have been identified as of August 5, 2024.
“This botnet is known in open source for deploying SOCKS5 proxies on compromised devices to relay extremely slow ‘brute-force’ attacks against Microsoft 365 accounts of many entities around the world,” Sekoia researchers said, noting that a majority of the infected routers are located in Bulgaria, Russia, the U.S., and Ukraine.
While the botnet gets its name from the fact it opens TCP port 7777 on compromised devices, a follow-up investigation from Team Cymru has since revealed a possible expansion to include a second set of bots that are composed mainly of ASUS routers and characterized by the open port 63256.
“The Quad7 botnet continues to pose a significant threat, demonstrating both resilience and adaptability, even if its potential is currently unknown or unreached,” Team Cymru said. “The linkage between the 7777 and 63256 botnets, while maintaining what appears to be a distinct operational silo, further underscores the evolving tactics of the threat operators behind Quad7.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
Over the past year, "Matrix" has used publicly available malware tools and exploit scripts to target weakly secured IoT devices — and enterprise servers.
Aqua Nautilus researchers have discovered a campaign powering a series of large-scale DDoS attacks launched by Matrix, which…
Cybersecurity company Trend Micro has released patches and hotfixes to address a critical security flaw in Apex One and Worry-Free Business Security solutions for Windows that has been actively exploited in real-world attacks. Tracked as CVE-2023-41179 (CVSS score: 9.1), it relates to a third-party antivirus uninstaller module that's bundled along with the software. The complete list of impacted
By Deeba Ahmed HinataBot can launch Distributed Denial of Service (DDoS) attacks reaching 3.3 TBPS. This is a post from HackRead.com Read the original post: Threat Actors Using Go-based HinataBot to launch DDoS Attacks
By Deeba Ahmed HinataBot can launch Distributed Denial of Service (DDoS) attacks reaching 3.3 TBPS. This is a post from HackRead.com Read the original post: Threat Actors Using Go-based HinataBot to launch DDoS Attacks
A new Golang-based botnet dubbed HinataBot has been observed to leverage known flaws to compromise routers and servers and use them to stage distributed denial-of-service (DDoS) attacks. "The malware binaries appear to have been named by the malware author after a character from the popular anime series, Naruto, with file name structures such as 'Hinata--,'" Akamai said in a
A new Golang-based botnet dubbed HinataBot has been observed to leverage known flaws to compromise routers and servers and use them to stage distributed denial-of-service (DDoS) attacks. "The malware binaries appear to have been named by the malware author after a character from the popular anime series, Naruto, with file name structures such as 'Hinata--,'" Akamai said in a
By Deeba Ahmed Most devices infected by Chaos malware are located in Europe, particularly Italy but infections were also observed in Asia Pacific, South America, and North America. This is a post from HackRead.com Read the original post: New DDoS Malware ‘Chaos’ Hits Linux and Windows Devices
The previously identified ransomware builder has veered in an entirely new direction, targeting consumers and business of all sizes by exploiting known CVEs through brute-forced and/or stolen SSH keys.
A new, multi-functional Go-based malware dubbed Chaos has been rapidly growing in volume in recent months to ensnare a wide range of Windows, Linux, small office/home office (SOHO) routers, and enterprise servers into its botnet. "Chaos functionality includes the ability to enumerate the host environment, run remote shell commands, load additional modules, automatically propagate through
The miniigd SOAP service in Realtek SDK allows remote attackers to execute arbitrary code via a crafted NewInternalClient request, as exploited in the wild through 2023.