Unpatched Vulnerability in AVTECH IP Cameras Used by Mirai Botnet


The Corona botnet (a variation of Mirai) is spreading via a five-year-old zero-day RCE vulnerability in AVTECH IP cameras. These devices are no longer in production, so don't expect any patches.

The vulnerability was discovered by Akamai and assigned the identifier CVE-2024-7029 (8.7 points on the CVSS scale). The bug is in the Brightness function and allows unauthenticated attackers to inject commands using specially crafted requests.

The issue affects all AVTECH AVM1203 IP cameras running firmware versions up to Fullmg-1023-1007-1011-1009. Since support for these cameras has already been discontinued and their service life expired in 2019, there are no patches for CVE-2024-7029 and there are no plans to release them.

Experts from the US Cybersecurity and Infrastructure Security Agency (CISA) warn that CVE-2024-7029 is already being used by attackers and that exploits for it are publicly available. According to the experts, vulnerable cameras are still used in commercial facilities, financial institutions, and healthcare and transport systems.

While PoC exploits for this issue have existed since at least 2019, the vulnerability was only assigned a CVE identifier this month, and no active attacks on it had been seen before.


[Image: PoC exploit for CVE-2024-7029]

According to Akamai researchers, Corona is a Mirai-based malware that has been around since at least 2020 and exploits various vulnerabilities in IoT devices to spread. Since March 18, 2024, Corona has been exploiting CVE-2024-7029 in its attacks, compromising vulnerable AVM1203 IP cameras.

The Corona attacks were detected by Akamai honeypots. The hackers used CVE-2024-7029 to download and execute a JavaScript file, which in turn downloaded the main botnet payload to the victim's device.

Once the malware has penetrated the device, it connects to its control servers and waits for further instructions to carry out DDoS attacks.

According to the researchers, Corona also exploits other vulnerabilities in IoT devices, including:
  • CVE-2017-17215 is a vulnerability in Huawei routers that allows remote attackers to execute arbitrary commands on affected devices due to incorrect validation in the UPnP service.
  • CVE-2014-8361 is an RCE vulnerability in the Realtek SDK, which is commonly found in routers. It can be exploited via the HTTP service running on the devices.
  • Hadoop YARN RCE is a vulnerability in the Hadoop YARN (Yet Another Resource Negotiator) resource management system that can be used to remotely execute code in Hadoop clusters.

Owners of vulnerable AVTECH AVM1203 cameras are strongly advised to disable them as soon as possible and replace them with newer and supported devices.
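For cameras that are still online while replacement is arranged, proxy or web logs can be checked for the kind of request described above. The following is an added example, not code from Akamai, CISA or the original article: it flags any request whose brightness value is not a plain integer, including values hidden behind repeated percent-encoding. The parameter name `brightness`, the path `/hypothetical/endpoint`, the combined log format and the log lines themselves are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: the request parameter is called "brightness" (the article only
# names the "Brightness function") and a legitimate value is a short integer.
PARAM = "brightness"
VALID = re.compile(r"\d{1,3}")
# Combined log format: client IP first, then "METHOD target HTTP/x.y" in quotes.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP ranges, hypothetical path).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Sep/2024:10:00:00 +0000] "GET /hypothetical/endpoint?brightness=50 HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Sep/2024:10:00:05 +0000] "GET /hypothetical/endpoint?brightness=50%3BPLACEHOLDER HTTP/1.1" 200 0',
    '203.0.113.9 - - [01/Sep/2024:10:00:09 +0000] "GET /hypothetical/endpoint?brightness=%2524%2528PLACEHOLDER%2529 HTTP/1.1" 200 0',
    '192.0.2.10 - - [01/Sep/2024:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 512',
]

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding so double-encoded values are inspected too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (client_ip, decoded_value) for every non-numeric brightness value."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        # Split on '&' only, so a raw ';' inside a value is not lost.
        for pair in urlsplit(target).query.split("&"):
            key, _, raw = pair.partition("=")
            if unquote(key).lower() != PARAM:
                continue
            value = decode_fully(raw)
            if not VALID.fullmatch(value):
                hits.append((client, value))
    return hits

if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"non-numeric {PARAM} value from {client}: {value!r}")
```

The check is an allow-list (digits only) rather than a list of known bad strings, so it does not depend on the exact form of the injected command.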
