An AVTECH camera in Singapore in 2014. Image: Richard O'Rorke / Flickr / CC BY-NC-ND 2.0

Old CCTV cameras provide a fresh opportunity for a Mirai botnet variant

A bug in closed-circuit TV cameras is the latest example of a previously unidentified vulnerability that hackers are exploiting in internet-facing devices, adding them to botnets that can be used to disrupt websites with junk traffic.

Cybersecurity researchers at Akamai have discovered that a prolific botnet based on the infamous Mirai malware is exploiting a zero-day flaw in CCTV cameras made by the Taiwan-based company AVTECH.

The vulnerability, tracked as CVE-2024-7029, allows hackers to take control of the cameras remotely by injecting malicious code, which then spreads a Mirai variant called Corona, according to the researchers.

The flaw was found in the "brightness" setting of the cameras, researchers said. Although the camera models they analyzed are old and discontinued, they are still widely used worldwide, including in critical infrastructure like transportation.

Earlier in August, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory regarding the zero-day, citing its low attack complexity, remote exploitability, and known public exploitation.

CISA also noted that AVTECH did not respond to requests to work with the agency to mitigate this and other vulnerabilities in its devices.

According to Akamai, the latest Mirai botnet campaign targets multiple vulnerabilities beyond CVE-2024-7029, including several other AVTECH bugs.

“This follows the troubling attacker trend of using older, likely low-priority vulnerabilities that remain unpatched to fulfill a malicious purpose,” the researchers added.

The first active campaign observed began on March 18, but analysis showed activity for the Mirai Corona variant as early as December 2023.

Evidence that CVE-2024-7029 could be exploited has been available to the public since at least 2019, but the flaw wasn’t officially recognized and assigned a Common Vulnerabilities and Exposures (CVE) identifier until August 2024, researchers said. The CVE assignment is important because it formally acknowledges the vulnerability and helps organizations track and address it.

“A vulnerability without a formal CVE assignment may still pose a threat to your organization. Malicious actors who operate these botnets have been using new or under-the-radar vulnerabilities to proliferate malware,” the researchers said, adding that CVE-2024-7029 is another example of this increasingly popular attack trend.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.