An unpatched vulnerability in CCTV cameras commonly deployed in critical infrastructure is being actively exploited to spread a Mirai variant, Akamai researchers have warned.
The command injection vulnerability, CVE-2024-7029, is found in the brightness function of AVTECH CCTV cameras and allows remote code execution (RCE).
The vulnerability was highlighted in a Cybersecurity and Infrastructure Security Agency (CISA) industrial control system (ICS) advisory in August 2024, which cited its low attack complexity, remote exploitability and known public exploitation.
AVTECH IP camera devices are used worldwide, including by transportation and other critical infrastructure organizations.
The flaw has a CVSS score of 8.7, giving it a ‘High’ rating. A proof-of-concept (PoC) for CVE-2024-7029 has been publicly available since at least 2019, but the flaw was not assigned a CVE until August 2024.
There is currently no patch available.
How Attackers Exploit the CCTV Vulnerability
A botnet campaign spreading the Corona Mirai malware variant has been observed by Akamai exploiting CVE-2024-7029. The first observed active campaign began on March 18, 2024, but analysis shows that activity has taken place since as early as December 2023.
Once the injection succeeds, the botnet spreads a Mirai variant whose string names reference the COVID-19 virus; this variant has been observed since at least 2020.
The vulnerability can be exploited remotely and yields elevated privileges.
In the highlighted campaign, the threat actors exploited the command injection vulnerability to download and run a JavaScript file, which in turn fetches and loads the Mirai malware payload.
Upon execution, the malware connects to various hosts via Telnet on ports 23, 2323, and 37215. It also prints the string “Corona” to the console on an infected host.
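As an added defender-side illustration (not part of the article or Akamai's research), the following Python script parses a constructed flow-log format and flags internal hosts that reach out to many distinct destinations on the three Telnet ports named above, the spreading behaviour an infected camera would produce on the network. The log format, IP addresses and threshold are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Ports the report lists as the malware's Telnet spreading targets.
SPREADER_PORTS = {23, 2323, 37215}

# Constructed sample lines in an assumed firewall/flow-log format (not from any
# real product): "<time> src=<ip>:<port> dst=<ip>:<port> proto=<proto>".
SAMPLE_FLOW_LOG = """\
2024-03-18T10:00:01Z src=10.0.5.21:41022 dst=198.51.100.10:23 proto=tcp
2024-03-18T10:00:01Z src=10.0.5.21:41023 dst=198.51.100.11:2323 proto=tcp
2024-03-18T10:00:02Z src=10.0.5.21:41024 dst=198.51.100.12:37215 proto=tcp
2024-03-18T10:00:02Z src=10.0.5.21:41025 dst=198.51.100.13:23 proto=tcp
2024-03-18T10:00:03Z src=10.0.5.21:41026 dst=198.51.100.14:23 proto=tcp
2024-03-18T10:00:03Z src=10.0.5.22:51000 dst=10.0.9.3:443 proto=tcp
2024-03-18T10:00:04Z src=10.0.5.23:51001 dst=10.0.9.4:23 proto=tcp
2024-03-18T10:00:05Z src=10.0.5.21:41027 dst=10.0.9.5:80 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_flow_line(line):
    """Return (src, dst, dport) for a well-formed TCP line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("proto") != "tcp":
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def find_telnet_spreaders(log_text, min_targets=3):
    """Map each source to the distinct hosts it contacted on spreader ports,
    keeping only sources that touched at least min_targets distinct hosts.
    A single Telnet session is normal admin traffic; fan-out to many hosts is not."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_flow_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport in SPREADER_PORTS:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_telnet_spreaders(SAMPLE_FLOW_LOG).items():
        print(f"{src} contacted {len(dsts)} hosts on Telnet-style ports: {', '.join(dsts)}")
```

Pointing the same logic at real flow or firewall exports only requires adapting the regular expression; the fan-out threshold should be tuned to the number of legitimate Telnet destinations a camera on the network is expected to have, which is usually zero.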
Akamai’s Security Intelligence and Response Team (SIRT) said it observed the campaign targeting several other zero-day vulnerabilities that remain unpatched, including a Hadoop YARN RCE (CVE-2014-8361) and Huawei devices affected by CVE-2017-17215.
The campaign demonstrates the “troubling” attacker trend of using older, likely low-priority, vulnerabilities that remain unpatched to achieve a malicious goal, the researchers noted.
“Malicious actors who operate these botnets have been using new or under-the-radar vulnerabilities to proliferate malware. CVE-2024-7029 is another example of using the latter, which is becoming an increasingly popular attack trend observed by the SIRT,” they wrote.
For vulnerabilities where there is no available patch and no other way of remediating the issue, the researchers advised organizations to decommission the affected hardware and software.