Critical 0-Day Flaw in Surveillance Cameras Leveraged to Introduce Mirai Malware

### Major Flaw in AVTECH Security Cameras Used to Distribute Mirai Malware

In a troubling turn of events for online security, cybercriminals have been taking advantage of a serious flaw in a popular security camera model, the AVM1203 from the Taiwan-based firm AVTECH, to distribute the infamous Mirai malware. This malware is notorious for transforming compromised Internet of Things (IoT) devices into botnets capable of executing large-scale distributed denial-of-service (DDoS) attacks. The flaw, designated CVE-2024-7029, has been actively exploited since March, according to network security firm Akamai.

#### The Flaw: A Five-Year-Old Vulnerability

The AVM1203 surveillance camera, which is no longer sold or supported by AVTECH, has a zero-day vulnerability that has been publicly known since at least 2019. The issue lies in the brightness argument of the `action=` parameter handled by the camera’s firmware, specifically in the file `/cgi-bin/supervisor/Factory.cgi`. The flaw is a command injection: an attacker who can reach the web interface can make the device run attacker-supplied commands remotely.

Even though the flaw has been publicly recognized for several years, it wasn’t formally designated until recently with the CVE-2024-7029 identifier. The lack of ongoing support for the camera means that no security updates are provided, forcing users to consider replacing the device to lessen the threat.
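One place a defender can look for attempts against this flaw is the camera’s (or a reverse proxy’s) web access log. The following is an added detection example, not code from Akamai, AVTECH or the original article: it parses Common Log Format lines (an assumed log layout) and flags any request to `/cgi-bin/supervisor/Factory.cgi` whose query parameters contain shell metacharacters. It checks every parameter, not only `brightness`, since the same `action=` handler may accept other arguments; the query layout `action=...&brightness=...` and the sample log lines are constructed for illustration.

```python
"""Flag HTTP requests that look like attempts to exploit CVE-2024-7029.

Added defender-side example (not Akamai's or AVTECH's code). Parses
Common Log Format access-log lines (assumed layout) and reports requests
to the vulnerable CGI endpoint whose query values carry shell metacharacters.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the advisory; the query layout below is an assumption.
TARGET_PATH = "/cgi-bin/supervisor/Factory.cgi"

# Characters that let a value break out of a shell command string.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")

# Common Log Format: ip ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one benign call, one injection attempt, one unrelated hit.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2024:03:14:07 +0000] '
    '"GET /cgi-bin/supervisor/Factory.cgi?action=setbrightness&brightness=50 HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Mar/2024:03:14:09 +0000] '
    '"GET /cgi-bin/supervisor/Factory.cgi?action=setbrightness&brightness=1%3Btest HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Mar/2024:03:15:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
]


def classify(line):
    """Return (client_ip, param, decoded_value) if the line looks like an
    injection attempt against the vulnerable endpoint, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line; a real pipeline would count these
    url = urlsplit(m.group("target"))
    if url.path != TARGET_PATH:
        return None
    # parse_qs percent-decodes, so an encoded %3B is seen as ';'.
    params = parse_qs(url.query, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            if SHELL_META.search(value):
                return (m.group("ip"), name, value)
    return None


def scan(lines):
    """Run classify() over an iterable of log lines and collect the hits."""
    return [hit for hit in (classify(line) for line in lines) if hit]


if __name__ == "__main__":
    for ip, param, value in scan(SAMPLE_LOG):
        print(f"suspicious request from {ip}: {param}={value!r}")
```

Because the regex only recognises lines that match the assumed log format, anything else is silently skipped; in production you would count and review unparsed lines rather than drop them, and you would pair this check with an allow-list of hosts permitted to reach the camera’s management interface at all.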

#### The Mirai Botnet: An Ongoing Danger

Mirai malware first gained notoriety in September 2016 when a botnet consisting of compromised IoT devices executed a massive DDoS attack that incapacitated the cybersecurity news site Krebs on Security. The botnet, made up of infected webcams, routers, and other IoT devices, could launch DDoS attacks of unprecedented magnitude. In the weeks that followed, Mirai was utilized to assault Internet service providers and other prominent organizations, such as a significant attack on dynamic domain name provider Dyn, leading to widespread disruptions of online services.

The scenario escalated when the creators of Mirai made its source code publicly available, enabling nearly anyone to develop their own botnets using the malware. This decision resulted in a surge of Mirai variants, each able to carry out destructive DDoS attacks.

#### Recent Exploits and Insights

Akamai’s Security Intelligence and Response Team (SIRT) has been actively tracking the recent exploitation of the AVM1203 flaw. By employing a “honeypot”—a network of devices designed to replicate the vulnerable cameras—Akamai has been able to witness the attacks live. However, the honeypot configuration does not provide a precise estimate of the botnet’s scale.

The attackers have exploited the vulnerability to deploy a version of the Mirai malware, specifically the Corona Mirai variant, which has been associated with other attacks since 2020. The malware propagates by connecting to numerous hosts via Telnet on ports 23, 2323, and 37215. Once executed, the malware displays the string “Corona” on the console of an infected device, indicating this specific variant.
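The propagation behaviour just described gives network defenders a usable signal: an infected camera suddenly starts opening Telnet connections to many different hosts. The example below is added here and is not Akamai’s code or part of the original report; it runs over constructed flow records (the field layout timestamp, source, destination, destination port, protocol is assumed) and reports any source that fans out to an unusual number of distinct destinations on TCP ports 23, 2323 or 37215 within a short window.

```python
"""Spot Mirai-style Telnet spreading in connection/flow records.

Added defender-side example, not Akamai's code. Corona Mirai spreads by
connecting to many hosts on TCP 23, 2323 and 37215 (ports from the report),
so an infected device appears as one source fanning out to many distinct
destinations on those ports in a short time. Flow records are constructed;
their layout (ts_seconds, src, dst, dport, proto) is an assumption.
"""
from collections import defaultdict

TELNET_PORTS = {23, 2323, 37215}   # ports named in the report
FANOUT_THRESHOLD = 5               # distinct destinations before alerting
WINDOW_SECONDS = 60                # sliding window length

# Constructed sample flows: (ts_seconds, src, dst, dport, proto)
SAMPLE_FLOWS = [
    # 192.0.2.10 behaves like an infected camera: six targets in ten seconds
    (1000, "192.0.2.10", "198.51.100.1", 23, "tcp"),
    (1002, "192.0.2.10", "198.51.100.2", 2323, "tcp"),
    (1004, "192.0.2.10", "198.51.100.3", 37215, "tcp"),
    (1006, "192.0.2.10", "198.51.100.4", 23, "tcp"),
    (1008, "192.0.2.10", "198.51.100.5", 23, "tcp"),
    (1010, "192.0.2.10", "198.51.100.6", 2323, "tcp"),
    # 192.0.2.20 is an admin host talking Telnet to a single switch
    (1001, "192.0.2.20", "198.51.100.9", 23, "tcp"),
    (1030, "192.0.2.20", "198.51.100.9", 23, "tcp"),
    # 192.0.2.30 fans out, but on HTTP, so it is out of scope here
    (1005, "192.0.2.30", "203.0.113.1", 80, "tcp"),
    (1006, "192.0.2.30", "203.0.113.2", 80, "tcp"),
    (1007, "192.0.2.30", "203.0.113.3", 80, "tcp"),
    (1008, "192.0.2.30", "203.0.113.4", 80, "tcp"),
    (1009, "192.0.2.30", "203.0.113.5", 80, "tcp"),
    # 192.0.2.40 reaches five Telnet hosts, but spread over 400 s: no alert
    (2000, "192.0.2.40", "198.51.100.11", 23, "tcp"),
    (2100, "192.0.2.40", "198.51.100.12", 23, "tcp"),
    (2200, "192.0.2.40", "198.51.100.13", 23, "tcp"),
    (2300, "192.0.2.40", "198.51.100.14", 23, "tcp"),
    (2400, "192.0.2.40", "198.51.100.15", 23, "tcp"),
]


def find_telnet_scanners(flows, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: sorted destinations} for every source that contacted at
    least `threshold` distinct hosts on Telnet ports within any `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if proto == "tcp" and dport in TELNET_PORTS:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        best = set()
        left = 0
        # Slide a time window over this source's Telnet connections and keep
        # the largest set of distinct destinations seen inside one window.
        for right in range(len(events)):
            while events[right][0] - events[left][0] > window:
                left += 1
            in_window = {dst for _, dst in events[left:right + 1]}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= threshold:
            alerts[src] = sorted(best)
    return alerts


if __name__ == "__main__":
    for src, dsts in find_telnet_scanners(SAMPLE_FLOWS).items():
        print(f"{src} contacted {len(dsts)} Telnet hosts in {WINDOW_SECONDS}s: {dsts}")
```

The threshold and window are deliberately conservative so that an administrator’s repeated Telnet sessions to one device do not trip the rule; tune them against your own baseline, and treat a hit on a camera or other appliance that should never initiate outbound Telnet as a strong indicator of compromise.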

#### Wider Implications and Recommendations

The exploitation of this flaw underscores the ongoing dangers posed by unsupported and unpatched IoT devices. The AVM1203 camera exemplifies how outdated technology can serve as a conduit for widespread cyberattacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also released alerts regarding this vulnerability, urging heightened awareness in securing IoT devices.

For anyone still using the AVM1203 or similar unsupported devices, the most advisable step is to replace them with supported, modern alternatives. It is also crucial to ensure that no IoT device remains reachable with default credentials, as this is one of the most frequent entry points for attackers.

#### Conclusion

The exploitation of the AVM1203 vulnerability to disseminate Mirai malware highlights the critical need for keeping security measures current for all Internet-connected devices. As IoT devices become increasingly woven into our everyday lives, the urgency for strong cybersecurity practices continues to rise. Users must stay alert, ensuring that their devices are secure and supported, to avoid becoming unintentional participants in the next significant cyberattack.