Exploited AVTECH IP Camera Vulnerability Used by Cybercriminals for Botnet Attacks

August 29, 2024Ravie LakshmananInternet of Things Security / Vulnerability

A years-old high-severity flaw affecting AVTECH IP cameras has been weaponized by malicious actors as a one-day exploit to rope the devices into a botnet.

The flaw, tracked as CVE-2024-7029 (CVSS score: 8.7), is a “command injection vulnerability detected in the brightness function of AVTECH closed-circuit television (CCTV) cameras, allowing for remote code execution (RCE),” Akamai researchers Kyle Lefton, Larry Cashdollar, and Aline Eliovich said.

Details of the security weakness were first disclosed earlier this month by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which highlighted its low attack complexity and the potential for remote exploitation.

“If exploited successfully, this vulnerability could authorize an attacker to inject and execute commands as if they were the owner of the running process,” the agency stated in an alert released on August 1, 2024.

It should be noted that the issue has not yet been patched. It affects AVM1203 camera devices running firmware versions up to and including FullImg-1023-1007-1011-1009. Although the devices have been discontinued, they remain in use in the commercial facilities, financial services, healthcare and public health, and transportation systems sectors, according to CISA.

Akamai said the attack campaign has been ongoing since March 2024, even though a public proof-of-concept (PoC) exploit has existed since February 2019. A CVE identifier was only assigned this month.

“Cybercriminals who manage these botnets have been exploiting new or less noticeable vulnerabilities to distribute malware,” the web infrastructure company said. “There exist numerous vulnerabilities with public exploits or available PoCs lacking an official CVE assignment, and, in certain situations, the devices remain vulnerable.”

The attack chains are fairly simple: they exploit the AVTECH IP camera flaw, alongside other known vulnerabilities (CVE-2014-8361 and CVE-2017-17215), to deliver a Mirai botnet variant to targeted systems.

“In this case, the botnet is probably utilizing the Corona Mirai version, which has been indicated by other vendors as far back as 2020 concerning the COVID-19 pandemic,” the researchers said. “Once activated, the malicious program connects to a plethora of hosts through Telnet on ports 23, 2323, and 37215. Additionally, it displays the term ‘Corona’ on the console of an infected host.”
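A defender-side check for the behaviour described above, a single host fanning out Telnet connection attempts on ports 23, 2323 and 37215 to many destinations. This is an added example, not code from Akamai or the article; the iptables-style log format, thresholds and sample lines are constructed for illustration.

```python
"""Flag internal hosts that fan out Telnet connection attempts to many
destinations on the ports the Corona Mirai variant is reported to use."""
from collections import defaultdict
import re

# Ports named in the Akamai write-up for the Corona Mirai variant.
MIRAI_TELNET_PORTS = {23, 2323, 37215}

# Constructed iptables-style log lines (not real telemetry).
SAMPLE_LOG = """\
Aug 29 10:01:02 gw kernel: FW SRC=10.0.5.21 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=23 SYN
Aug 29 10:01:02 gw kernel: FW SRC=10.0.5.21 DST=203.0.113.11 PROTO=TCP SPT=40002 DPT=2323 SYN
Aug 29 10:01:03 gw kernel: FW SRC=10.0.5.21 DST=198.51.100.7 PROTO=TCP SPT=40003 DPT=37215 SYN
Aug 29 10:01:03 gw kernel: FW SRC=10.0.5.21 DST=198.51.100.8 PROTO=TCP SPT=40004 DPT=23 SYN
Aug 29 10:01:04 gw kernel: FW SRC=10.0.5.21 DST=198.51.100.9 PROTO=TCP SPT=40005 DPT=23 SYN
Aug 29 10:01:05 gw kernel: FW SRC=10.0.5.40 DST=10.0.5.1 PROTO=TCP SPT=50100 DPT=23 SYN
Aug 29 10:01:06 gw kernel: FW SRC=10.0.5.40 DST=10.0.5.1 PROTO=TCP SPT=50101 DPT=23 SYN
Aug 29 10:01:07 gw kernel: FW SRC=10.0.5.77 DST=93.184.216.34 PROTO=TCP SPT=51000 DPT=443 SYN
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP \S+ DPT=(?P<dport>\d+)")

def parse_line(line):
    """Return (src, dst, dport) for a TCP log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], int(m["dport"])

def find_telnet_scanners(log_text, min_unique_dsts=3):
    """Return {src: {"dsts": n, "ports": [...]}} for sources that hit Mirai Telnet
    ports on at least min_unique_dsts distinct destinations (constructed threshold).
    A host repeatedly reaching one legitimate Telnet server stays below it."""
    dsts = defaultdict(set)
    ports = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport in MIRAI_TELNET_PORTS:
            dsts[src].add(dst)
            ports[src].add(dport)
    return {src: {"dsts": len(d), "ports": sorted(ports[src])}
            for src, d in dsts.items() if len(d) >= min_unique_dsts}

if __name__ == "__main__":
    for src, info in find_telnet_scanners(SAMPLE_LOG).items():
        print(f"{src}: {info['dsts']} destinations on ports {info['ports']}")
```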

The disclosure follows reports from cybersecurity companies Sekoia and Team Cymru about a “mysterious” botnet named 7777 (or Quad7) that has been using compromised TP-Link and ASUS routers to carry out password-spraying attacks against Microsoft 365 accounts. As many as 12,783 active bots were identified as of August 5, 2024.

“This botnet has been acknowledged in open-source for setting up SOCKS5 proxies on compromised devices to carry out extremely sluggish ‘brute-force’ attacks on Microsoft 365 accounts of various entities worldwide,” Sekoia researchers said, noting that most of the infected routers are located in Bulgaria, Russia, the U.S., and Ukraine.

While the botnet was named after the fact it opens TCP port 7777 on compromised devices, a subsequent investigation by Team Cymru revealed an expansion that includes a second array of bots primarily composed of ASUS routers, distinguished by the open port 63256.

“The Quad7 botnet remains a considerable threat, demonstrating both resilience and adaptability, even if its full extent is currently undisclosed or unreached,” Team Cymru said. “The connection between the 7777 and 63256 botnets, while maintaining what seems like a separate operational unit, further underscores the evolving strategies of the threat operators behind Quad7.”
