Akamai’s Security Intelligence and Response Team (SIRT) has identified a new botnet campaign exploiting multiple vulnerabilities, including a zero-day vulnerability, CVE-2024-7029, discovered by Aline Eliovich. This command injection vulnerability exists in the brightness function of AVTECH IP camera devices, allowing for remote code execution (RCE). The botnet spreads a Mirai variant with strings referencing the COVID-19 virus, leveraging this vulnerability to infect systems.
CVE-2024-7029: This vulnerability affects AVTECH IP camera models with firmware versions up to AVM1203 FullImg-1023-1007-1011-1009. The flaw allows attackers to inject commands through the “brightness” parameter in the device’s web interface, leading to remote code execution.Exploitation: The botnet campaign not only exploits CVE-2024-7029 but also targets older, unpatched vulnerabilities, such as a Hadoop YARN RCE, CVE-2014-8361, and CVE-2017-17215. These vulnerabilities, though older, remain effective due to their widespread use in unpatched systems.Spread of Mirai Variant: The attack chain involves exploiting the identified vulnerabilities to download and execute a variant of the Mirai botnet. This variant, known as Corona Mirai, connects to command-and-control servers and spreads across networks, particularly through Telnet on ports 23, 2323, and 37215.Affected Devices: The vulnerability primarily impacts AVTECH IP camera models, specifically those running the AVM1203 firmware versions mentioned above. Despite these models being discontinued, they are still in use in critical infrastructure, including transportation authorities
Affected Models:
AVTECH IP Cameras: Specifically models running up to AVM1203 firmware versions FullImg-1023-1007-1011-1009.
1 post – 1 participant
2024-08-28 Akamai Beware the Unpatchable: Corona Mirai Botnet Spreads via Zero-Day (CVE-2024-7029) – command injection vulnerability found in the brightness function of AVTECH closed-circuit television (CCTV) Akamai’s Security Intelligence and Response Team (SIRT) has identified a new botnet campaign exploiting multiple vulnerabilities, including a zero-day vulnerability, CVE-2024-7029, discovered by Aline Eliovich. This command injection vulnerability exists in the brightness function of AVTECH IP camera devices, allowing for remote code execution (RCE). The botnet spreads a Mirai variant with strings referencing the COVID-19 virus, leveraging this vulnerability to infect systems.CVE-2024-7029: This vulnerability affects AVTECH IP camera models with firmware versions up to AVM1203 FullImg-1023-1007-1011-1009. The flaw allows attackers to inject commands through the “brightness” parameter in the device’s web interface, leading to remote code execution.Exploitation: The botnet campaign not only exploits CVE-2024-7029 but also targets older, unpatched vulnerabilities, such as a Hadoop YARN RCE, CVE-2014-8361, and CVE-2017-17215. These vulnerabilities, though older, remain effective due to their widespread use in unpatched systems.Spread of Mirai Variant: The attack chain involves exploiting the identified vulnerabilities to download and execute a variant of the Mirai botnet. This variant, known as Corona Mirai, connects to command-and-control servers and spreads across networks, particularly through Telnet on ports 23, 2323, and 37215.Affected Devices: The vulnerability primarily impacts AVTECH IP camera models, specifically those running the AVM1203 firmware versions mentioned above. Despite these models being discontinued, they are still in use in critical infrastructure, including transportation authoritiesAffected Models:AVTECH IP Cameras: Specifically models running up to AVM1203 firmware versions FullImg-1023-1007-1011-1009.DownloadDownload. Email me if you need the password scheme.File Information├── 06b1f09a62204472581e6aec381f96014bb6cc3fc1a9cef38bbcfe88bd82e499 r├── 0a566c39ecbc4107f954cb3e5e240ccaf0018dfac9b5062b4db7971fb3d9f413 elf ├── 135264de24d499877e95673b9cca737e488042813f41fef7817728a704323fe2 r├── 15a1d52c529d314bb2b5fa8b8bd6c6a496609a283dd0e78e595c929e720d1b5b├── 22553be649f76a060ebbdfd410e295b66803e9c49d23369a726be2c5a25733ab sh ├── 25945c4fe38ed2008f027bd1484b89867b23528c738812d317ddf57f48666b91 r├── 372eefdc4bf9f4a4382db2762fcf9a9db559c9d4fff2ee5f5cf5362418caaa92 r├── 3995a7e7eb8eeafb0b6da2c3813e61d11993a820d478c87809136de79d8f8280 sh ├── 40d8f662c187b53fd6fdeb70db9eb262b707e557d3fa4e5e4eacaeaa03ac45f2 r├── 4826b0194fbd924aa57b9c4ab1e017f0f45f547189374b0ea761d415fa4285ff elf ├── 4f50d318688c80f08eb7fad6f8788cae459c3420b3b9eb566f936edd7a780ae1 sh ├── 5e264cb009c4d84b6180e47b9ceda3af8897b17b88fccc9c2914706d66abd1d1 r├── 6ad5984bc9af7af6962a080bbb1a35bb56e8671c4b9c1d44e88da5a3f6b9aa82 r├── 774947944ea370592a30478bb3f26081799f7d7df975a6735e620d3442e7803b elf ├── 8ac82a770cffbbc8fba73554d7caa117ef6d37ffee468665b95bc406449f91b5 r├── 947f517d3b833cc046b2ea0540aad199b7777fb03057122fb0b618828abdc212 r├── 9e9e481bb448438572c2695469c85f773ddcd952025e45bee33bbfce2531c656 r├── b0f7ef937d77061515907c54967a44da3701e0d2af143164bbf44bb4fc6f26af sh ├── c0ae1eb249705f61d45ca747c91c02a411557a28792f4064c1d647abb580bc10 x86 elf ├── c15bbfb85bfd8305fad8cc0e0d06cbe825e1e6fc6d8dbe5a8d1ac4243bd77d0c elf ├── cfcae524309a220a48327c50bf32bf5ed3aed5698855b5da9f1ae932fb2df90c elf ├── e82192fbe00bc7205abe786155bbfc0548f5c6ee9819a581e965526674f3cc57 mips elf └── f4bf61fc335db4f3e7d7d89b534bc1e6ead66a51938e119ea340fe95039935e3 mips elf
Article Link: contagio: 2024-08-28 CORONA MIRAI Botnet Spreads via Zero-Day (CVE-2024-7029) – command injection vulnerability found in the brightness function of AVTECH closed-circuit television (CCTV) Samples
1 post – 1 participant
Read full topic