Tech News

Malware Botnet Exploits Vulnerable AVTECH IP Cameras

Published

3 weeks ago

September 1, 2024

Researchers have uncovered the active exploitation of a zero-day vulnerability in AVTECH IP cameras by the Corona Mirai malware botnet. Since the cameras have reached end-of-life and no vulnerability fix is forthcoming, users are left with no choice but to discontinue their use.

Corona Mirai Malware Botnet Exploits Unpatched Zero-Day In AVTECH IP Cameras

According to a recent report from Akamai, numerous attacks from the Corona Mirai malware botnet have been targeting an unpatched vulnerability in AVTECH IP cameras.

The vulnerability in question, CVE-2024-7029, was identified by researcher Aline Eliovich and has been assigned a high severity rating with a CVSS score of 8.7. This flaw is present in the brightness function of the cameras located in the file /cgi-bin/supervisor/Factory.cgi. As per the researchers,

…the “brightness” argument in the “action=” parameter allows for command injection.

Despite being known for five years and having Proof of Concept (PoC) exploits available, this vulnerability was only assigned a CVE ID in August 2024. Although it remained unexploited until March 2024, Akamai researchers discovered active Corona campaigns leveraging this flaw. However, further analysis revealed that exploitation attempts date back to December 2023.

The affected firmware versions are FullImg-1023-1007-1011-1009 and earlier for AVTECH IP cameras AVM1203. Since these models are no longer supported, users are at risk until they replace the affected devices, as no fix will be provided to address the vulnerability.

Akamai observed the Corona Mirai malware botnet exploiting the zero-day vulnerability to execute malicious code through remote attacks. The attackers aim to execute a JavaScript file to fetch and load their primary malware payload. Once executed, the malware establishes connections to various hosts via Telnet on ports 23, 2323, and 37215.

CISA Warned Of The Vulnerability Earlier

Following the assignment of a CVE ID to this vulnerability, the US CISA issued an alert to users, cautioning about the ongoing exploitation. The advisory highlights the global threat landscape, with a particular focus on healthcare, commercial, and financial sectors—key users of vulnerable devices.

Given the absence of a patch for this vulnerability, CISA recommends implementing mitigations to reduce the associated risks. These measures include limiting network exposure for control systems/devices, isolating local control systems/devices behind firewalls, and securing remote access through VPNs.

We welcome your thoughts in the comments section.