Analysis of the latest Mirai wave exploiting TBK DVR devices with CVE-2024-3721
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
A new wave of Mirai botnet attacks is exploiting CVE-2024-3721 to target TBK DVR devices. The campaign uses a POST request to execute system commands without authorization, downloading and running an ARM32 binary. This Mirai variant includes features such as RC4 string encryption, anti-VM checks, and anti-emulation techniques. The malware checks whether it is running in a virtual environment and checks for allowed directories. Infected devices are primarily located in China, India, Egypt, Ukraine, Russia, Turkey, and Brazil. Over 50,000 exposed DVR devices are potentially vulnerable. The botnet's main goal is to conduct DDoS attacks. Updating vulnerable devices and performing factory resets are recommended as protective measures.
OPENCTI LABELS:
botnet, ddos, anti-emulation, mirai, iot, dvr, anti-vm, rc4 encryption, cve-2024-3721