
Mirai Botnet Targets TBK DVRs with Command Injection Exploit

Summary

– A new Mirai botnet variant exploits CVE-2024-3721, a command injection vulnerability in TBK DVR-4104 and DVR-4216 devices, using a published PoC.
– The attack involves sending a crafted POST request to execute shell commands, dropping an ARM32 binary that enlists the device into the botnet for DDoS attacks and malicious traffic routing.
– Kaspersky detected around 50,000 exposed vulnerable devices, with infections primarily in China, India, Egypt, Ukraine, Russia, Turkey, and Brazil.
– It remains unclear if TBK Vision has patched the flaw, and the affected devices are rebranded under multiple brands, complicating patch availability.
– The researcher also disclosed similar flaws in EoL D-Link devices in 2024, showing rapid exploitation by malware authors after PoC disclosure.

A dangerous new Mirai botnet campaign is actively compromising vulnerable TBK DVR devices through a critical security flaw, turning them into weapons for large-scale cyberattacks. Security experts have observed attackers exploiting CVE-2024-3721, a command injection vulnerability in TBK DVR-4104 and DVR-4216 models, to deploy malicious payloads and recruit devices into their botnet army.

The vulnerability first came to light when researcher “netsecfish” published technical details in April 2024, demonstrating how specially crafted POST requests could execute arbitrary commands on affected devices. Kaspersky’s threat intelligence team recently confirmed active exploitation attempts in their honeypot systems, with attackers using the researcher’s proof-of-concept to deliver an ARM32-based Mirai variant. Once infected, devices connect to remote command servers, enabling threat actors to weaponize them for DDoS attacks, traffic routing, and other malicious activities.

While initial estimates suggested over 114,000 internet-connected DVRs might be vulnerable, current scans indicate around 50,000 remain exposed globally. Geographical data from Kaspersky shows concentrated infections in China, India, Egypt, and several other countries, though detection gaps likely exist due to regional software restrictions.

The patch status for affected devices remains uncertain. TBK Vision has not publicly addressed whether firmware updates are available, and the situation is complicated by widespread device rebranding. These DVR models circulate under numerous labels including Novo, CeNova, QSee, and Night OWL, making coordinated remediation challenging.

This incident follows a pattern of rapid weaponization—netsecfish previously uncovered similar flaws in obsolete D-Link hardware, which malware operators exploited within days of disclosure. The trend underscores how cybercriminals aggressively repurpose public vulnerability research to expand their attack infrastructure.

Owners of TBK-branded or rebadged DVR equipment should isolate vulnerable devices from the internet immediately while awaiting vendor guidance. Without proper mitigation, these compromised systems risk becoming persistent threats in broader attack campaigns.

(Source: BLEEPING COMPUTER)

