A years-old high-severity flaw impacting AVTECH IP cameras has been weaponized by malicious actors as a zero-day to rope them into a botnet.
CVE-2024-7029 (CVSS score: 8.7), the vulnerability in question, is a “command injection vulnerability found in the brightness function of AVTECH closed-circuit television (CCTV) cameras that allows for remote code execution (RCE),” Akamai researchers Kyle Lefton, Larry Cashdollar, and Aline Eliovich said.
Details of the security shortcoming were first made public earlier this month by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), highlighting its low attack complexity and the ability to exploit it remotely.
“Successful exploitation of this vulnerability could allow an attacker to inject and execute commands as the owner of the running process,” the agency noted in an alert published August 1, 2024.
It’s worth noting that the issue remains unpatched. It impacts AVM1203 camera devices using firmware versions up to and including FullImg-1023-1007-1011-1009. The devices, although discontinued, are still used in commercial facilities, financial services, healthcare and public health, transportation systems sectors, per CISA.
Akamai said the attack campaign has been underway since March 2024, although the vulnerability has had a public proof-of-concept (PoC) exploit as far back as February 2019. However, a CVE identifier wasn’t issued until this month.
“Malicious actors who operate these botnets have been using new or under-the-radar vulnerabilities to proliferate malware,” the web infrastructure company said. “There are many vulnerabilities with public exploits or available PoCs that lack formal CVE assignment, and, in some cases, the devices remain unpatched.”
The attack chains are fairly straightforward in that they leverage the AVTECH IP camera flaw, alongside other known vulnerabilities (CVE-2014-8361 and CVE-2017-17215), to spread a Mirai botnet variant on target systems.
“In this instance, the botnet is likely using the Corona Mirai variant, which has been referenced by other vendors as early as 2020 in relation to the COVID-19 virus,” the researchers said. “Upon execution, the malware connects to a large number of hosts through Telnet on ports 23, 2323, and 37215. It also prints the string ‘Corona’ to the console on an infected host.”
The development comes weeks after cybersecurity firms Sekoia and Team Cymru detailed a “mysterious” botnet named 7777 (or Quad7) that has leveraged compromised TP-Link and ASUS routers to stage password-spraying attacks against Microsoft 365 accounts. As many as 12,783 active bots have been identified as of August 5, 2024.
“This botnet is known in open source for deploying SOCKS5 proxies on compromised devices to relay extremely slow ‘brute-force’ attacks against Microsoft 365 accounts of many entities around the world,” Sekoia researchers said, noting that a majority of the infected routers are located in Bulgaria, Russia, the U.S., and Ukraine.
While the botnet gets its name from the fact it opens TCP port 7777 on compromised devices, a follow-up investigation from Team Cymru has since revealed a possible expansion to include a second set of bots that are composed mainly of ASUS routers and characterized by the open port 63256.
“The Quad7 botnet continues to pose a significant threat, demonstrating both resilience and adaptability, even if its potential is currently unknown or unreached,” Team Cymru said. “The linkage between the 7777 and 63256 botnets, while maintaining what appears to be a distinct operational silo, further underscores the evolving tactics of the threat operators behind Quad7.”