A years-old, high-severity flaw affecting AVTECH IP cameras has been weaponized by attackers as a zero-day to rope the devices into botnets.
The vulnerability in question, CVE-2024-7029 (CVSS score: 8.7), is “a remote code execution (RCE) command injection vulnerability discovered in the brightness feature of AVTECH CCTV cameras,” Akamai researchers Kyle Lefton, Larry Cashdollar and Aline Eliovich said.
Details of the security flaw were first published earlier this month by the US Cybersecurity and Infrastructure Security Agency (CISA), highlighting its low attack complexity and remote exploitability.
“Successful exploitation of this vulnerability could allow an attacker to enter and execute commands as the owner of a running process,” the agency noted in a notice published on August 1, 2024.
It is worth noting that the problem remains unpatched. It affects AVM1203 camera devices running firmware versions up to and including FullImg-1023-1007-1011-1009. Although discontinued, the devices are still used in the commercial facilities, financial services, healthcare and public health, and transportation systems sectors, according to CISA.
Akamai said the attack campaign has been ongoing since March 2024, although a public proof of concept (PoC) for the vulnerability has existed since February 2019. The CVE identifier, however, was only assigned this month.
“The attackers running these botnets have used new or hidden vulnerabilities to spread malware,” the web infrastructure company said. “There are many vulnerabilities with public exploits or available PoCs that do not have an official CVE designation, and in some cases devices remain unpatched.”
The attack chains are fairly simple: they exploit the AVTECH IP camera flaw along with other known vulnerabilities (CVE-2014-8361 and CVE-2017-17215) to spread a Mirai botnet variant on target systems.
“In this case, the botnet is likely using the Corona Mirai variant, which other vendors have referenced as early as 2020 in relation to the COVID-19 virus,” the researchers said. “Once executed, the malware connects to a large number of hosts via Telnet on ports 23, 2323, and 37215. It also prints the string ‘Corona’ to the console on the infected host.”
The development comes weeks after cybersecurity firms Sekoia and Team Cymru detailed a “mysterious” botnet called 7777 (or Quad7) that uses compromised TP-Link and ASUS routers to launch password spraying attacks on Microsoft 365 accounts. As of August 5, 2024, 12,783 active bots were detected.
“This botnet is known in open source to deploy SOCKS5 proxies on compromised devices to transmit very slow ‘brute force’ attacks against Microsoft 365 accounts of many organizations around the world,” Sekoia researchers said, noting that most of the infected routers are located in Bulgaria, Russia, the USA and Ukraine.
While the botnet got its name from the fact that it opens up TCP port 7777 on compromised devices, further investigation by Team Cymru has since revealed a possible expansion to include a second set of bots consisting mainly of ASUS routers and characterized by open port 63256.
“The Quad7 botnet continues to pose a significant threat, demonstrating both resilience and adaptability, even if its potential is currently unknown or unreachable,” Team Cymru said. “The connection between the 7777 and 63256 botnets, while maintaining what appears to be a clear operational bunker, further highlights the evolving tactics of the threat operators behind Quad7.”
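The two network behaviours the article reports are observable from the defender's side: the Corona Mirai variant contacting many hosts over Telnet on ports 23, 2323 and 37215, and the Quad7 bots exposing TCP ports 7777 and 63256 on compromised routers. The script below is an added example, not code from the article, Akamai, Sekoia or Team Cymru. It runs both checks over a constructed flow log. The log format (timestamp, source, destination, protocol, destination port, direction), the IP addresses, and the fan-out threshold of five distinct targets are all assumptions made for the example; a hit on these ports is an indicator worth investigating, not proof of compromise.

```python
"""
Flag two botnet behaviours described in the article from a simple flow log.

  1. Mirai-style Telnet fan-out: one host opening outbound TCP connections to
     many distinct destinations on 23, 2323 or 37215.
  2. Quad7-style listeners: a device accepting inbound TCP connections on
     7777 or 63256.

Input lines (format is an assumption for this example):
    <timestamp> <src_ip> <dst_ip> <proto> <dst_port> <direction>
where direction is "out" (device initiated) or "in" (device accepted).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

MIRAI_SCAN_PORTS = {23, 2323, 37215}     # ports named in the Akamai analysis
QUAD7_LISTEN_PORTS = {7777, 63256}       # ports named by Sekoia / Team Cymru
FANOUT_THRESHOLD = 5                     # assumed: distinct targets before we call it a scan


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    direction: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one whitespace-separated flow record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, proto, dport, direction = parts
    if not dport.isdigit() or direction not in ("in", "out"):
        return None
    return Flow(ts, src, dst, proto.lower(), int(dport), direction)


def find_telnet_fanout(flows: Iterable[Flow], threshold: int = FANOUT_THRESHOLD) -> Dict[str, int]:
    """Map source IP -> number of distinct hosts it contacted on Mirai scan ports,
    keeping only sources at or above the threshold."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.direction == "out" and f.dport in MIRAI_SCAN_PORTS:
            targets[f.src].add(f.dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


def find_quad7_listeners(flows: Iterable[Flow]) -> Dict[str, List[int]]:
    """Map device IP -> sorted list of Quad7-associated TCP ports it accepted connections on."""
    listeners = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.direction == "in" and f.dport in QUAD7_LISTEN_PORTS:
            listeners[f.dst].add(f.dport)
    return {ip: sorted(p) for ip, p in listeners.items()}


def analyze(log_text: str) -> dict:
    """Run both checks over raw log text, silently skipping malformed lines."""
    flows = [f for f in map(parse_flow, log_text.splitlines()) if f is not None]
    return {
        "telnet_fanout": find_telnet_fanout(flows),
        "quad7_listeners": find_quad7_listeners(flows),
    }


# Constructed sample: 192.0.2.10 behaves like a Mirai scanner (6 distinct targets,
# one duplicate), 192.0.2.20 makes a single admin Telnet session plus HTTPS,
# 192.0.2.1 accepts inbound TCP on both Quad7 ports (the UDP line is ignored),
# and the last line is malformed on purpose.
SAMPLE_LOG = """\
2024-08-28T10:00:01Z 192.0.2.10 198.51.100.1 tcp 23 out
2024-08-28T10:00:01Z 192.0.2.10 198.51.100.2 tcp 23 out
2024-08-28T10:00:02Z 192.0.2.10 198.51.100.3 tcp 2323 out
2024-08-28T10:00:02Z 192.0.2.10 198.51.100.4 tcp 2323 out
2024-08-28T10:00:03Z 192.0.2.10 198.51.100.5 tcp 37215 out
2024-08-28T10:00:03Z 192.0.2.10 198.51.100.6 tcp 37215 out
2024-08-28T10:00:03Z 192.0.2.10 198.51.100.6 tcp 37215 out
2024-08-28T10:00:04Z 192.0.2.20 192.0.2.254 tcp 23 out
2024-08-28T10:00:05Z 192.0.2.20 198.51.100.9 tcp 443 out
2024-08-28T10:00:06Z 203.0.113.5 192.0.2.1 tcp 7777 in
2024-08-28T10:00:07Z 203.0.113.5 192.0.2.1 tcp 63256 in
2024-08-28T10:00:08Z 203.0.113.6 192.0.2.1 tcp 443 in
2024-08-28T10:00:09Z 203.0.113.7 192.0.2.1 udp 7777 in
malformed line here
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The fan-out check deliberately counts distinct destinations rather than raw connections, so a single legitimate Telnet session to a management switch (192.0.2.20 in the sample) does not trigger it, while the duplicate line for the scanner does not inflate its count. The listener check keys on the accepting device and the port only; in a real deployment the direction field would come from your firewall or NetFlow collector's notion of connection initiator.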