Cyber security researchers have warned of a new large-scale campaign exploiting security flaws in AVTECH IP cameras and Huawei HG532 routers to connect devices to a Mirai botnet variant called Murdoc_Botnet.
The ongoing activity “demonstrates advanced capabilities by exploiting vulnerabilities to compromise devices and create extensive botnet networks,” Qualys security researcher Shilpesh Trivedi said in an analysis.
It is known that the company has been active since at least July 2024, p more than 1370 systems infected to date. Most of the cases of infection were located in Malaysia, Mexico, Thailand, Indonesia and Vietnam.
Evidence shows that the botnet exploits known security flaws such as CVE-2017-17215 and CVE-2024-7029 to gain initial access to Internet of Things (IoT) devices and download the next-stage payload via a shell script.
The script, for its part, extracts the botnet malware and runs it depending on the processor architecture. The ultimate goal of these attacks is to make the botnet a weapon to carry out Distributed Denial of Service (DDoS) attacks.
The development comes weeks after the release of a Mirai botnet variant called gayfemboy found exploiting a recently discovered security flaw affecting Four-Faith industrial routers since early November 2024. In the middle of 2024. Neither does Akamai revealed that CVE-2024-7029 was used by abusers to include AVTECH devices in a botnet.
Details emerged last week of another large-scale DDoS attack campaign targeting major Japanese corporations and banks from late 2024 using an IoT botnet created by exploiting vulnerabilities and weak credentials. Some of the other targets are centered around the US, Bahrain, Poland, Spain, Israel and Russia.
DDoS activity has been found to single out the telecommunications, technology, hosting, cloud computing, banking, gaming and financial services sectors. More than 55% of hacked devices are located in India, followed by South Africa, Brazil, Bangladesh and Kenya.
“The botnet contains variants of malware derived from Mirai and BEGIN,” Trend Micro said. “Botnet commands include those that can include various DDoS attack techniques, update malware, and include proxy services.”
The attacks involve infiltrating IoT devices to deploy a bootloader malware that receives the actual payload, which then connects to a command and control (C2) server and waits for further instructions for DDoS attacks and other purposes.
To guard against such attacks, it is recommended to monitor suspicious processes, events, and network traffic caused by the execution of any untrusted binaries/scripts. It is also recommended to apply firmware updates and change the default username and password.
