Check your IP cameras: There’s a new Mirai botnet on the rise

[Security](/security/)

Also, US offering $2.5M for Belarusian hacker, Backpage kingpins jailed, additional MOVEit victims, and more

[Brandon Vigliarolo](/Author/Brandon-Vigliarolo) Sat 31 Aug 2024 // 18:22 UTC

**In brief** A series of IP cameras still used all over the world, despite being well past their end of life, have been exploited to create a new Mirai botnet.

The vulnerability (CVSS 8.7, [CVE-2024-7029](https://nvd.nist.gov/vuln/detail/CVE-2024-7029)) was reported to CISA by security researchers from Akamai, who [said](https://www.akamai.com/blog/security-research/2024-corona-mirai-botnet-infects-zero-day-sirt) the campaign they discovered leveraging the remote code execution (RCE) vulnerability in AVTECH AVM1203 IP cameras has been active since early 2024, but the vulnerability itself is much older.

"The proof of concept (PoC) for CVE-2024-7029 has been publicly available since at least 2019, but it never had a proper CVE assignment until August 2024," Akamai threat researchers Aline Eliovich, Kyle Lefton and Larry Cashdollar wrote.

Support for AVTECH AVM1203 cameras ended in 2019 as well, and it doesn't appear the manufacturer plans to release a patch.

The exploit doesn't require a user to be authenticated, and allows an attacker to abuse a flaw in the camera's "brightness" argument in the "action=" parameter to inject commands with the same privileges as the owner of the device.

"Despite the model in question having been discontinued for several years … these devices are still used worldwide, including by transportation authorities and other critical infrastructure entities," Akamai notes.
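Since the camera cannot be patched, the practical defence is to spot abuse of that argument in traffic. The following Python is an added example, not code from The Register or Akamai: it scans constructed access-log lines (from the cameras themselves or a reverse proxy in front of them) for requests that carry `action=` together with a `brightness` value containing shell metacharacters or anything other than a plain integer. The CGI path in the sample lines is a hypothetical placeholder, not the real AVTECH endpoint.

```python
import re
from urllib.parse import parse_qs, urlsplit

# A brightness setting should be a plain integer; these are the shell
# separators and substitution characters that signal command injection.
SHELL_META = re.compile(r"[;|&`$<>\r\n]")

# Common/combined access-log prefix: client, ident, user, [time], "METHOD target HTTP/x".
REQ_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/'
)

# Constructed sample lines, not real traffic. The CGI path is a hypothetical
# placeholder, not the AVTECH endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Aug/2024:18:22:01 +0000] "GET /cgi-bin/placeholder.cgi?action=set&brightness=50 HTTP/1.1" 200 512
203.0.113.9 - - [31/Aug/2024:18:22:03 +0000] "GET /cgi-bin/placeholder.cgi?action=set&brightness=1%3Becho%20probe HTTP/1.1" 200 512
203.0.113.7 - - [31/Aug/2024:18:22:05 +0000] "GET /cgi-bin/placeholder.cgi?action=set&brightness=abc HTTP/1.1" 200 512
198.51.100.2 - - [31/Aug/2024:18:22:07 +0000] "GET /index.html HTTP/1.1" 200 1024
"""


def inspect_request(target: str):
    """Return a reason string if the brightness argument looks abusive, else None.

    parse_qs percent-decodes values, so an encoded ';' (%3B) is caught as well.
    """
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if "action" not in params or "brightness" not in params:
        return None
    for value in params["brightness"]:
        if SHELL_META.search(value):
            return f"shell metacharacter in brightness={value!r}"
        if not value.isdigit():
            return f"non-numeric brightness={value!r}"
    return None


def scan_log(text: str):
    """Return a list of (client, reason) for every request line that trips inspect_request."""
    findings = []
    for line in text.splitlines():
        match = REQ_RE.match(line)
        if not match:
            continue  # not a request line in the expected format
        reason = inspect_request(match.group("target"))
        if reason:
            findings.append((match.group("client"), reason))
    return findings


if __name__ == "__main__":
    for client, reason in scan_log(SAMPLE_LOG):
        print(f"{client}: {reason}")
```

A hit on a device that the page describes as unauthenticated-by-design is a strong signal, since no legitimate client sends a non-numeric brightness.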
Several other old and established vulnerabilities are being used to spread the [Mirai](https://www.theregister.com/2023/11/23/zeroday_routers_mirai_botnet/) variant, which Akamai said appears to be the same COVID-19-themed version that's been floating around since 2020.

The other vulnerabilities being abused to spread the botnet include a Hadoop YARN RCE, a 10-year-old CVSS 9.8 vulnerability in the Realtek SDK ([CVE-2014-8361](https://nvd.nist.gov/vuln/detail/CVE-2014-8361)) and a [well-documented flaw](https://www.theregister.com/2019/03/28/huawei_mirai_router_vulnerability/) in Huawei HG532 routers ([CVE-2017-17215](https://nvd.nist.gov/vuln/detail/CVE-2017-17215)).

With those other vulnerabilities also present in aged software and hardware, consider this entire story a reminder not to leave out-of-service devices and outdated software on your networks.

### Critical vulnerabilities of the week

This week, we bring to you two rather serious CVEs that have been spotted under active exploitation – one in Apache OFBiz, and the other in Google Chrome's V8 engine.

In the first case, we have [CVE-2024-38856](https://nvd.nist.gov/vuln/detail/CVE-2024-38856), found in Apache's open source ERP platform. With a CVSS score of 9.8, this issue in all versions of OFBiz through 18.12.14 can lead to unauthenticated endpoints improperly allowing execution of screen rendering code, due to an incorrect authentication vulnerability.

In the latter case, the V8 JavaScript engine in Chrome versions prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption using a malicious HTML page. The vulnerability is tracked as [CVE-2024-7965](https://nvd.nist.gov/vuln/detail/CVE-2024-7965), with a CVSS score of 8.8.

### Add another half million to those MOVEit numbers

It's been a while since we've had to mention a new [MOVEit victim](https://www.theregister.com/2023/11/20/moveit_victim_77m_medical/) coming forward – yet here we are.

The Texas Dow Employees Credit Union filed a data breach [notification](https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/454421ae-4902-4d65-bf62-732bb0987b88.html) in Maine last week indicating that data belonging to 500,474 customers had been exposed when MOVEit was [compromised](https://www.theregister.com/2023/06/01/moveit_transfer_zero_day/) back in May 2023.

TDECU said it took immediate action to mitigate the issue when it was notified – only it didn't appear to have discovered the matter until the end of July 2024.

There was no compromise of TDECU's internal systems, as has been the case with other victims of the MOVEit breach, but that doesn't change the fact that some valuable data was stolen, including names, birthdates, social security numbers, government ID numbers, bank account info and other sensitive PII.

With nearly 80 million people impacted by the MOVEit breach, and apparently more victims still to come forward, it's entirely unclear what the ultimate count might be.

### US Secret Service offers $2.5M bounty for Belarusian hacker

Weeks after [arresting](https://www.theregister.com/2024/08/13/j_p_morgan_suspect_indicted_charged/) a notorious Belarusian-Ukrainian hacker, the US government is putting out a hefty reward for information leading to the apprehension of one of his close associates.

The US Secret Service placed a reward of up to $2.5 million on Volodymyr Kadariya, one of two associates of the recently arrested Maksim Silnikau who have been charged alongside him.

In Kadariya's case, he's been charged – like Silnikau – with allegedly operating a decade-long malvertising ring that was used to transmit the notorious [Angler Exploit Kit](https://www.theregister.com/2016/08/16/angler_8734564567/), as well as crimes like wire fraud and conspiracy to commit wire fraud.

While Silnikau may have been nabbed, neither Kadariya nor the pair's other alleged co-conspirator, Russian national Andrei Tarasov, have been apprehended. If they're ever caught, they may face decades in prison – the same thing Silnikau is facing on his own right now.

### Backpage owners sentenced

Backpage, the notorious website that was a haven for underage sex trafficking in the United States before it was shut down in 2018, has just had three more of its leaders sentenced to prison.

Michael Lacey, Scott Spear and John "Jed" Brunst, [identified](https://www.justice.gov/opa/pr/three-owners-notorious-prostitution-website-backpagecom-sentenced) by the Department of Justice as the owners of the site, were each sentenced to three years of supervised release after a decade in prison, with Lacey only getting five years behind bars, according to the DOJ.

Backpage CEO Carl Ferrer pled [guilty](https://www.theregister.com/2018/04/13/backpage_dotcom_pleads_quilty_to_money_laundering_and_human_trafficking/) to facilitating prostitution and engaging in money laundering shortly after the site was seized; the site's sales and marketing director Dan Hyer also pled guilty to similar charges. James Larkin, another individual charged in the case, died before the start of the trial, the DOJ notes.

Backpage made more than $500 million in its eight years of operation as an illegal prostitution and human trafficking-friendly site.

### CISA launches incident reporting portal

In a bid to streamline the often onerous cyber incident reporting process, CISA has launched a new [Services Portal website](https://myservices.cisa.gov/irf) where organizations can report incidents, share reports with third parties and chat with CISA officials.

Along with logging in with a login.gov account, reports can also be submitted anonymously via the same site.

"Any organization experiencing a cyber attack or incident should report it — for its own benefit, and to help the broader community," said CISA Executive Assistant Director for Cybersecurity Jeff Greene. "CISA and our government partners have unique resources and tools to aid with response and recovery, but we can't help if we don't know about an incident."

The portal's availability comes with a little over a year until CISA is set to issue the mandatory reporting rules specified under the Cyber Incident Reporting for Critical Infrastructure Act ([CIRCIA](https://www.theregister.com/2024/03/28/critical_infrastructure_cyberattack_reporting/)), signed into law in 2022.

Once the rule goes into effect – President Biden gave CISA an October 2025 deadline to finalize it – substantial cybersecurity incidents at critical infrastructure organizations will have to be reported to CISA within 72 hours.

Consider this your opportunity to get some practice in.
®