Nexcorium Botnet Exploits IoT Vulnerabilities to Launch DDoS Attacks
Cybersecurity researchers have identified a new variant of the Mirai botnet, dubbed Nexcorium, actively exploiting vulnerabilities in Internet of Things (IoT) devices to orchestrate large-scale Distributed Denial-of-Service (DDoS) attacks. This development underscores the persistent threat posed by IoT-targeted malware and the critical need for robust security measures.
Exploitation of TBK DVR Vulnerability
Nexcorium primarily targets TBK DVR-4104 and DVR-4216 digital video recorders by exploiting a command injection vulnerability known as CVE-2024-3721, which carries a CVSS score of 6.3. This medium-severity flaw allows attackers to execute arbitrary commands on the affected devices. Once compromised, the malware displays a message stating nexuscorp has taken control, signaling successful infiltration.
Technical Characteristics of Nexcorium
The Nexcorium malware shares architectural similarities with the original Mirai variant, including:
– XOR-Encoded Configuration Table Initialization: This technique obfuscates the malware’s configuration data, making analysis more challenging.
– Watchdog Module: Ensures the malware remains active by monitoring and restarting its processes if necessary.
– DDoS Attack Module: Facilitates the execution of various DDoS attack vectors, such as UDP, TCP, and SMTP floods.
Additionally, Nexcorium incorporates an exploit for CVE-2017-17215 to target Huawei HG532 devices within the same network. It also employs a list of hard-coded usernames and passwords to perform brute-force attacks via Telnet connections. Upon successful login, the malware establishes persistence using crontab and systemd services, then connects to an external command-and-control server to await further instructions. To evade detection, it deletes the original binary after establishing persistence.
Broader Implications and Related Exploits
The emergence of Nexcorium highlights a broader trend of exploiting known vulnerabilities in IoT devices to build botnets capable of launching DDoS attacks. For instance, the Murdoc Botnet has been observed exploiting security flaws in AVTECH IP cameras and Huawei HG532 routers to expand its network. Similarly, the Aquabot botnet has targeted Mitel phones by leveraging CVE-2024-41710, a command injection vulnerability in the boot process, to deploy its payload.
These incidents underscore the critical need for manufacturers and users to prioritize IoT security. Devices often remain vulnerable due to unpatched software, default credentials, and end-of-life status, making them attractive targets for attackers.
Recommendations for Mitigation
To mitigate the risks associated with IoT-targeted botnets like Nexcorium, the following measures are recommended:
1. Regular Firmware Updates: Ensure all IoT devices are running the latest firmware versions to patch known vulnerabilities.
2. Change Default Credentials: Replace default usernames and passwords with strong, unique credentials to prevent unauthorized access.
3. Network Segmentation: Isolate IoT devices from critical network infrastructure to limit potential damage from compromised devices.
4. Monitor Network Traffic: Implement monitoring solutions to detect unusual network activity that may indicate a compromised device.
5. Disable Unnecessary Services: Turn off services like Telnet if they are not required, reducing potential attack vectors.
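The Telnet brute-forcing described above leaves a recognisable footprint in connection logs: one internal host opening TCP/23 to many distinct destinations in a short window. As an added example (not code from the article or the researchers), the following Python detector flags that fan-out; the log format, IP addresses and threshold are constructed assumptions.

```python
"""Flag LAN hosts that fan out over Telnet like a Mirai-style spreader."""
from collections import defaultdict

# Constructed connection-log lines (not a real capture). Assumed format:
# <timestamp> <src_ip> <dst_ip> <dst_port> <proto>
SAMPLE_LOG = """\
2024-06-01T10:00:01 192.168.1.50 203.0.113.10 23 tcp
2024-06-01T10:00:01 192.168.1.50 203.0.113.11 23 tcp
2024-06-01T10:00:02 192.168.1.50 203.0.113.12 23 tcp
2024-06-01T10:00:02 192.168.1.50 203.0.113.12 23 tcp
2024-06-01T10:00:03 192.168.1.50 203.0.113.13 23 tcp
2024-06-01T10:00:03 192.168.1.50 203.0.113.14 23 tcp
2024-06-01T10:00:04 192.168.1.50 203.0.113.15 23 tcp
2024-06-01T10:00:04 192.168.1.51 192.168.1.60 23 tcp
2024-06-01T10:00:05 192.168.1.51 192.168.1.61 23 tcp
2024-06-01T10:00:05 192.168.1.20 198.51.100.5 443 tcp
2024-06-01T10:00:06 192.168.1.20 198.51.100.5 23 udp
"""

TELNET_PORT = 23
DISTINCT_DST_THRESHOLD = 5  # assumed tuning value; a camera or DVR normally needs zero


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, proto)."""
    ts, src, dst, port, proto = line.split()
    return ts, src, dst, int(port), proto


def telnet_fanout(log_text):
    """Map each source IP to the set of distinct hosts it reached on TCP/23.

    Repeated attempts against the same destination (retries, wordlist
    iteration) collapse into one entry, so the count measures spread, not volume.
    """
    fanout = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, port, proto = parse_line(line)
        if proto == "tcp" and port == TELNET_PORT:
            fanout[src].add(dst)
    return fanout


def suspicious_sources(log_text, threshold=DISTINCT_DST_THRESHOLD):
    """Sources reaching >= threshold distinct Telnet endpoints, busiest first."""
    fanout = telnet_fanout(log_text)
    hits = [(src, len(dsts)) for src, dsts in fanout.items() if len(dsts) >= threshold]
    return sorted(hits, key=lambda hit: (-hit[1], hit[0]))


if __name__ == "__main__":
    for src, count in suspicious_sources(SAMPLE_LOG):
        print(f"{src}: {count} distinct Telnet destinations")
```

On the constructed sample only 192.168.1.50 crosses the threshold; lowering it to 2 also surfaces 192.168.1.51, which is the trade-off between catching an early-stage infection and paging on a legitimate management host.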
By adopting these practices, organizations and individuals can enhance the security posture of their IoT devices, reducing the likelihood of them being co-opted into malicious botnets.