In a significant cybersecurity development, the notorious Mirai botnet has resurfaced, actively exploiting critical command injection vulnerabilities in discontinued GeoVision Internet of Things (IoT) devices. This campaign leverages two severe vulnerabilities—CVE-2024-6047 and CVE-2024-11120—that were initially disclosed in June and November 2024, respectively. Despite their identification, these vulnerabilities remained largely unexploited until recently, leaving numerous devices susceptible to attacks.
Understanding the Vulnerabilities
The vulnerabilities in question allow unauthenticated remote attackers to inject and execute arbitrary system commands on targeted devices. Specifically, the exploit targets the `/DateSetting.cgi` endpoint in GeoVision IoT devices, injecting malicious commands through the `szSrvlpAddr` parameter, whose value the endpoint passes on to the system without proper sanitization. This oversight provides a gateway for malware propagation, enabling attackers to gain control over the affected devices.
Scope of the Threat
The impact of this exploitation is particularly concerning due to the widespread use of GeoVision devices in various sectors, including surveillance and security. Many of these devices have reached their end-of-life status and no longer receive security updates or patches. This situation exemplifies a persistent issue in the IoT industry, where older, unsupported devices remain operational in production environments, thereby expanding the attack surface for threat actors.
According to reports, approximately 17,000 GeoVision devices are exposed online and vulnerable to these exploits. The majority of these devices are located in the United States, with significant numbers also in Germany, Canada, Taiwan, Japan, Spain, and France. This widespread distribution amplifies the potential impact of coordinated attacks, as compromised devices can be leveraged for large-scale Distributed Denial-of-Service (DDoS) attacks or unauthorized cryptocurrency mining operations.
The Mirai Botnet and Its Evolution
The Mirai botnet, first discovered in 2016, is infamous for infecting IoT devices and using them to launch massive DDoS attacks. It continuously scans the internet for vulnerable IoT devices, exploiting default credentials to gain access. Once infected, devices become part of the botnet, often without the owner’s knowledge, and can be used to disrupt services or mine cryptocurrencies.
In this recent campaign, a variant of the Mirai botnet, identified as LZRD, has been observed targeting multiple vulnerabilities beyond the GeoVision devices, including previously reported DigiEver vulnerabilities. The infection process begins when attackers send specially crafted HTTP requests to vulnerable devices, exploiting the `/DateSetting.cgi` endpoint. The payload injects commands into the `szSrvlpAddr` parameter, leading to the download and execution of an ARM-based Mirai malware file named boatnet, a name commonly used by Mirai variants.
Indicators of Compromise
System administrators should be vigilant for signs of compromise, which may include:
– Excessive device heating
– Sluggish or unresponsive device performance
– Unexpected configuration changes
If any of these symptoms are observed, immediate action is crucial to mitigate potential damage.
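The physical symptoms above appear only after infection; the request pattern described earlier (commands injected through `szSrvlpAddr` on `/DateSetting.cgi`) can be spotted at the network edge. The following added example, which is not from the article or from GeoVision, scans web-server or reverse-proxy access logs for that pattern. It assumes the parameter appears in the query string and uses constructed sample log lines; a legitimate value for this setting is a hostname or IP literal, so anything else is flagged.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not taken from the article.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jun/2025:10:00:01 +0000] "POST /DateSetting.cgi?szSrvlpAddr=time.nist.gov HTTP/1.1" 200 512
198.51.100.7 - - [01/Jun/2025:10:00:02 +0000] "GET /DateSetting.cgi?szSrvlpAddr=203.0.113.5%3Bid HTTP/1.1" 200 512
198.51.100.7 - - [01/Jun/2025:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Pulls the client address and the request target out of one log line.
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# A legitimate time-server setting is a hostname or IP literal: letters, digits,
# dots, hyphens and colons only. Shell metacharacters (; | ` $ & etc.) never belong here,
# so an allowlist is used rather than a list of known-bad characters.
SAFE_VALUE_RE = re.compile(r'^[A-Za-z0-9.\-:]{1,253}$')

def inspect_line(line):
    """Return (source_ip, decoded_value) for a suspicious /DateSetting.cgi request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != "/DateSetting.cgi":
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("szSrvlpAddr", [])
    for raw in values:
        # parse_qs already decodes once; a second pass catches double-encoded payloads.
        decoded = unquote(raw)
        if not SAFE_VALUE_RE.match(decoded):
            return (m.group("src"), decoded)
    return None

def find_suspicious(log_text):
    """Scan a block of log text and return every (source_ip, decoded_value) hit."""
    hits = []
    for line in log_text.splitlines():
        hit = inspect_line(line)
        if hit:
            hits.append(hit)
    return hits

if __name__ == "__main__":
    for src, val in find_suspicious(SAMPLE_LOG):
        print(f"suspicious /DateSetting.cgi request from {src}: szSrvlpAddr={val!r}")
```

If the device accepts the parameter in a POST body, the query string will be empty and the check must run on a proxy or WAF that logs request bodies.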
Mitigation Strategies
Given the severity of the threat and the lack of available patches for end-of-life devices, the following mitigation strategies are recommended:
1. Device Replacement: Replace vulnerable devices with supported models that receive regular security updates.
2. Network Segmentation: Isolate vulnerable devices on a dedicated Local Area Network (LAN) or subnet to limit potential exposure.
3. Access Controls: Implement strict firewall rules to limit remote access to these devices.
4. Disable Unnecessary Features: Turn off remote access panels and disable any unnecessary or vulnerable features.
5. Regular Monitoring: Continuously monitor network traffic and device behavior for signs of compromise.
6. Change Default Credentials: Immediately change default usernames and passwords to strong, unique credentials.
Conclusion
The resurgence of the Mirai botnet exploiting GeoVision IoT device vulnerabilities underscores the critical importance of maintaining up-to-date security measures and promptly addressing known vulnerabilities. Organizations must assess their IoT device inventory, decommission unsupported hardware, and implement robust security practices to protect against such pervasive threats.