Unpatched CCTV Cameras Exploited to Spread Mirai Variant


An unpatched vulnerability found in CCTV cameras commonly used in critical infrastructure is being actively exploited to spread a Mirai variant malware, Akamai researchers have warned.

The flaw, CVE-2024-7029, is a command injection vulnerability in the brightness function of AVTECH CCTV cameras that allows remote code execution (RCE).

The vulnerability was highlighted in a Cybersecurity and Infrastructure Security Agency (CISA) industrial control system (ICS) advisory in August 2024, which cited its lack of attack complexity, remote exploitation and known public exploitation.


AVTECH IP camera devices are used worldwide, including by transportation and other critical infrastructure organizations.

The flaw has a CVSS score of 8.7, carrying a ‘High’ rating. A proof-of-concept (PoC) for CVE-2024-7029 has been publicly available since at least 2019, but the flaw was not assigned a CVE until August 2024.

There is currently no patch available.

How Attackers Exploit the CCTV Vulnerability

A botnet campaign spreading the Corona Mirai malware variant has been observed by Akamai to be exploiting CVE-2024-7029. The first observed active campaign began on March 18, 2024, but analysis shows that activity has taken place as early as December 2023.

Once it has gained a foothold, the botnet spreads a Mirai variant whose strings reference the COVID-19 virus; this variant has been observed since at least 2020.

The vulnerability can be executed remotely with elevated privileges.

In the highlighted campaign, the threat actors exploited the command injection vulnerability to download and run a JavaScript file to fetch and load the Mirai malware payload.

Upon execution, the malware connects to a large number of hosts through Telnet on ports 23, 2323, and 37215. It also prints the string “Corona” to the console on an infected host.
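One way to hunt for the behaviour described above from network telemetry, written for this page as an added example (it is not Akamai's code or tooling): group flow records by source and flag any host fanning out to many distinct destinations on the three Telnet ports the report names. The flow record format (`epoch src dst dport`), the threshold of 20 distinct destinations and the sample records are all constructed assumptions.

```python
"""Flag Mirai-style Telnet scanning in flow records (added example, not from the report)."""
from collections import defaultdict

# Ports the Corona Mirai variant uses for Telnet spreading, per the Akamai report.
MIRAI_TELNET_PORTS = {23, 2323, 37215}

# Distinct destinations per source before we call it a scanner: an assumed threshold,
# tune it to the normal Telnet footprint of your own network.
DISTINCT_DST_THRESHOLD = 20


def parse_flow(line):
    """Parse an assumed 'epoch src dst dport' flow record into a tuple."""
    ts, src, dst, dport = line.split()
    return ts, src, dst, int(dport)


def find_scanners(lines, threshold=DISTINCT_DST_THRESHOLD):
    """Return {src: (distinct_destinations, sorted_ports)} for sources that hit
    at least `threshold` distinct hosts on the Mirai Telnet ports."""
    targets = defaultdict(set)
    ports = defaultdict(set)
    for line in lines:
        _, src, dst, dport = parse_flow(line)
        if dport in MIRAI_TELNET_PORTS:
            targets[src].add(dst)
            ports[src].add(dport)
    return {
        src: (len(dsts), sorted(ports[src]))
        for src, dsts in targets.items()
        if len(dsts) >= threshold
    }


def build_sample_flows():
    """Constructed flow records (not real traffic) for running the check offline."""
    lines = []
    ts = 1710720000  # illustrative epoch timestamp
    # An infected camera sweeping 30 hosts, rotating through the three Telnet ports.
    port_cycle = sorted(MIRAI_TELNET_PORTS)
    for i in range(30):
        lines.append(f"{ts + i} 192.0.2.10 198.51.100.{i + 1} {port_cycle[i % 3]}")
    # An administrator host reaching three switches over Telnet: legitimate, below threshold.
    for i in range(3):
        lines.append(f"{ts + 100 + i} 192.0.2.5 203.0.113.{i + 1} 23")
    # Unrelated HTTPS traffic from the camera, ignored by the port filter.
    lines.append(f"{ts + 200} 192.0.2.10 203.0.113.50 443")
    return lines


if __name__ == "__main__":
    for src, (count, hit_ports) in find_scanners(build_sample_flows()).items():
        print(f"{src}: {count} distinct Telnet targets on ports {hit_ports}")
```

The threshold matters: with the default of 20 only the sweeping camera is reported, while dropping it to 3 would also flag the administrator host, so pick a value above the fan-out of your legitimate Telnet users before alerting on it.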

Akamai’s Security Intelligence and Response Team (SIRT) said it observed the campaign targeting several other, older vulnerabilities that often remain unpatched, including a Hadoop YARN RCE, CVE-2014-8361 (a Realtek SDK command injection) and CVE-2017-17215 (a Huawei HG532 router RCE).

The campaign demonstrates the “troubling” attacker trend of using older, likely low-priority, vulnerabilities that remain unpatched to fulfill a malicious purpose, the researchers noted.

“Malicious actors who operate these botnets have been using new or under-the-radar vulnerabilities to proliferate malware. CVE-2024-7029 is another example of using the latter, which is becoming an increasingly popular attack trend observed by the SIRT,” they wrote.

For vulnerabilities where there is no available patch and no other way of remediating the issue, the researchers advised organizations to decommission the impacted hardware and software.
