Cyber Web Spider Blog – News

Emerging Nexcorium Botnet Exploits DVR Vulnerability


Posted on April 18, 2026 By CWS

A new variant of the infamous Mirai botnet, known as Nexcorium, has been identified, focusing on the exploitation of internet-connected video recording devices. This development is a significant concern in the cybersecurity community.

Exploitation of DVR Systems

Recent research from Fortinet’s FortiGuard Labs reveals that cybercriminals are utilizing a known vulnerability to compromise TBK DVR systems, forming a robust Distributed Denial-of-Service (DDoS) botnet. The specific devices targeted are TBK DVR-4104 and DVR-4216 models, which are vulnerable due to CVE-2024-3721, an operating system command injection flaw.

The attack involves manipulating device arguments to deploy a downloader script. The network traffic analysis shows a unique HTTP header, “X-Hacked-By: Nexus Team – Exploited By Erratic,” which has led researchers to attribute the attack to the so-called “Nexus Team” threat group.
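The header described above gives defenders a simple network indicator. The following is an added example, not code from Fortinet or from this article: it scans captured HTTP message heads for an X-Hacked-By header. The function names, the sample messages and the /placeholder path are constructed for illustration, and it assumes the dash in the header value may appear on the wire as either an ASCII hyphen or a typographic dash.

```python
import re

# Header name reported in the article; any value under it deserves an alert.
MARKER_HEADER = "x-hacked-by"
# Typographic dashes that a web page may have substituted for an ASCII hyphen.
_DASHES = re.compile("[\u2010-\u2015\u2212]")

def parse_head(raw: bytes):
    """Split one HTTP message head into (start_line, {header: [values]})."""
    # Accept bare-LF line endings, which embedded clients often send.
    text = raw.decode("utf-8", "replace").replace("\r\n", "\n")
    lines = text.split("\n\n", 1)[0].split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # ignore malformed lines without a colon
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def find_marker(messages):
    """Return (index, start_line, normalised_value) for each marked message."""
    hits = []
    for i, raw in enumerate(messages):
        start, headers = parse_head(raw)
        for value in headers.get(MARKER_HEADER, []):
            hits.append((i, start, _DASHES.sub("-", value)))
    return hits

# Constructed sample traffic (not captured from a real device).
SAMPLE = [
    b"GET /index.html HTTP/1.1\r\nHost: dvr.example\r\nUser-Agent: curl/8.0\r\n\r\n",
    b"POST /placeholder HTTP/1.1\r\nHost: dvr.example\r\n"
    b"x-hacked-by: Nexus Team - Exploited By Erratic\r\n\r\n",
    "GET / HTTP/1.1\nX-Hacked-By: Nexus Team \u2013 Exploited By Erratic\n\n".encode(),
]

if __name__ == "__main__":
    for hit in find_marker(SAMPLE):
        print(hit)
```

Matching on the header name rather than the full value keeps the check useful if the operators change the attribution string.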

Technical Aspects and Mechanisms

Fortinet’s investigation into Nexcorium’s structure highlights its similarities to traditional Mirai variants, particularly its use of XOR-encoded configurations and a modular architecture made up of watchdog, scanning, and attack modules for DDoS operations.

The botnet expands its reach by incorporating an older vulnerability, CVE-2017-17215, targeting Huawei routers, and executing Telnet-based brute-force attacks using known default credentials. For self-preservation, Nexcorium employs FNV-1a hashing to verify its integrity, duplicating itself under a new name if tampered with.

Persistence and Attack Strategies

To ensure continued access to infected systems, Nexcorium uses multiple persistence strategies. It modifies system files like /etc/inittab and /etc/rc.local, creates a systemd service, and sets scheduled tasks via crontab.

Once established, the botnet deletes its original binary to avoid detection. Its primary goal is to execute powerful DDoS attacks, utilizing a wide range of methods such as UDP, TCP, and SMTP floods, as well as more advanced techniques like VSE query floods.
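For incident responders, the persistence locations and the deleted-binary behaviour described above translate into two host checks. The following is an added example, not code from Fortinet or from this article: it collects autostart entries from the four locations named here, compares them with a known-good baseline, and lists processes whose executable has been unlinked. The function names, the /etc/systemd/system and /var/spool/cron search paths, and the baseline format are assumptions.

```python
import os
from pathlib import Path

def _lines(path):
    """Non-blank, non-comment lines of a file; empty list if unreadable."""
    try:
        text = Path(path).read_text(errors="replace")
    except OSError:
        return []
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def persistence_entries(root="/"):
    """Collect (source, command) pairs from the locations the article names."""
    root, found = Path(root), set()
    for ln in _lines(root / "etc/inittab"):
        parts = ln.split(":", 3)          # id:runlevels:action:process
        if len(parts) == 4 and parts[3]:
            found.add(("inittab", parts[3]))
    for ln in _lines(root / "etc/rc.local"):
        if ln != "exit 0":
            found.add(("rc.local", ln))
    for unit in (root / "etc/systemd/system").glob("*.service"):
        for ln in _lines(unit):
            if ln.startswith("ExecStart="):
                found.add((f"systemd:{unit.name}", ln.split("=", 1)[1]))
    cron_files = [root / "etc/crontab", *(root / "var/spool/cron").rglob("*")]
    for cf in cron_files:
        if cf.is_file():
            for ln in _lines(cf):
                found.add((f"cron:{cf.name}", ln))
    return found

def new_entries(root, baseline):
    """Entries present now but absent from a known-good baseline set."""
    return sorted(persistence_entries(root) - set(baseline))

def deleted_exe_pids(proc="/proc"):
    """PIDs whose on-disk binary was unlinked after launch (Linux /proc)."""
    pids = []
    for d in Path(proc).iterdir():
        if d.name.isdigit():
            try:
                if os.readlink(d / "exe").endswith(" (deleted)"):
                    pids.append(int(d.name))
            except OSError:
                continue  # kernel thread, exited process, or no permission
    return sorted(pids)
```

Record the baseline from a clean device or a fresh firmware image, and pass a mounted copy of the suspect filesystem as `root` so the audit does not rely on tools running on the compromised device.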

Implications and Recommendations

The emergence of Nexcorium underscores the ongoing threat posed by outdated IoT devices. Cybersecurity experts recommend immediate patching of CVE-2024-3721, changing default credentials, and employing network segmentation to protect against these vulnerabilities.
