A new variant of the infamous Mirai botnet, known as Nexcorium, has been identified; it focuses on exploiting internet-connected video recording devices. This development is a significant concern in the cybersecurity community.
Exploitation of DVR Systems
Recent research from Fortinet’s FortiGuard Labs reveals that cybercriminals are utilizing a known vulnerability to compromise TBK DVR systems, forming a robust Distributed Denial-of-Service (DDoS) botnet. The specific devices targeted are TBK DVR-4104 and DVR-4216 models, which are vulnerable due to CVE-2024-3721, an operating system command injection flaw.
The attack involves manipulating device arguments to deploy a downloader script. The network traffic analysis shows a unique HTTP header, “X-Hacked-By: Nexus Team – Exploited By Erratic,” which has led researchers to attribute the attack to the so-called “Nexus Team” threat group.
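As an added defensive example (not Fortinet's code), the following Python flags HTTP requests carrying the "X-Hacked-By" marker quoted above, folding the en-dash/hyphen spelling and header-name case so logging variations do not hide it; the request paths and hosts in the sample traffic are constructed placeholders.

```python
"""Flag HTTP requests carrying the 'X-Hacked-By' marker reported for the
Nexcorium/TBK DVR exploitation (added example, not Fortinet's code)."""
import re
from typing import Dict, List

# Marker value quoted in the report; dashes, case and whitespace are
# normalised before comparison so hyphen/en-dash variants still match.
NEXUS_MARKER = "x-hacked-by: nexus team - exploited by erratic"

# Constructed sample traffic: raw HTTP requests as a sensor might log them.
SAMPLE_REQUESTS = [
    # constructed: marker with the en-dash as quoted in the report
    "POST /login HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    "X-Hacked-By: Nexus Team \u2013 Exploited By Erratic\r\nContent-Length: 0\r\n\r\n",
    # constructed: same marker, ASCII hyphen, lower-case header name
    "GET / HTTP/1.1\r\nHost: 192.0.2.11\r\n"
    "x-hacked-by: NEXUS TEAM - exploited by erratic\r\n\r\n",
    # constructed: benign request
    "GET /status HTTP/1.1\r\nHost: 192.0.2.12\r\nUser-Agent: curl/8.0\r\n\r\n",
]


def parse_headers(raw: str) -> Dict[str, str]:
    """Return header name -> value (names lower-cased) from a raw HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def normalise(text: str) -> str:
    """Lower-case, fold en/em dashes to '-', collapse whitespace."""
    text = text.lower().replace("\u2013", "-").replace("\u2014", "-")
    return re.sub(r"\s+", " ", text).strip()


def classify(raw: str) -> str:
    """'clean', 'nexus-team-marker' or 'unknown-x-hacked-by' for one request."""
    value = parse_headers(raw).get("x-hacked-by")
    if value is None:
        return "clean"
    if normalise("x-hacked-by: " + value) == NEXUS_MARKER:
        return "nexus-team-marker"
    return "unknown-x-hacked-by"


def scan(requests: List[str]) -> List[Dict[str, str]]:
    """Return one finding per request that carries any X-Hacked-By header."""
    return [{"host": parse_headers(r).get("host", "?"), "verdict": classify(r)}
            for r in requests if classify(r) != "clean"]
```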
Technical Aspects and Mechanisms
Fortinet’s investigation into Nexcorium’s structure highlights its similarities to traditional Mirai variants, particularly its use of XOR-encoded configurations and its modular design, with separate watchdog, scanning, and attack modules supporting its DDoS operations.
The botnet expands its reach by incorporating an older vulnerability, CVE-2017-17215, targeting Huawei routers, and executing Telnet-based brute-force attacks using known default credentials. For self-preservation, Nexcorium employs FNV-1a hashing to verify its integrity, duplicating itself under a new name if tampered with.
Persistence and Attack Strategies
To ensure continued access to infected systems, Nexcorium uses multiple persistence strategies. It modifies system files like /etc/inittab and /etc/rc.local, creates a systemd service, and sets scheduled tasks via crontab.
Once established, the botnet deletes its original binary to avoid detection. Its primary goal is to execute powerful DDoS attacks, utilizing a wide range of methods such as UDP, TCP, SMTP floods, and more advanced techniques like VSE query floods.
Implications and Recommendations
The emergence of Nexcorium underscores the ongoing threat posed by outdated IoT devices. Cybersecurity experts recommend immediate patching of CVE-2024-3721, changing default credentials, and employing network segmentation to protect against these vulnerabilities.
