The RCE vulnerability CVE-2024-7029 in AVTECH IP camera devices allows attackers to remotely execute commands with elevated privileges, which can be used to spread a Mirai variant on the target system. CISA issued an ICS advisory for this vulnerability due to its lack of attack complexity and known public exploitation.
The botnet campaign exploits a variety of vulnerabilities, including AVTECH vulnerabilities, a Hadoop YARN RCE, and older vulnerabilities like CVE-2014-8361 and CVE-2017-17215, which highlights the attackers’ tendency to leverage unpatched vulnerabilities, even if they are considered low-priority, to achieve their malicious goals.
The lack of CVE assignments for many recent vulnerabilities with RCE elements makes them hard to track and patch, which poses a significant security risk given the potential for remote code execution.
CVE-2024-7029 is a critical vulnerability in AVTECH IP cameras that allows attackers to execute arbitrary commands on the device by manipulating the “brightness” parameter in the “action=” URL parameter. Threat actors exploited it to spread a Mirai variant, a malicious IoT botnet with names related to the COVID-19 virus.
The exploit for CVE-2024-7029 has been publicly available since at least 2019, but it wasn’t assigned a CVE until August 2024. Active campaigns using this exploit have been observed since December 2023, with the first major campaign starting in March 2024.
The vulnerability could compromise the security of critical infrastructure entities worldwide, since these devices remain in use despite being discontinued. The affected devices are those running AVM1203 firmware versions FullImg-1023-1007-1011-1009.
The exploit leverages a vulnerability in the brightness function within the /cgi-bin/supervisor/Factory.cgi file. Because the brightness function does not properly validate or sanitize its input, manipulating the brightness parameter in the URL lets attackers inject malicious code, execute arbitrary commands on the vulnerable system, and gain unauthorized access.
The threat actor exploited a vulnerability to execute code remotely on the target system, then downloaded and ran a JavaScript file that fetched and loaded a Mirai malware variant, specifically the Corona Mirai variant.
This malware connected to numerous hosts through Telnet on specific ports and displayed the string “Corona” on the infected host.
The malware also targets Huawei devices with the CVE-2017-17215 exploit, sending a POST request to /ctrlt/DeviceUpgrade_1 that injects malicious commands via XML to download and execute a script from a command-and-control server.
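As an added example (not from the Akamai report or this page), the following Python log scanner flags the two request shapes described above in constructed access-log lines: Factory.cgi requests whose brightness parameter carries shell metacharacters, and POSTs to /ctrlt/DeviceUpgrade_1. The combined log format, the action=query value and all sample lines are assumptions made for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/nginx "combined"-style access log line (assumed format; samples below are constructed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d+)'
)

# Characters that never belong in a numeric brightness value but are needed to chain shell commands.
SHELL_META = re.compile(r'[;|&`$(){}<>\n]')

# Constructed sample log; IPs are documentation ranges, "action=query" is a placeholder value.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2024:10:15:32 +0000] "GET /cgi-bin/supervisor/Factory.cgi?action=query&brightness=50 HTTP/1.1" 200 512
192.0.2.11 - - [12/Mar/2024:10:16:01 +0000] "GET /cgi-bin/supervisor/Factory.cgi?action=query&brightness=1%3Bid HTTP/1.1" 200 512
192.0.2.12 - - [12/Mar/2024:10:16:30 +0000] "GET /cgi-bin/supervisor/Factory.cgi?action=query&brightness=1%253Bid HTTP/1.1" 200 512
198.51.100.7 - - [12/Mar/2024:10:17:45 +0000] "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1" 404 0
203.0.113.5 - - [12/Mar/2024:10:18:00 +0000] "GET /index.html HTTP/1.1" 200 1024
""".splitlines()


def classify(line):
    """Return a tag naming the exploitation pattern a log line matches, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, uri = m.group("method"), m.group("uri")
    parts = urlsplit(uri)
    path = unquote(parts.path)
    # CVE-2017-17215 (Huawei): exploitation arrives as a POST to this endpoint.
    if method == "POST" and path == "/ctrlt/DeviceUpgrade_1":
        return "huawei-deviceupgrade"
    # CVE-2024-7029 (AVTECH): command injection through the brightness parameter of Factory.cgi.
    if path == "/cgi-bin/supervisor/Factory.cgi":
        qs = parse_qs(parts.query, keep_blank_values=True)
        if "action" in qs:
            for value in qs.get("brightness", []):
                # parse_qs already percent-decodes once; decode again to catch double encoding.
                if SHELL_META.search(unquote(value)):
                    return "avtech-brightness-injection"
    return None


def scan(lines):
    """Return (source IP, tag) for every line that matches a known exploitation pattern."""
    return [(LOG_RE.match(l).group("ip"), classify(l)) for l in lines if classify(l)]
```

Run `scan(SAMPLE_LOG)` to see that the benign brightness=50 request is ignored while both the single- and double-encoded injection attempts and the Huawei POST are reported.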
The Akamai SIRT has identified a new attack trend: the exploitation of unpatched vulnerabilities that lack formal CVE assignments and are therefore often overlooked, yet pose significant security risks.
Malicious actors are leveraging these vulnerabilities to proliferate malware and compromise systems. To mitigate risks, organizations are advised to prioritize patching known vulnerabilities, decommission outdated hardware and software, and stay informed about emerging threats.