A new botnet has been identified by GreyNoise, a cybersecurity platform that collects and analyzes millions of data points from IP addresses that continuously scan the internet. The platform discovered that a network of compromised devices was seeking to expand by targeting TVT NVMS9000 DVRs, a digital video recorder used for video surveillance. Developed by TVT Digital, it centralizes the monitoring of multiple security cameras from a computer by storing and managing videos.
A critical security flaw exploited
To gain control of the recorders, cybercriminals are using a critical security flaw discovered last year by SSD Secure Disclosure, a company specializing in finding security flaws. The flaw “provides unauthenticated remote attackers with a wide range of information about the device, including - but not limited to - credentials (usernames and passwords) and network configuration,” the Israeli company says. With this data, it is obviously easy to take control of a device. Hackers gain full access to run commands as if they were administrators. GreyNoise says it has seen “a significant spike – 3 times that of typical activity – in exploitation attempts” against the recorders. On April 3, the number of attacks exploded, with more than 2,500 IP addresses involved in the takeover attempts. Last month, 6,600 different IP addresses were detected by GreyNoise.
A botnet similar to Mirai
The botnet is based on the source code of Mirai, a formidable malware that appeared almost a decade ago. The virus mainly targets connected objects, such as cameras, routers, or other smart objects, compromising them by taking advantage of default credentials or passwords that are too weak. The number of Mirai-based botnets exploded when the virus's source code was made available to all Internet users. A variant of Mirai is notably behind the most powerful DDoS attack ever seen, thwarted by Cloudflare.
Once it has taken control of the recorders, the botnet will use them to carry out malicious operations, such as DDoS attacks. Cybercriminals also use the compromised network under their control to mine cryptocurrencies without the owners' knowledge. Most cyberattacks originate from Taiwan, Japan, and South Korea. They mainly target devices located in the United States, the United Kingdom, and Germany.
To block cyberattacks, SSD Secure Disclosure recommends that all users install version 1.3.4 or later of their recorder firmware. As always, botnets thrive on devices that lack recent security updates. That's why it's essential to keep all your devices up to date. If one of your devices is outdated and not eligible for patches, it's time to consider replacing it.
Source: GreyNoise