Mirai variant Nexcorium hits DVRs
- A Mirai botnet variant named Nexcorium is hijacking TBK DVRs and end‑of‑life TP‑Link routers.
- Fortinet FortiGuard Labs and Palo Alto Unit 42 researchers say the exploit helps the malware expand DDoS botnets.
- The compromise targets cheap DVRs and legacy routers common in small commercial security estates, creating blind spots and takeover risk. (news.fyself.com)
A botnet called Nexcorium is hijacking internet-connected video recorders and aging routers, turning surveillance gear into machines for denial-of-service attacks. (fortinet.com)

Fortinet’s FortiGuard Labs said on April 17 that attackers are exploiting CVE-2024-3721, a critical command-injection flaw in TBK DVR devices, to install a multi-architecture Mirai variant named Nexcorium. Fortinet had already logged more than 60,000 detection events tied to exploitation of that TBK flaw in its earlier outbreak alert. (fortinet.com) (fortiguard.fortinet.com)

A digital video recorder, or DVR, is the box that stores footage from security cameras; a botnet is a crowd of hacked devices that can all be ordered to flood a target with traffic at once. Fortinet said the TBK bug lets an unauthenticated attacker send a crafted web request that runs commands on the recorder remotely. (nvd.nist.gov) (fortiguard.fortinet.com)

Fortinet said the malware does not stop with one device. After landing on a TBK recorder, Nexcorium scans for more targets, brute-forces Telnet logins, and tries older router and camera exploits to pull additional devices into the same network of bots. (fortinet.com)

That is the Mirai playbook: compromise cheap Linux-based gear, keep the code small enough to run on many processor types, and use the resulting swarm for distributed denial-of-service, or DDoS, attacks. Mirai has kept resurfacing since its source code was released publicly in late 2016. (fortinet.com) (krebsonsecurity.com)

The TP-Link angle comes from another long-abused bug, CVE-2023-1389, in Archer AX21 routers. TP-Link said in April 2023 that Mirai operators had added that remote-code-execution flaw to their arsenal and urged customers to install updated firmware. (tp-link.com) (nvd.nist.gov)

Unit 42 at Palo Alto Networks has documented the same broader pattern before: Mirai operators chain together multiple known Internet of Things flaws because old routers, cameras, and security appliances stay exposed online long after patches exist. In its 2023 report, Unit 42 said attackers were already using a long list of IoT vulnerabilities to spread Mirai variants across device families. (unit42.paloaltonetworks.com)

The immediate risk is not only traffic attacks against outside victims. A hijacked recorder can also become a blind spot inside a small business, because the same box that stores camera footage is now running attacker code. (fortinet.com)

Fortinet’s remediation advice is blunt: disconnect exposed TBK DVR-4104 and DVR-4216 units from the internet, apply firmware if one exists, and replace hardware that no longer receives fixes. Nexcorium’s spread depends on devices that stay online after their support life is effectively over. (community.fortinet.com) (filestore.fortinet.com)
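The Telnet brute-forcing described above is the part of the spread that a small estate can actually see in its own logs: a burst of failed logins from one source against one recorder or router, sometimes followed by a success. The script below is an added example written for this article, not code from Fortinet, Unit 42 or any vendor. It assumes a syslog-like line format (timestamp, hostname, service, result, user, source IP) and runs over constructed sample lines with hypothetical hostnames and documentation-range IP addresses; real DVR and router logs will need the regular expression adjusted to their own format.

```python
"""Flag Telnet brute-force bursts in device logs and note a login that follows one.

Added example for this article; the log format and hostnames are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (hypothetical hosts, documentation-range IPs):
# five rapid failures on one DVR from one source, then a success; two
# widely spaced failures on a router; one SSH failure that is out of scope.
SAMPLE_LOG = """\
2024-04-17T10:00:01 dvr-lobby telnetd: login failed for 'root' from 198.51.100.7
2024-04-17T10:00:02 dvr-lobby telnetd: login failed for 'admin' from 198.51.100.7
2024-04-17T10:00:02 dvr-lobby telnetd: login failed for 'support' from 198.51.100.7
2024-04-17T10:00:03 dvr-lobby telnetd: login failed for 'user' from 198.51.100.7
2024-04-17T10:00:04 dvr-lobby telnetd: login failed for 'guest' from 198.51.100.7
2024-04-17T10:00:05 dvr-lobby telnetd: login succeeded for 'root' from 198.51.100.7
2024-04-17T10:05:00 router-edge telnetd: login failed for 'admin' from 192.0.2.10
2024-04-17T10:30:00 router-edge telnetd: login failed for 'admin' from 192.0.2.10
2024-04-17T11:00:00 dvr-lobby sshd: login failed for 'root' from 203.0.113.9
"""

# Assumed line shape: "<iso-timestamp> <host> <service>: login <result> for '<user>' from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<svc>\w+): login (?P<result>failed|succeeded) "
    r"for '(?P<user>[^']*)' from (?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for a recognised login line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_telnet_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per (source, host) pair whose Telnet login failures reach
    `threshold` within a sliding `window`; the alert records whether a successful
    login from the same source followed the burst, which is the takeover signal."""
    recent = defaultdict(deque)  # (src, host) -> timestamps of failures still inside the window
    alerts = {}                  # (src, host) -> alert dict, created on the first threshold hit
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["svc"] != "telnetd":
            continue  # unparsable line or a non-Telnet service
        key = (rec["src"], rec["host"])
        if rec["result"] == "failed":
            q = recent[key]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:
                q.popleft()  # drop failures that have aged out of the window
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {
                    "src": rec["src"],
                    "host": rec["host"],
                    "failures": len(q),
                    "first": q[0],
                    "last": rec["ts"],
                    "login_after_burst": False,
                }
        elif key in alerts:
            alerts[key]["login_after_burst"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_telnet_bruteforce(SAMPLE_LOG):
        state = "LOGIN AFTER BURST" if alert["login_after_burst"] else "burst only"
        print(f"{alert['host']} <- {alert['src']}: {alert['failures']} failures, {state}")
```

The threshold and window are deliberately parameters: a credential-stuffing sweep of the kind Mirai variants run fires well inside a minute, while the two widely spaced router failures in the sample stay below the default and only surface if the window is widened. Any device that trips the rule is a candidate for the remediation the article quotes: take it off the internet, patch if firmware exists, and replace it if it no longer receives fixes.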