2024-12-24
A new variant of the infamous Mirai botnet has emerged, actively exploiting a previously undocumented zero-day vulnerability in DigiEver DS-2105 Pro NVRs. This campaign, which began in October, also targets TP-Link routers and Teltonika RUT9XX routers, leveraging known vulnerabilities.
The DigiEver vulnerability, an unpatched remote code execution (RCE) flaw, lets attackers take control of the device through command injection: crafted values placed in HTTP request parameters, such as the ‘ntp’ field, are passed to the underlying system without adequate validation.
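The defensive counterpart to the flaw described above, as an added example that is not from the original report or from DigiEver: a strict allow-list for an NTP server setting (the check the device should apply before the value reaches a shell), plus the same check run over constructed web-server access-log lines to flag requests whose ‘ntp’ parameter carries anything other than a hostname or IPv4 address. The CGI path and log lines are placeholders constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Allow-list for an NTP server setting: a hostname or dotted IPv4 and nothing
# else, so no shell metacharacter (; | ` $ & newline ...) can pass through.
_NTP_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
# Pulls the request target out of a Common-Log-Format request line.
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def valid_ntp_value(value: str) -> bool:
    """Strict allow-list a device should apply to an 'ntp' value before it
    gets anywhere near system() or a shell."""
    return _NTP_RE.match(value) is not None

def flag_injection(log_line: str, watched=("ntp",)) -> dict:
    """Return watched query parameters from one access-log line whose decoded
    value fails the allow-list; an empty dict means nothing suspicious."""
    m = _REQ_RE.search(log_line)
    if not m:
        return {}
    params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    return {k: v for k, vs in params.items() if k in watched
            for v in vs if not valid_ntp_value(v)}

# Constructed sample lines; the CGI path is a placeholder, not the real device's.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Dec/2024:10:01:02 +0000] "GET /cgi-bin/settings.cgi?ntp=pool.ntp.org HTTP/1.1" 200 512',
    '10.0.0.5 - - [24/Dec/2024:10:01:09 +0000] "GET /cgi-bin/settings.cgi?ntp=192.168.1.1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/Dec/2024:10:02:31 +0000] "GET /cgi-bin/settings.cgi?ntp=0.0.0.0%3Bid HTTP/1.1" 200 77',
    '203.0.113.7 - - [24/Dec/2024:10:02:40 +0000] "GET /cgi-bin/settings.cgi?ntp=%60id%60 HTTP/1.1" 200 77',
]

def scan(lines):
    """Return (client_ip, {param: bad_value}) for each line that trips the check."""
    return [(ln.split()[0], hits) for ln in lines if (hits := flag_injection(ln))]

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG):
        print(f"{ip}: {hits}")
```

The same `valid_ntp_value` check applies to parameters sent in a POST body, which an access log does not record; apply it at the device or reverse proxy where the body is visible.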
Similar to the original Mirai, the new variant employs sophisticated encryption techniques, including XOR and ChaCha20, to evade detection. It also exhibits versatility, targeting a wide range of device architectures, including x86, ARM, and MIPS.
This campaign highlights the ongoing threat posed by Mirai and its variants. By continuously evolving and targeting new vulnerabilities, these botnets remain a significant challenge for network security.
What Undercode Says:
This Mirai variant demonstrates several concerning trends in the botnet landscape.
Exploitation of Zero-Days: The targeting of an unpatched vulnerability in DigiEver NVRs underscores the importance of timely security updates and responsible disclosure practices. Vendors must proactively patch critical vulnerabilities to prevent exploitation by malicious actors.
Increased Sophistication: The use of advanced encryption techniques like ChaCha20 indicates a growing level of sophistication among botnet operators. This makes it more difficult to detect and analyze malicious traffic, hindering threat response efforts.
Diversification of Targets: By targeting a diverse range of devices, from network video recorders to routers, these botnets maximize their impact and increase their potential for disruption. This highlights the need for a comprehensive approach to IoT security, encompassing all connected devices within an organization.
Furthermore, the campaign underscores the critical role of vulnerability research and responsible disclosure. The initial discovery of the DigiEver vulnerability by researcher Ta-Lun Yen highlights the importance of sharing security research findings with vendors and the broader security community.
This incident serves as a stark reminder of the constant evolution of cyber threats. Organizations must implement robust security measures, including regular security assessments, vulnerability scanning, and intrusion detection systems, to protect their networks from these evolving threats.
Disclaimer: This analysis is based on the provided information and may not encompass all aspects of the campaign.
References:
Reported By: Bleepingcomputer.com