Hackers have been actively exploiting a critical vulnerability in AVM1203 security cameras, manufactured by Taiwan-based company AVTECH, to spread the Mirai malware. Mirai is notorious for hijacking Internet of Things (IoT) devices, transforming them into botnets capable of launching powerful distributed denial-of-service (DDoS) attacks.
The vulnerability, identified as CVE-2024-7029, is a zero-day flaw that allows attackers to execute malicious code on these devices. The issue has been present for five years, but no patch is available since the AVM1203 is no longer supported by its manufacturer.
Since March, attackers have been taking advantage of this unpatched flaw to deploy a variant of the Mirai malware. Mirai first gained widespread attention in 2016 when it was used to bring down major websites, including Krebs on Security, by leveraging a botnet of compromised IoT devices.
The malware’s source code was later made public, enabling others to create their own botnets and launch DDoS attacks. The continued exploitation of this vulnerability underscores the enduring threat posed by IoT devices that are no longer maintained by their manufacturers.
The primary objective of the current attacks appears to be expanding the Mirai botnet for DDoS purposes. According to Kyle Lefton from Akamai’s Security Intelligence and Response Team, the attackers have been observed launching DDoS attacks against various unnamed organizations.
However, there is no evidence to suggest that the attackers are using the compromised cameras for anything beyond these attacks, such as spying on video feeds.
Akamai has been monitoring this malicious activity using a “honeypot” of devices designed to mimic the vulnerable cameras. This method has allowed the security team to capture the code used by the attackers, although it does not provide a clear picture of the total number of infected devices.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued an alert about the vulnerability, highlighting its potential to cause widespread disruption.
The vulnerability itself was first exposed in 2019, when exploit code became publicly available, but it only recently received the official designation CVE-2024-7029. The flaw is located in the “brightness argument in the ‘action=’ parameter,” allowing attackers to inject commands into the system. This discovery, made by Akamai researcher Aline Eliovich, has brought renewed attention to the risks posed by outdated IoT devices that remain vulnerable to exploitation.
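Because no patch exists for the AVM1203, defenders are left with detection and network-level controls. The following Python script is an added example, not code from the article or from Akamai: it scans web-server access-log lines for requests whose `action` or `brightness` parameter carries shell metacharacters, the kind of value that has no legitimate place in a numeric brightness setting. The CGI path in the sample log lines is a placeholder (the article does not name the endpoint), and the log lines themselves are constructed for the example.

```python
"""Flag command-injection attempts in the 'action' / 'brightness' query
parameters of a camera's web interface, using access-log lines as input.

Added example for illustration; the endpoint path is a placeholder and
the sample log lines are constructed, not captured traffic.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Shell operators and substitution syntax: none of these belongs in a plain
# action keyword or a numeric brightness value.
SHELL_META = re.compile(r"\$\(|\|\||&&|[;&|`$<>(){}\n\r]")

# Parameters the article identifies as the injection point.
WATCHED_PARAMS = ("action", "brightness")

# Combined-format access-log line; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (placeholder CGI path, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.10 - - [27/Aug/2024:10:00:01 +0000] "GET /cgi-bin/CAMERA_CGI_PLACEHOLDER?action=set&brightness=50 HTTP/1.1" 200 512
203.0.113.10 - - [27/Aug/2024:10:00:02 +0000] "GET /cgi-bin/CAMERA_CGI_PLACEHOLDER?action=get HTTP/1.1" 200 128
198.51.100.7 - - [27/Aug/2024:10:00:03 +0000] "GET /cgi-bin/CAMERA_CGI_PLACEHOLDER?action=set&brightness=50;id HTTP/1.1" 200 512
198.51.100.7 - - [27/Aug/2024:10:00:04 +0000] "GET /cgi-bin/CAMERA_CGI_PLACEHOLDER?action=set&brightness=50%3B%24(id) HTTP/1.1" 200 512
198.51.100.8 - - [27/Aug/2024:10:00:05 +0000] "GET /cgi-bin/CAMERA_CGI_PLACEHOLDER?action=set&brightness=abc HTTP/1.1" 400 64
this line is not an access-log record
"""


def parse_line(line):
    """Return (ip, request_target, status) for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("target"), int(m.group("status"))


def suspicious_params(target):
    """Return {param: decoded_value} for watched parameters whose value contains
    shell metacharacters, or a brightness value that is not a plain integer."""
    query = urlsplit(target).query
    # separator="&" is explicit: older parse_qs also split on ';', which would
    # silently cut an injected command off the value before it is inspected.
    # parse_qs percent-decodes once, so '%3B' is inspected as ';'.
    params = parse_qs(query, keep_blank_values=True, separator="&")
    hits = {}
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            value = unquote(value)  # second decode catches double-encoded input
            if SHELL_META.search(value):
                hits[name] = value
            elif name == "brightness" and not value.isdigit():
                hits[name] = value
    return hits


def scan(lines):
    """Scan log lines; return one finding per flagged parameter, in log order."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not an access-log record; skip rather than crash
        ip, target, status = parsed
        for param, value in suspicious_params(target).items():
            findings.append({"ip": ip, "param": param, "value": value, "status": status})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']} sent {f['param']}={f['value']!r} (HTTP {f['status']})")
```

Two details matter in practice: values must be percent-decoded before inspection, since `%3B` is the same `;` to the CGI once decoded, and a 200 response to a flagged request is a stronger signal than a 400, because it suggests the device accepted the value rather than rejecting it. Feeding real logs to `scan` is a matter of replacing `SAMPLE_LOG` with the file contents.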