<ul><li>The article discusses the exploitation of CVE-2024-3721 to deploy a Mirai bot on vulnerable DVR devices.</li><li>CVE-2024-3721 enables execution of system commands on TBK DVRs via a specific POST request.</li><li>The malicious POST request contains a shell script to download and execute an ARM32 binary.</li><li>The Mirai bot variant targeting DVR devices includes features like RC4 encryption and anti-VM checks.</li><li>RC4 key decryption is used to decrypt strings within the malware implant.</li><li>The implant conducts checks to detect if it is running within a virtual machine environment.</li><li>Infection statistics reveal that many infected DVR devices are located in countries like China, India, Egypt, and Ukraine.</li><li>Over 50,000 vulnerable DVR devices have been identified online, indicating a significant attack surface.</li><li>To mitigate such threats, updating vulnerable devices promptly and conducting factory resets for exposed devices is recommended.</li><li>Kaspersky products detect the threat as HEUR:Backdoor.Linux.Mirai and HEUR:Backdoor.Linux.Gafgyt.</li></ul>

Analysis of the latest Mirai wave exploiting TBK DVR devices with CVE-2024-3721

Discover more