A critical security vulnerability in AVTECH IP cameras, identified as CVE-2024-7029, has been actively exploited by cybercriminals, turning affected devices into unwitting participants in a botnet. This high-severity flaw, which allows for remote code execution (RCE) through a command injection vulnerability in the camera’s brightness function, was initially exposed as a proof-of-concept exploit back in February 2019. Despite its long-standing presence, the vulnerability remained unpatched until recently, leaving numerous devices vulnerable to exploitation. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) highlighted the vulnerability in an alert published on August 1, 2024, emphasizing its low attack complexity and potential for significant damage.
The flaw impacts AVTECH IP camera models with firmware versions up to and including FullImg-1023-1007-1011-1009. Although these devices have been discontinued, they are still in use across various critical sectors including healthcare, financial services, and public infrastructure. The continued usage of these outdated devices underscores the pressing need for timely updates and patches to prevent such security breaches. The unpatched nature of this vulnerability has made it an attractive target for cybercriminals, who have used it to integrate compromised devices into a botnet for malicious purposes.
The exploitation of CVE-2024-7029 has been linked to a variant of the Mirai botnet, known as Corona. Cybercriminals have been utilizing this botnet to propagate malware by combining the AVTECH flaw with other known vulnerabilities, such as CVE-2014-8361 and CVE-2017-17215. The attack involves the botnet connecting to compromised devices through Telnet on various ports and deploying malware that identifies itself with the string ‘Corona.’ This sophisticated attack method allows cybercriminals to effectively leverage these compromised devices for further malicious activities, demonstrating the evolving and increasingly complex nature of cyber threats.
This development comes on the heels of other recent reports concerning sophisticated botnets, such as Quad7, which have been used for password-spraying attacks against Microsoft 365 accounts. The expansion of these botnets and their use of multiple vulnerabilities highlight the urgent need for organizations to enhance their cybersecurity practices. It is crucial for organizations using AVTECH or similar devices to take immediate action to patch vulnerabilities and secure their systems. Staying vigilant and proactive in cybersecurity efforts is essential to mitigating risks and protecting critical infrastructure from the growing threat landscape.
Reference:
