Old DVRs and Routers Fueling New Mirai Botnet Attacks

Apr 20, 2026 1 min read by Ciro Simone Irmici

A new Mirai variant, Nexcorium, is turning unpatched TBK DVRs and end-of-life TP-Link routers into a massive botnet for DDoS attacks. Update your devices or unplug them to stay safe.

Many homes have older electronics, like security camera DVRs or Wi-Fi routers, that are often forgotten once set up. These seemingly harmless devices, if outdated and unpatched, are now prime targets for cybercriminals. This oversight can turn your home tech into a weapon for large-scale cyberattacks, impacting internet stability for everyone and potentially degrading your own network performance.

The Quick Take

  • A new Mirai botnet variant, identified as Nexcorium, is actively being deployed.
  • It primarily targets TBK DVR systems by exploiting a known vulnerability (CVE-2024-3721).
  • End-of-life (EoL) TP-Link Wi-Fi routers are also being compromised due to lack of security updates.
  • The goal is to build a large Distributed Denial-of-Service (DDoS) botnet.
  • These findings come from cybersecurity research by Fortinet FortiGuard Labs and Palo Alto Networks Unit 42.

What's Happening

Cybersecurity researchers from Fortinet FortiGuard Labs and Palo Alto Networks Unit 42 have identified a concerning new variant of the notorious Mirai botnet, which they've dubbed "Nexcorium." This sophisticated threat is actively exploiting known security vulnerabilities in specific hardware, turning everyday internet-connected devices into components of a massive distributed denial-of-service (DDoS) attack network.

The primary targets for the Nexcorium botnet include TBK DVR systems, which are being compromised through an unpatched security flaw, specifically CVE-2024-3721. This vulnerability allows attackers to gain unauthorized access and control over the devices. In addition to DVRs, the Nexcorium botnet is preying on end-of-life (EoL) TP-Link Wi-Fi routers. These routers, no longer receiving security updates from the manufacturer, present easy targets for exploitation due to their known, unpatched weaknesses. Once infected, these devices become part of a larger network controlled by threat actors, ready to launch disruptive attacks against online services and websites globally.

Why It Matters

This development is a stark reminder that cybersecurity isn't just about protecting your computer or smartphone; it extends to every internet-connected device in your home. Many people install a home security camera system or a Wi-Fi router and rarely think about updating its software or even its security status over time. This "set it and forget it" mentality is exactly what threats like Nexcorium exploit, turning your personal devices into unwitting participants in cybercrime.

For the everyday user, this means two critical things. First, your internet connection and device performance could be subtly degraded if your devices are compromised, as they'll be busy sending attack traffic as part of the botnet. This can lead to slower browsing, intermittent connectivity, or even an increase in your internet bill if you have data caps. Second, and more broadly, these botnets contribute to a less stable and secure internet environment for everyone. When a botnet launches a DDoS attack, it can take down popular websites, online services, and even parts of the internet infrastructure, disrupting commerce, communication, and essential services for millions.

The targeting of end-of-life devices is particularly insidious. Manufacturers eventually stop supporting older products, meaning no new security patches are issued, leaving them permanently vulnerable to newly discovered or previously unpatched flaws. This highlights the importance of understanding the lifecycle of your technology and proactively replacing or securely decommissioning devices that are no longer supported. Ignoring these older gadgets is no longer an option in today's increasingly connected and threatened digital landscape.

What You Can Do

  • Identify and Update Devices: Check if you own any TBK DVR systems or older TP-Link routers. Immediately visit the manufacturer's website for your specific model and check for available firmware updates. Apply any updates promptly.
  • Replace End-of-Life (EoL) Hardware: If your devices, especially routers, modems, or IoT gadgets, are designated as EoL by the manufacturer and no longer receive security updates, consider replacing them with newer, actively supported models to ensure ongoing protection.
  • Isolate IoT Devices: Create a separate "guest" or IoT network on your router, if supported, to isolate smart devices from your main home network. This limits potential damage and prevents lateral movement if one device is compromised.
  • Change Default Passwords: Ensure all your IoT devices, including DVRs, routers, and smart home gadgets, use strong, unique passwords that are not the default manufacturer settings. Never use simple or common passwords.
  • Enable Automatic Updates: Where possible, enable automatic firmware or software updates for your internet-connected devices to ensure they receive crucial security patches as soon as they become available.
  • Unplug Unused Devices: If you have old DVRs, routers, smart hubs, or other internet-connected gadgets that you no longer use, unplug them from power and the internet to eliminate them as potential attack vectors entirely.

Common Questions

Q: What is a Mirai botnet?

A: A Mirai botnet is a network of internet-connected devices (like smart cameras, routers, or DVRs) that have been infected with malicious software, allowing cybercriminals to control them to launch large-scale cyberattacks, such as disrupting websites with floods of traffic (DDoS attacks).

Q: How do I know if my device is "end-of-life" (EoL)?

A: You can usually find this information on the manufacturer's official support website by searching for your specific device model. They often have dedicated sections or lists indicating product support status and end-of-life dates. If your device is EoL, it means it no longer receives security updates.

Q: Can a compromised device affect my personal data?

A: While a botnet like Mirai primarily uses your device's internet connection for attacks, a compromised device could potentially be a gateway for further breaches into your home network. It's best to treat any infected device as a security risk and take immediate action to secure or remove it, even if personal data isn't the primary target.

Sources

Based on content from The Hacker News.

Key Takeaways

  • A new Mirai variant, Nexcorium, targets TBK DVRs (CVE-2024-3721) and EoL TP-Link routers.
  • Compromised devices are covertly recruited into a botnet for Distributed Denial-of-Service (DDoS) attacks.
  • Many everyday IoT devices in homes are vulnerable due to neglected updates or their end-of-life status.
  • Users should proactively identify, update, or replace outdated internet-connected hardware to prevent their devices from being weaponized.
  • Securing home IoT is crucial not only for personal digital safety but also for the collective stability and health of the internet.