A new variant of the Mirai botnet, known as Corona, is actively exploiting a five-year-old zero-day vulnerability in outdated AVTECH IP cameras. This critical security flaw, identified as CVE-2024-7029, poses a significant threat to organizations still using these discontinued devices, particularly in commercial, financial, healthcare, and transportation sectors.
Understanding the Vulnerability
CVE-2024-7029, discovered by Akamai researchers, received a high CVSS score of 8.7. The vulnerability affects the “Brightness” function in AVTECH AVM1203 IP cameras running firmware versions prior to FullImg-1023-1007-1011-1009. It allows unauthenticated attackers to inject malicious commands through specially crafted requests, potentially leading to remote code execution (RCE).
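Where these cameras still sit behind a logging proxy or gateway, the crafted requests described above can be hunted for in access logs. The following is an added example, not code from Akamai, CISA or AVTECH. It assumes the function is reached through a request parameter named `brightness` and a common/combined log format, and it uses a placeholder path and constructed log lines.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: the camera's "Brightness" function is reached through a request
# parameter named "brightness"; the page does not give the parameter or path.
PARAM = "brightness"
# A legitimate brightness setting is a small integer; anything else is suspect.
VALID_VALUE = re.compile(r"\d{1,3}")
# Source address and request line of a common/combined-format access log entry.
REQUEST = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_brightness(line):
    """Return (source, decoded_value) if the line carries a non-numeric brightness value."""
    m = REQUEST.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    # parse_qsl percent-decodes, so encoded separators (%3B, %7C, ...) are caught too.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() == PARAM and not VALID_VALUE.fullmatch(value):
            return m.group("src"), value
    return None

def scan(lines):
    """Collect every flagged (source, value) pair from an iterable of log lines."""
    return [hit for hit in map(suspicious_brightness, lines) if hit]

# Constructed sample log lines (documentation addresses, placeholder path).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Mar/2024:10:00:01 +0000] "GET /PLACEHOLDER.cgi?brightness=40 HTTP/1.1" 200 12',
    '198.51.100.7 - - [18/Mar/2024:10:00:05 +0000] "GET /PLACEHOLDER.cgi?brightness=1%3Becho%20test HTTP/1.1" 200 12',
    '203.0.113.9 - - [18/Mar/2024:10:00:09 +0000] "GET /PLACEHOLDER.cgi?Brightness=5%7Cecho HTTP/1.1" 200 12',
    '192.0.2.10 - - [18/Mar/2024:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for src, value in scan(SAMPLE_LOG):
        print(f"ALERT src={src} brightness={value!r}")
```

Because no patch exists for these devices, a hit is a reason to pull the camera and check it for compromise, not a substitute for replacing it.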
Implications for Users
The affected AVTECH AVM1203 cameras have been out of production since 2019, with their support lifecycle ending in the same year. As a result, no patches are available or planned for this vulnerability, leaving users of these devices exposed to potential attacks.
CISA’s Warning
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about CVE-2024-7029, noting that publicly available exploits already exist. This underscores the urgency for organizations to address the issue promptly.
Corona Botnet: A Deeper Look
Corona, a Mirai-based malware, has been active since at least 2020. It targets various IoT devices by exploiting known vulnerabilities. As of March 18, 2024, Corona has incorporated CVE-2024-7029 into its arsenal, specifically targeting vulnerable AVTECH AVM1203 IP cameras.
Attack Methodology
Akamai’s honeypots detected Corona’s attacks, which follow this pattern:
- Exploit CVE-2024-7029 to gain initial access
- Download and execute a malicious JavaScript file
- Use the JavaScript to deploy the main botnet payload
- Connect to command and control (C2) servers
- Await instructions for potential DDoS attacks
Broader Impact on IoT Security
Corona’s activities highlight the ongoing challenges in securing Internet of Things (IoT) devices. The botnet also exploits vulnerabilities in other IoT devices, demonstrating the widespread nature of the threat. This situation underscores the importance of regular security updates and the risks associated with using outdated, unsupported hardware.
Organizations and individuals using AVTECH AVM1203 IP cameras are strongly advised to disconnect these devices immediately and replace them with newer, supported models. This proactive approach is crucial in mitigating the risk of compromise and potential inclusion in botnet operations. As the IoT landscape continues to evolve, maintaining up-to-date and secure devices remains a critical aspect of overall cybersecurity strategy.