Recommended reading

Watch out - your DVR box could be targeted by one of the nastiest botnets around

News
By published

Mirai operators are hunting for new devices, experts warn

Abstract image of robots working in an office environment including creating blueprint of robot arm, making a phone call, and typing on a keyboard
(Image credit: Getty Images)
  • Kaspersky warns multiple DVR devices are being targeted with malware
  • The malware assimilates the devices into a botnet, granting DDoS and proxy capabilities
  • The victims are scattered all over the world, and there seems to be no patch

If you are using TBK DVR-4104, DVR-4216, or any digital video recording device that uses these instances as its basis, you might want to keep an eye on your hardware because it’s being actively hunted.

Cybersecurity researchers at Kaspersky claim to have seen a year-old vulnerability in these devices being abused to expand the dreaded Mirai botnet.

In April 2024, security researchers found a command injection flaw in the devices listed above. As per the NVD, the flaw is tracked as CVE-2024-3721, and was given a severity score of 6.3/10 (medium). It can be triggered remotely and grants the attackers full control over the vulnerable endpoint. Soon after discovery, the flaw also got a Proof-of-Concept (PoC) exploit.

Victims around the world

Now, a year later, Kaspersky says it saw this same PoC being used to expand the Mirai botnet. The attackers are using the bug to drop an ARM32 malware which assimilates the device and grants the owners the ability to run distributed denial of service (DDoS) attacks, proxy malicious traffic, and more.

The majority of victims Kaspersky is seeing are located in China, India, Egypt, Ukraine, Russia, Turkey, and Brazil. However as a Russian company, Kaspersky’s products are banned in many Western countries, so its analysis could be somewhat skewed.

The number of potentially vulnerable devices was more than 110,000 in 2024, and has since dropped to around 50,000. While most definitely an improvement, it still means that the attack surface is rather large.

Usually, when a vulnerability like this is discovered, a patch soon follows. However, multiple media sources are claiming that it is “unclear” if makers TBK Vision patched the bug.

CyberInsider reports that multiple third-party brands use these devices as a basis for their models, further complicating patch availability, and stating that “it’s very likely that for most, there is no patch.”

Some of the brands are Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, and others.

Via BleepingComputer

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.