
Discarded IP cameras are being used to spread the new Mirai botnet • The Register

A number of IP cameras that are still in use around the world, although they passed their end of life long ago, have been abused to build a new Mirai botnet.

The vulnerability (CVE-2024-7029, CVSS 8.7) was reported to CISA by security researchers at Akamai, who said the campaign they discovered exploiting this remote code execution (RCE) flaw in AVTECH AVM1203 IP cameras has been active since early 2024, although the vulnerability itself is much older.

“The proof of concept (PoC) for CVE-2024-7029 has been publicly available since at least 2019, but never had a proper CVE assignment until August 2024,” wrote Akamai threat researchers Aline Eliovich, Kyle Lefton and Larry Cashdollar.

Support for the AVTECH AVM1203 also ended in 2019, and the manufacturer does not appear to be planning a patch.

The exploit requires no authentication: it abuses a flaw in the camera's “brightness” argument of the “action=” parameter to inject commands that run with the same privileges as the device's owner.
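As an added detection example (not Akamai's or AVTECH's code), the following scans web-server access logs for requests whose brightness argument under action= carries shell metacharacters. The Common Log Format, the /cgi-bin/camera path and the sample log lines are assumptions constructed for this example; only the parameter names come from the description above.

```python
"""Flag access-log lines whose "brightness" argument (inside an
"action=" request) contains shell metacharacters, the CVE-2024-7029
pattern. Added example; log format, path and samples are assumed."""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Characters that let a value break out of a shell command built from it.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\]")
# Common Log Format (assumed): client, ident, user, [time] "METHOD path proto" status
CLF_REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\w+) (\S+) [^"]*" (\d{3})')

def inspect_request(path: str) -> Optional[dict]:
    """Return details when an action= request carries a brightness value
    with shell metacharacters; otherwise None."""
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    if "action" not in params or "brightness" not in params:
        return None
    for value in params["brightness"]:          # parse_qs already URL-decodes
        meta = sorted(set(SHELL_META.findall(value)))
        if meta:
            return {"action": params["action"][0], "brightness": value,
                    "metacharacters": meta}
    return None

def scan_access_log(lines):
    """Yield (client_ip, status, finding) for each suspicious log line."""
    for line in lines:
        m = CLF_REQUEST.match(line)
        if not m:
            continue
        ip, _method, path, status = m.groups()
        finding = inspect_request(path)
        if finding:
            yield ip, int(status), finding

# Constructed sample lines; the /cgi-bin/camera path is made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Aug/2024:10:01:02 +0000] "GET /cgi-bin/camera?action=set&brightness=5 HTTP/1.1" 200 12',
    '198.51.100.9 - - [28/Aug/2024:10:01:07 +0000] "GET /cgi-bin/camera?action=set&brightness=5%3Bid HTTP/1.1" 200 84',
    '198.51.100.9 - - [28/Aug/2024:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 512',
]

def findings_for(lines=SAMPLE_LOG):
    return list(scan_access_log(lines))

if __name__ == "__main__":
    for ip, status, f in findings_for():
        print(f"{ip} status={status} action={f['action']} "
              f"brightness={f['brightness']!r} meta={f['metacharacters']}")
```

A hit with a 200 status on an end-of-life camera is a strong signal that the device should be isolated and checked for Mirai activity.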

“Although production of the model in question has been discontinued for several years, these devices are still in use around the world, including by transportation authorities and other critical infrastructure facilities,” Akamai notes.

Several other old, well-known vulnerabilities are also being exploited to spread the Mirai variant, which Akamai says appears to be the same COVID-19 version that has circulated since 2020.

Other vulnerabilities exploited to spread the botnet include a Hadoop YARN RCE, a 10-year-old CVSS 9.8 vulnerability in the Realtek SDK (CVE-2014-8361), and a well-documented bug in Huawei HG532 routers (CVE-2017-17215).

Given that other vulnerabilities exist in outdated software and hardware, treat this whole story as a reminder not to leave end-of-life devices and outdated software on your networks.

Critical vulnerabilities of the week

This week we bring you two fairly serious CVEs that are being actively exploited: one in Apache OFBiz and the other in Google Chrome's V8.

In the first case, CVE-2024-38856 affects Apache's open source ERP platform. With a CVSS score of 9.8, this issue in all OFBiz versions up to 18.12.14 lets unauthenticated endpoints incorrectly execute screen-rendering code, owing to an incorrect authorization flaw.

In the second case, the V8 JavaScript engine in Chrome versions prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a malicious HTML page. The vulnerability is tracked as CVE-2024-7965 with a CVSS score of 8.8.

Add another half a million to those MOVEit numbers

It's been a while since we've had to report a new MOVEit victim, and yet here we are.

Texas Dow Employees Credit Union filed a data breach notification in Maine last week, revealing that the data of 500,474 customers was exposed when MOVEit was compromised in May 2023.

TDECU said it took immediate action to contain the problem once notified, although the matter was apparently not discovered until late July 2024.

Unlike other victims of the MOVEit data breach, TDECU's internal systems were not compromised. However, that does not change the fact that valuable data was stolen, including names, dates of birth, social security numbers, government ID numbers, bank account information, and other sensitive personal information.

With nearly 80 million people affected by the MOVEit breach and more victims still coming forward, the final tally remains unclear.

US intelligence offers $2.5 million bounty for Belarusian hacker

A few weeks after the arrest of a notorious Belarusian-Ukrainian hacker, the US government has offered a large reward for information leading to the capture of one of his close associates.

The US secret service has offered a reward of up to $2.5 million for Volodymyr Kadariya, one of two accomplices charged alongside the recently arrested Maksim Silnikau.

Kadariya, like Silnikau, is accused of running a malvertising ring for over ten years that distributed the infamous Angler Exploit Kit, as well as of wire fraud and conspiracy to commit wire fraud.

While Silnikau was caught, neither Kadariya nor the pair's other alleged co-conspirator, Russian citizen Andrei Tarasov, has been arrested. If they are ever caught, they could face decades in prison, as Silnikau now does alone.

Backpage owner convicted

Three other leaders of the notorious website Backpage, regarded as a haven for the sex trafficking of minors in the United States until it was shut down in 2018, have just been sentenced to prison.

Michael Lacey, Scott Spear and John “Jed” Brunst, whom the Justice Department identified as the website's owners, were each sentenced to 10 years in prison followed by three years' probation; Lacey only has to spend five years behind bars, according to the DOJ.

Backpage CEO Carl Ferrer pleaded guilty to promoting prostitution and engaging in money laundering shortly after the site was seized; the site's sales and marketing director, Dan Hyer, also pleaded guilty to similar charges. James Larkin, another defendant in the case, died before the trial began, the Justice Department notes.

Backpage generated more than $500 million over its eight years as a website trading in illegal prostitution and human trafficking.

CISA launches incident reporting portal

To simplify the often tedious process of reporting cyber incidents, CISA has launched a new Services Portal website where organizations can report incidents, share reports with third parties, and chat with CISA staff.

Reports can be submitted with a login.gov account or anonymously through the same site.

“Any organization affected by a cyberattack or incident should report it – for their own benefit and to help the broader public,” said Jeff Greene, deputy director for cybersecurity at CISA. “CISA and our government partners have unique resources and tools to help with response and recovery, but we can't help if we don't know about an incident.”

The portal arrives a little over a year before CISA must issue mandatory reporting rules under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which became law in 2022.

Once the rule takes effect (President Biden has given CISA until October 2025 to finalize it), serious cybersecurity incidents at critical infrastructure organizations must be reported to CISA within 72 hours.

Consider this your opportunity to get some practice. ®