IoT Botnet Campaign Exploiting Command Injection Vulnerabilities
TL;DR: Researchers from FortiGuard Labs have identified an active botnet campaign dubbed Nexcorium, utilizing two command injection vulnerabilities to enlist IoT devices for DDoS attacks. The campaign exploits specific entry points in TBK DVR devices and Huawei routers, presenting a significant risk to users of these products.
The Nexcorium campaign leverages two known command injection vulnerabilities, specifically targeting TBK DVR devices and Huawei HG532 routers. The primary entry point is through CVE-2024-3721, an OS command-injection flaw found in TBK DVRs. Once compromised, the malware employs a secondary exploit (CVE-2017-17215) to expand its reach across local networks, facilitating the creation of a robust DDoS botnet capable of launching large-scale attacks.
The attack methodology is automated and does not rely on human interaction. The initial exploitation occurs by sending a carefully crafted POST request to the vulnerable API of a TBK DVR, executing shell commands without any authentication barriers. Following this, the malware downloads and executes its payloads, which it customizes based on the device architecture. The persistence mechanisms implemented are extensive, utilizing inittab, rc.local, systemd, and crontab to ensure that the malware remains operational even after system reboots. Notably, the original malware binary is deleted post-execution to hinder forensic investigations.
Defensive Context
Organizations using affected IoT devices, particularly those with TBK DVRs and Huawei HG532 routers, are at risk from the Nexcorium campaign. This botnet primarily targets unpatched devices exposed to the internet, making it crucial for users of these products to implement network segmentation or employ firewall protections to minimize exposure.
Why This Matters
The risk from this campaign is substantial due to the widespread use of unpatched IoT devices, which are often left vulnerable and accessible. The potential for a large-scale DDoS attack can severely impact the availability of critical services, particularly for organizations unaware of the vulnerabilities present in their devices.
Defender Considerations
Defenders should focus on identifying and mitigating the presence of CVE-2024-3721 and CVE-2017-17215 in their environments. For TBK DVR devices, immediate segregation from public networks is advisable if no patches exist, as well as monitoring for suspicious outbound connections linked to the identified command-and-control infrastructure. For Huawei routers, applying the available patches or reconfiguring network settings to disable UPnP could prevent exploitation.
Indicators of Compromise (IOCs)
- IP Addresses: 84.200.87.36, 176.65.148.186
- Domain (C2): r3brqw3d.b0ats.top
- HTTP Header: X-Hacked-By: Nexus Team – Exploited By Erratic
- Filename Pattern: nexuscorp.* (e.g., nexuscorp.arm, nexuscorp.mips, nexuscorp.x86)
- Downloader Script: dvr
- Exploit Endpoint: POST /device.rsp?opt=sys&cmd=_S_O_S_T_R_E_AMAX
The outlined infrastructure and payload characteristics point to a well-structured botnet operation focused on broad-scale exploitation of vulnerable IoT devices.
