Cybersecurity researchers have described a new botnet called Mirai_ptea, a variant of the Mirai botnet that uses an undisclosed vulnerability in video recording devices. Attackers target digital video recorders (DVRs) made by KGUARD to propagate and carry out distributed denial-of-service (DDoS) attacks.
Netlab 360 detected the first scanning for the flaw on March 23, 2021, and eventually intercepted exploitation attempts by the botnet on June 22, 2021.
The Mirai botnet, which first emerged in 2016, has been tied to a series of large-scale distributed denial of service attacks. It tries to turn networked Linux devices into remotely controlled bots that can be used as part of a botnet in large-scale network attacks.
One such attack against DNS service provider Dyn in October 2016 rendered major internet platforms and services inaccessible to users in Europe and North America.
According to researchers, Mirai_ptea is a variant of the Mirai worm that was released in July 2016. It uses the same source code as its predecessors, but it has a different name.
Researchers did not disclose many details about the security flaw in order not to give threat actors a chance to develop exploits for future attacks.
The researchers did say, however, that the KGUARD DVR firmware has been vulnerable to remote execution of system commands since before 2017. The vulnerability can be exploited by anyone without authentication. About 3,000 devices are susceptible to the vulnerability, according to their estimate.
The botnet uses a Tor proxy to communicate with the command-and-control (C2) server, and it extensively encrypts the sensitive resource information needed to establish a connection with the C2 server and retrieve commands from the attackers.
While infections were reported across Europe, Asia, Australia, North and South America, and parts of Africa, “The geographic distribution of bot source IPs is […] mainly concentrated in the United States, Korea and Brazil,” the researchers noted.