New botnet exploits vulnerabilities in NVRs, TP-Link routers

Latest News on NVR Vulnerability Exploitation (2024)

CVE-2024-41883:

  • Vulnerability Description: A remote code execution vulnerability has been discovered in the NVR (Network Video Recorder) product XRN-420S by Hanwha Vision Co., Ltd. The flaw allows an attacker to supply a specially crafted value in a specific field, leading to a NULL pointer dereference, which can result in remote code execution [1].
  • Affected Versions: The vulnerability affects versions 5.01.62 and prior.
  • Patch Availability: A firmware patch is available to mitigate this issue [1].

Androxgh0st Botnet:

  • Rise from Mozi: The Androxgh0st botnet has emerged from the ashes of the Mozi botnet. It has quickly become a significant threat to critical infrastructure, particularly targeting TP-Link routers [2].
  • Exploitation Chain: The botnet uses payloads from the Mozi exploitation chain, targeting various devices including TP-Link routers. This hybrid botnet is suspected to be operated by Chinese threat actors driven by interests similar to those of the Chinese state [2].
  • Global Prevalence: Check Point has rated Androxgh0st as the most prevalent malware globally, affecting 5% of organizations worldwide in November. The botnet exploits vulnerabilities in dozens of technologies, including VPNs, firewalls, routers, and web applications [2].
  • IoT Focus: The integration of Mozi's capabilities within Androxgh0st has significantly expanded its reach, targeting IoT devices and creating cascading effects across industries. The botnet is expected to exploit at least 75% to 100% more web application vulnerabilities by mid-2025 [2].

New Botnet Security Threats

Androxgh0st's Capabilities:

  • Mass Exploitations: The integration of Mozi's capabilities within Androxgh0st means that there will be an uptick in mass exploitation. The botnet is already exploiting vulnerabilities in various technologies, including Cisco ASA, Atlassian JIRA, Sophos Firewalls, Spring Cloud Gateways, PHP frameworks, and several IoT devices [2].
  • Targeting Specific Devices: The botnet's ability to target any router, camera, or other IoT device that is largely unprotected makes it a significant threat. By August, CloudSEK started seeing the malware operators deploying IoT-focused Mozi payloads, leading to increased infection rates [2].

Additional Security Threats

Other Notable Threats:

  • Apache Struts Vulnerability: Researchers warn that threat actors are attempting to exploit a recently disclosed Apache Struts vulnerability, CVE-2024-53677 [3].
  • CyberPanel Flaw: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CyberPanel flaw, CVE-2024-51378, to its Known Exploited Vulnerabilities catalog. This flaw allows remote attackers to bypass authentication and execute arbitrary code [3].
  • Mirai Botnet: Juniper Networks has warned of malicious campaigns targeting Session Smart Router (SSR) products with default passwords, resulting in the deployment of Mirai botnet malware. This botnet is used for distributed denial-of-service (DDoS) attacks [5].

These updates highlight the ongoing and evolving nature of cybersecurity threats, emphasizing the need for continuous vigilance and prompt application of security updates to mitigate these risks.