Corona Malware Botnet Exploits Five-Year-Old Zero-Day in Discontinued AVTECH IP Cameras

August 29, 2024

The Corona Mirai-based malware botnet is actively exploiting a five-year-old remote code execution (RCE) zero-day vulnerability in discontinued AVTECH IP cameras, according to security researcher Aline Eliovich from Akamai. The vulnerability, tracked as CVE-2024-7029, is a high-severity issue (CVSS v4 score: 8.7) in the 'brightness' function of the cameras. It allows unauthenticated attackers to inject commands over the network using specially crafted requests.

The flaw lies in the 'brightness' argument of the 'action=' parameter in the AVTECH camera firmware, a feature intended to let operators adjust a camera's brightness remotely. It affects all AVTECH AVM1203 IP cameras running firmware versions up to Fullmg-1023-1007-1011-1009. Because these models reached end of life (EoL) in 2019 and are no longer supported by the Taiwanese vendor, no patch is available for CVE-2024-7029 and none is expected to be released.

The U.S. Cybersecurity and Infrastructure Security Agency released an advisory earlier this month warning about CVE-2024-7029 and the availability of public exploits. The agency noted that these cameras are still being used in commercial facilities, financial services, healthcare and public health, and transportation systems. Although proof of concept (PoC) exploits for this flaw have been available since 2019, a CVE was only assigned this month, and no active exploitation had previously been observed.

The Corona malware variant, based on Mirai, has been active since 2020 and spreads by exploiting various vulnerabilities in IoT devices. Akamai's SIRT team reports that Corona began exploiting CVE-2024-7029 in the wild on March 18, 2024, targeting AVM1203 cameras still in service despite having reached EoL five years earlier. That was the first active campaign, but analysis showed activity from this variant as early as December 2023.

The Corona attacks, captured in Akamai's honeypots, exploit CVE-2024-7029 to download and execute a JavaScript file, which then loads the primary botnet payload onto the device. Once installed, the malware connects to its command and control (C2) servers and waits for instructions to launch distributed denial of service (DDoS) attacks. Users of AVTECH AVM1203 IP cameras are advised to take them offline immediately and replace them with newer, actively supported models. Because these cameras are often exposed to the internet, which makes them attractive targets for threat actors, they should always run the latest firmware so that known bugs are fixed. A discontinued device should be replaced with a newer model that still receives security updates. Additionally, default credentials should be changed to strong, unique passwords, and these devices should be segregated from critical or production networks.
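As an added illustration, not code from the article or from Akamai, the following Python scans web-server access log lines for requests to the camera's brightness handler that carry shell metacharacters or a non-numeric brightness value, the trace a CVE-2024-7029 attempt would leave. The CGI path and the log lines are constructed placeholders; the article does not give the real endpoint.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Characters a shell would interpret; none belong in a numeric brightness value.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")

# Common/combined log format: client, ident, user, [time], "METHOD target proto", status.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def inspect_request(target: str):
    """Return a finding for a suspicious brightness request, or None."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)
    action = " ".join(qs.get("action", [])).lower()
    if "brightness" not in action and "brightness" not in qs:
        return None  # some other handler; out of scope for this check
    reasons = []
    for key, values in qs.items():
        for raw in values:
            value = unquote(raw)  # parse_qs decoded once; catch double encoding
            if SHELL_META.search(value):
                reasons.append(f"shell metacharacter in '{key}'")
            elif key == "brightness" and not value.isdigit():
                reasons.append("non-numeric brightness value")
    return {"path": parts.path, "reasons": reasons} if reasons else None


def scan_log(text: str):
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse
        hit = inspect_request(m.group("target"))
        if hit:
            findings.append({"src": m.group("src"), "status": m.group("status"), **hit})
    return findings


# Constructed sample lines; /cgi-bin/EXAMPLE.cgi is a placeholder, not the real endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Mar/2024:10:01:12 +0000] "GET /cgi-bin/EXAMPLE.cgi?action=brightness&brightness=40 HTTP/1.1" 200 512
203.0.113.7 - - [18/Mar/2024:10:01:13 +0000] "GET /cgi-bin/EXAMPLE.cgi?action=brightness&brightness=40%3Bid HTTP/1.1" 200 512
198.51.100.9 - - [18/Mar/2024:10:02:40 +0000] "GET /cgi-bin/EXAMPLE.cgi?action=brightness&brightness=%2524%2528id%2529 HTTP/1.1" 200 512
198.51.100.9 - - [18/Mar/2024:10:03:01 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['src']} -> {f['path']} [{f['status']}]: {', '.join(f['reasons'])}")
```

A 200 status on a flagged request is the case to escalate, since the camera answered the injected request rather than rejecting it.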
