17,000 Devices at Risk After Mirai Botnet Exploits GeoVision Zero-Day

Mirai botnet exploits zero-day vulnerability in GeoVision devices, affecting over 17,000 systems worldwide. Learn about DDoS risks and security measures.

19-Nov-2024
4 min read

A dangerous malware botnet has been detected exploiting a zero-day vulnerability (CVE-2024-11120) in end-of-life GeoVision video surveillance devices, potentially compromising over 17,000 systems worldwide. The Mirai botnet variant, known for Distributed Denial of Service (DDoS) and cryptomining attacks, is exploiting this critical flaw to install malware on outdated devices, posing a significant security risk.

Critical Vulnerability Details

The flaw, CVE-2024-11120, was uncovered by Piotr Kijewski of The Shadowserver Foundation and carries a severity score of 9.8 (CVSS v3.1), reflecting its critical impact. It is an OS command injection vulnerability that allows unauthenticated attackers to execute arbitrary commands on the device and potentially take full control of it.

"Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device," warns Taiwan's CERT (TWCERT). The organization has already received numerous reports of this vulnerability being actively exploited in the wild, signaling an urgent need for mitigation.

TWCERT's advisory (TVN-202411014) rates the vulnerability as highly exploitable with severe consequences and calls for immediate attention; exploitation has already been observed in multiple instances, so mitigation should not be delayed.

Impacted GeoVision Models

The vulnerability affects several discontinued GeoVision models, grouped by functionality:

Video Servers:

  • GV-VS12: A two-channel H.264 video server designed for converting analog video to digital streams.
  • GV-VS11: A single-channel video server used for digitizing analog video signals.

License Plate Recognition System:

  • GV-DSP LPR V3: A Linux-based system dedicated to license plate recognition.

Mobile Surveillance DVRs:

  • GV-LX4C V2 / GV-LX4C V3: Compact digital video recorders (DVRs) developed for mobile surveillance applications.

These models are end-of-life products and are no longer receiving security updates, making them particularly vulnerable to attack.

Global Exposure

According to The Shadowserver Foundation, approximately 17,000 GeoVision devices are currently exposed online and vulnerable to exploitation by CVE-2024-11120. Most of these devices (over 9,100) are located in the United States, with Germany, Canada, Taiwan, Japan, Spain, and France also reporting significant numbers of vulnerable devices.

Piotr Kijewski, the researcher who uncovered the issue, has identified the botnet as a variant of Mirai, a notorious malware strain often used for DDoS attacks and cryptomining operations. With thousands of exposed devices left defenseless, the potential for large-scale disruptions is high.

Symptoms and Mitigation Steps

Infected devices may show symptoms such as excessive heating, slower response times, and unexpected configuration changes due to increased resource usage from unauthorized activities. If any of these symptoms are observed, it is critical to perform a factory reset, change the default admin password to something strong, disable remote access, and isolate the device behind a firewall.

For organizations unable to replace these end-of-life devices, network administrators should place them on a dedicated local area network (LAN) or subnet, away from critical infrastructure, and closely monitor their activity for any signs of compromise.
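A small egress monitor for an isolated camera subnet, added here as an example and not part of the article or of any GeoVision tooling: it parses constructed firewall flow records and flags cameras that talk to hosts outside an allowlist, fan out to many new hosts, or push bulk outbound traffic. The subnet, the allowlist addresses and the key=value log format are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample flow records (not from the article): outbound flows logged
# at the firewall in front of an isolated camera subnet.
SAMPLE_FLOWS = """\
2024-11-19T10:00:01Z src=10.50.0.12 dst=10.10.0.5 dport=554 proto=tcp bytes=48000
2024-11-19T10:00:02Z src=10.50.0.12 dst=10.10.0.53 dport=123 proto=udp bytes=76
2024-11-19T10:00:03Z src=10.50.0.14 dst=198.51.100.7 dport=23 proto=tcp bytes=60
2024-11-19T10:00:03Z src=10.50.0.14 dst=198.51.100.8 dport=23 proto=tcp bytes=60
2024-11-19T10:00:04Z src=10.50.0.14 dst=198.51.100.9 dport=23 proto=tcp bytes=60
2024-11-19T10:00:05Z src=10.50.0.14 dst=203.0.113.40 dport=80 proto=tcp bytes=9000000
"""

CAMERA_SUBNET = ipaddress.ip_network("10.50.0.0/24")  # assumed dedicated camera VLAN
ALLOWED_DST = {"10.10.0.5", "10.10.0.53"}  # assumed allowlist: NVR and internal NTP only

FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
                     r"proto=(?P<proto>\w+) bytes=(?P<bytes>\d+)")


def parse_flows(text):
    """Parse key=value flow lines into dicts; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            d = m.groupdict()
            d["dport"], d["bytes"] = int(d["dport"]), int(d["bytes"])
            flows.append(d)
    return flows


def find_suspects(flows, fanout_threshold=3, volume_threshold=1_000_000):
    """Map camera IP -> reasons for cameras whose egress leaves the allowlist."""
    dsts, egress, findings = defaultdict(set), defaultdict(int), defaultdict(list)
    for f in flows:
        # Only traffic originating from the camera subnet is of interest here.
        if ipaddress.ip_address(f["src"]) not in CAMERA_SUBNET:
            continue
        if f["dst"] not in ALLOWED_DST:
            dsts[f["src"]].add(f["dst"])
            egress[f["src"]] += f["bytes"]
    for cam, hosts in dsts.items():
        findings[cam].append(f"egress to {len(hosts)} non-allowlisted host(s)")
        if len(hosts) >= fanout_threshold:  # many new peers: scanning/spreading
            findings[cam].append("fan-out to many hosts")
        if egress[cam] >= volume_threshold:  # bulk outbound: possible DDoS role
            findings[cam].append(f"{egress[cam]} bytes outbound")
    return dict(findings)
```

Feed it the firewall's real flow export for the camera subnet and alert on any camera that appears in the result; a healthy camera should only ever reach the recorder and the time server.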

How to Protect Against Mirai Botnet Attacks

The following steps are recommended to mitigate the impact of this vulnerability:

  1. Device Replacement: Replace outdated GeoVision devices with supported models that continue to receive security patches.
  2. Password Management: Immediately change default credentials to strong, unique passwords.
  3. Access Restrictions: Disable remote management interfaces and place devices behind firewalls to limit exposure.
  4. Network Segmentation: Isolate vulnerable devices to prevent them from compromising other parts of the network.
  5. Firmware Updates: Ensure that any devices still supported receive the latest firmware updates to minimize risk.

Note: Prioritizing mitigation steps based on the organization's resources and device importance can help in effective risk management.

GeoVision devices' end-of-life status leaves them highly susceptible to attacks, and no security patches are expected. As such, users and administrators must take immediate action to secure these devices or consider their replacement to mitigate the risk.

The exploitation of CVE-2024-11120 by a Mirai botnet highlights the risks associated with using unsupported, vulnerable hardware. With thousands of GeoVision devices exposed globally, the threat of these devices being compromised for malicious purposes, such as DDoS attacks or cryptomining, is significant. Users should take all available precautions to mitigate these risks, including restricting access and ensuring strong password practices.