Mirai botnet exploits zero-day vulnerability in GeoVision devices, affecting over 17,000 systems worldwide. Learn about DDoS risks and security measures.
A Mirai botnet variant has been detected exploiting a zero-day vulnerability (CVE-2024-11120) in end-of-life GeoVision video surveillance devices, putting roughly 17,000 exposed systems worldwide at risk. Mirai variants are used mainly for Distributed Denial of Service (DDoS) attacks and, in some cases, cryptomining; this one is using the flaw to install its malware on the outdated devices.
The flaw, CVE-2024-11120, was uncovered by Piotr Kijewski of The Shadowserver Foundation and carries a CVSS v3.1 base score of 9.8 (critical). It is an OS command injection vulnerability: an unauthenticated remote attacker can inject and execute arbitrary system commands on the device and thereby take full control of it.
"Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device," warns Taiwan's CERT (TWCERT). The organization has already received numerous reports of this vulnerability being actively exploited in the wild, signaling an urgent need for mitigation.
TWCERT tracks the issue as TVN-202411014 and rates it as highly exploitable with severe consequences. Because exploitation has already been observed in multiple incidents, mitigation should not be deferred.
The vulnerability affects several discontinued GeoVision models, grouped by functionality:
These models are end-of-life products and are no longer receiving security updates, making them particularly vulnerable to attack.
According to The Shadowserver Foundation, approximately 17,000 GeoVision devices are currently exposed online and vulnerable to exploitation by CVE-2024-11120. Most of these devices (over 9,100) are located in the United States, with Germany, Canada, Taiwan, Japan, Spain, and France also reporting significant numbers of vulnerable devices.
Piotr Kijewski, the researcher who uncovered the issue, has identified the botnet as a variant of Mirai, a notorious malware strain often used for DDoS attacks and cryptomining operations. With thousands of exposed devices left defenseless, the potential for large-scale disruption is high.
Infected devices may show symptoms such as excessive heating, slower response times, and unexpected configuration changes, caused by the resource use of the unauthorized activity. If any of these symptoms are observed, perform a factory reset, change the default admin password to a strong one, disable remote access from the internet, and isolate the device behind a firewall. Note that a reset only removes the current infection; the underlying flaw stays unpatched, so a device that is reachable from the internet again will simply be re-infected.
For organizations unable to replace these end-of-life devices, network administrators should place them on a dedicated VLAN or subnet, away from critical infrastructure, allow only the recorder or management host to reach them, block all outbound connections from the cameras to the internet, and log and review what they connect to for any signs of compromise.
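The monitoring described above can be reduced to a simple check: a surveillance camera on an isolated subnet should only ever talk to its recorder and a time source, and a Mirai-infected one typically starts fanning out to many addresses on telnet and similar ports looking for new victims. The following is an added example, not code from the article, GeoVision, or Shadowserver. It parses constructed connection-log lines (timestamp, source, destination, protocol, destination port, a format assumed for illustration) from a firewall between an assumed camera VLAN (10.50.0.0/24) and the rest of the network, and reports both policy violations and cameras whose fan-out looks like scanning.

```python
"""Flag Mirai-style behaviour from an isolated camera subnet.

Added example (not from the article or any vendor). The addresses, the
allow-list and the log lines below are all constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed isolated VLAN that the end-of-life cameras were moved to.
CAMERA_SUBNET = ip_network("10.50.0.0/24")

# Assumed legitimate peers: the video recorder (RTSP and HTTP) and an
# internal NTP server. Anything else from a camera is a policy violation.
ALLOWED_FLOWS = {
    ("10.10.0.5", "tcp", 554),  # RTSP to the recorder
    ("10.10.0.5", "tcp", 80),   # HTTP to the recorder
    ("10.10.0.2", "udp", 123),  # NTP
}

# Ports that Mirai-family malware probes to spread. One connection to
# such a port can be noise; many distinct destinations is the tell.
SCAN_PORTS = {22, 23, 2323, 80, 81, 8080, 7547}
FANOUT_THRESHOLD = 5

# Constructed log: .21 behaves, .22 scans telnet and calls out over
# HTTPS, .23 makes one stray SSH connection inside the network.
LOG = """\
2024-11-18T10:00:01 10.50.0.21 10.10.0.5 tcp 554
2024-11-18T10:00:02 10.50.0.21 10.10.0.2 udp 123
2024-11-18T10:00:03 10.10.0.5 10.50.0.21 tcp 554
2024-11-18T10:00:04 10.50.0.22 10.10.0.5 tcp 80
2024-11-18T10:00:05 10.50.0.22 203.0.113.7 tcp 23
2024-11-18T10:00:05 10.50.0.22 203.0.113.8 tcp 23
2024-11-18T10:00:05 10.50.0.22 203.0.113.9 tcp 2323
2024-11-18T10:00:06 10.50.0.22 198.51.100.4 tcp 23
2024-11-18T10:00:06 10.50.0.22 198.51.100.5 tcp 23
2024-11-18T10:00:06 10.50.0.22 198.51.100.6 tcp 23
2024-11-18T10:00:07 10.50.0.22 192.0.2.50 tcp 443
2024-11-18T10:00:08 10.50.0.23 10.10.0.9 tcp 22
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, proto, dport)."""
    ts, src, dst, proto, dport = line.split()
    return ts, ip_address(src), ip_address(dst), proto.lower(), int(dport)


def analyse(log_text):
    """Return (policy_violations, scanners).

    policy_violations: every camera-originated flow not on the allow-list,
    as (timestamp, src, dst, proto, dport) tuples.
    scanners: cameras that hit FANOUT_THRESHOLD or more distinct
    destinations on SCAN_PORTS outside the allow-list.
    """
    violations = []
    scan_targets = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = parse_line(line)
        if src not in CAMERA_SUBNET:
            continue  # only flows the cameras initiate matter here
        if (str(dst), proto, dport) in ALLOWED_FLOWS:
            continue
        violations.append((ts, str(src), str(dst), proto, dport))
        if dport in SCAN_PORTS:
            scan_targets[str(src)].add(str(dst))
    scanners = sorted(
        src for src, targets in scan_targets.items()
        if len(targets) >= FANOUT_THRESHOLD
    )
    return violations, scanners


if __name__ == "__main__":
    violations, scanners = analyse(LOG)
    for v in violations:
        print("policy violation:", *v)
    for s in scanners:
        print("probable scanner (reset and re-isolate):", s)
```

Run against real exports, the allow-list is the only site-specific part; the fan-out rule stays the same. A camera that shows up as a scanner is exactly the case where the reset advice above applies, and the log line count per minute gives a quick sense of how fast it was re-infected if it was ever reachable from outside.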
How to Protect Against Mirai Botnet Attacks
The following steps are recommended to mitigate the impact of this vulnerability:
Note: Prioritizing mitigation steps based on the organization's resources and device importance can help in effective risk management.
GeoVision devices' end-of-life status leaves them highly susceptible to attacks, and no security patches are expected. As such, users and administrators must take immediate action to secure these devices or consider their replacement to mitigate the risk.
The exploitation of CVE-2024-11120 by a Mirai botnet highlights the risk of running unsupported hardware. With thousands of GeoVision devices exposed globally, the chance of their being conscripted for DDoS attacks or cryptomining is significant. Users should take every available precaution, above all restricting network access to and from the devices and replacing default credentials with strong ones.