Nexcorium is like a digital thief that sneaks into smart cameras and old routers to turn them into an army of robots that can flood websites with too much traffic, making them crash. To stop it, we need to fix the holes in these devices and change their passwords.
What Happened
A new variant of the infamous Mirai botnet, named Nexcorium, has emerged, actively targeting TBK DVR devices and outdated TP-Link routers. This campaign exploits a known command injection vulnerability, CVE-2024-3721, allowing attackers to hijack these devices and convert them into a large-scale Distributed Denial-of-Service (DDoS) botnet. The threat actors behind this campaign have been attributed to a group identified as the "Nexus Team," although they remain relatively obscure within the cybersecurity landscape.
How It Works
Nexcorium operates by exploiting the CVE-2024-3721 vulnerability, which enables attackers to deliver a downloader script through manipulation of specific request arguments. This script, named "dvr," downloads malware samples labeled "nexuscorp" that are compatible with multiple Linux architectures, including ARM, MIPS, and x86-64. Upon execution, the malware displays a message stating, "nexuscorp has taken control."
The malware architecture mirrors that of traditional Mirai variants, utilizing modular components such as a watchdog, scanner, and attacker module. It performs integrity checks and can replicate itself if alterations are detected, ensuring its persistence on infected devices.
Who's Being Targeted
The primary targets of this campaign are TBK DVR-4104 and DVR-4216 models, as well as end-of-life TP-Link routers. These devices are often left unpatched or lack adequate security measures, making them prime candidates for exploitation.
Signs of Infection
Indicators of infection include unusual network traffic patterns, especially those containing the custom HTTP header "X-Hacked-By: Nexus Team - Exploited By Erratic." Additionally, affected devices may exhibit unexpected behavior, such as unauthorized access attempts or system slowdowns due to DDoS activity.
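As an added example (not code from the original article or from any vendor report), the Python below shows how a defender could flag captured HTTP requests that carry the X-Hacked-By marker header described above. Header names are matched case-insensitively, and the sample requests, hosts and paths are constructed for illustration.

```python
"""Flag HTTP requests carrying the Nexcorium marker header (defensive check)."""
from typing import Iterable

# Indicator reported for this campaign: header name and a value fragment.
IOC_HEADER = "x-hacked-by"
IOC_VALUE_FRAGMENT = "nexus team"


def parse_headers(raw_request: str) -> dict[str, str]:
    """Parse the header block of a raw HTTP request into a lowercase-keyed dict.

    HTTP header names are case-insensitive, so they are normalised before
    matching; values keep their text, stripped of surrounding whitespace.
    Malformed lines without a colon are ignored rather than raising.
    """
    head = raw_request.split("\r\n\r\n", 1)[0].split("\n\n", 1)[0]
    lines = head.replace("\r\n", "\n").split("\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:  # lines[0] is the request line, not a header
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def request_line(raw_request: str) -> str:
    """Return the first line (method, path, version) of a raw request."""
    return raw_request.replace("\r\n", "\n").split("\n", 1)[0]


def is_nexcorium_marker(headers: dict[str, str]) -> bool:
    """True when the X-Hacked-By header is present and names the Nexus Team."""
    return IOC_VALUE_FRAGMENT in headers.get(IOC_HEADER, "").lower()


def scan_requests(requests: Iterable[str]) -> list[str]:
    """Return the request lines of every request that carries the marker."""
    return [request_line(r) for r in requests
            if is_nexcorium_marker(parse_headers(r))]


# Constructed sample traffic (not captured data): one benign request and one
# carrying the marker header with mixed-case header name.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: dvr.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /cgi-bin/status HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    "x-hacked-by: Nexus Team - Exploited By Erratic\r\n\r\n",
]

if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print("Nexcorium marker seen in:", hit)
```

A hit on this header indicates a device that has already been compromised, so the owning device should be isolated and patched rather than merely blocked at the perimeter.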
How to Protect Yourself
Organizations are urged to immediately patch CVE-2024-3721 and replace default manufacturer credentials on all devices. Implementing network segmentation can also help isolate critical infrastructure from vulnerable IoT endpoints. Continuous monitoring for unusual traffic patterns and employing robust intrusion detection systems can further mitigate risks associated with this botnet.
Conclusion
The Nexcorium malware exemplifies the ongoing threat posed by IoT-focused botnets, combining vulnerability exploitation with a sophisticated architecture to maintain long-term access to infected systems. Its use of known exploits, such as CVE-2017-17215 targeting Huawei devices, alongside extensive brute-force capabilities, underscores the need for vigilance in securing IoT devices against such threats.
The emergence of Nexcorium highlights the critical need for organizations to prioritize IoT security, especially for devices that are often overlooked or left unpatched. As attackers continue to exploit known vulnerabilities, proactive measures are essential to safeguard networks.