# Full Report
A new variant of the Mirai malware botnet is exploiting a command injection vulnerability in TBK DVR-4104 and DVR-4216 digital video recording devices to hijack them. [...]
# Analysis Summary
# Vulnerability: Mirai Botnet Exploiting Command Injection in TBK DVRs
## CVE Details
- CVE ID: CVE-2024-3721 (Inferred from context referring to "CVE-2024-3721 flaw")
- CVSS Score: Unknown (Severity not explicitly provided, but context describes active exploitation)
- CWE: Command Injection (Inferred from description)
## Affected Systems
- Products: TBK DVR devices (including models DVR-4104 and DVR-4216)
- Versions: Unspecified vulnerable versions. Note: These devices are often re-branded under Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR brands.
- Configurations: Applicable across devices running vulnerable firmware.
## Vulnerability Description
The vulnerability is a Command Injection flaw present in TBK DVR devices. This flaw allows remote attackers to execute arbitrary commands on the underlying system, which has been leveraged by a new variant of the Mirai botnet for infection.
## Exploitation
- Status: Actively exploited (Used by a new Mirai botnet variant)
- Complexity: Likely Low/Medium (Command injection is often easy to exploit once the entry point is found)
- Attack Vector: Network (Implied, as IoT devices are targeted remotely)
## Impact
Impact ratings are not given in the source material; the values below are assumed from the remote command-injection (RCE) nature of the flaw:
- Confidentiality: High (Potential for data theft/access to device operations)
- Integrity: High (Ability to modify device configuration or installed software)
- Availability: High (Device can be taken offline or used for DDoS attacks as part of the botnet)
## Remediation
### Patches
- Patches: Status with TBK is unknown as of the article date; researchers are awaiting a response from the vendor regarding CVE-2024-3721.
- **Crucially, patch availability for re-branded devices (Novo, QSee, Night OWL, etc.) is likely vendor-dependent: each re-branding vendor would need to ship its own firmware update, so owners should check with that vendor rather than TBK.**
### Workarounds
- Network segmentation or isolation of DVR devices from public networks where possible.
- Disabling unnecessary remote access features if applicable.
- Changing default credentials (defense in depth only: this vulnerability appears to be exploitable before authentication, so a credential change alone does not prevent it).
## Detection
- Indicators of Compromise: presence of Mirai-variant malware binaries on the device, or abnormal outbound network traffic from the DVR consistent with a botnet C2 connection (no specific hashes, domains or addresses are given in the source material).
- Detection Methods and Tools: network monitoring for unexpected outbound connections or command execution originating from the DVR, and existing Mirai detection signatures where they cover the new variant.
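The monitoring approach above can be reduced to two simple checks over outbound flow records: a DVR talking to a destination outside its expected set, and a DVR fanning out to many distinct hosts in a short window. The script below is an added example, not code from the source report or from TBK; the DVR inventory, the allowlist, the flow-log format and every address and log line in it are constructed for illustration and are not indicators from the article.

```python
"""Flag suspicious outbound traffic from DVR hosts in a constructed flow log.

Added example (not from the original report). Assumes a space-separated
flow-log format "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>" and a
known inventory of DVR addresses; all IPs and log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed inventory: DVR addresses on the camera VLAN (assumed).
DVR_HOSTS = {"10.20.0.11", "10.20.0.12"}

# Constructed allowlist of (destination, port) pairs a DVR legitimately
# contacts: local NTP and the on-site management/NVR host (both assumed).
EXPECTED_DESTINATIONS = {
    ("10.20.0.1", 123),
    ("10.10.5.20", 443),
}

# A DVR contacting this many distinct hosts inside one window looks like
# scanning or C2 hunting rather than video delivery (thresholds assumed).
FANOUT_WINDOW_SECONDS = 60
FANOUT_THRESHOLD = 5

# Constructed flow log: 10.20.0.11 behaves normally, 10.20.0.12 does not.
SAMPLE_FLOWS = """\
2024-06-01T10:00:01 10.20.0.11 10.20.0.1 123 udp
2024-06-01T10:00:05 10.20.0.11 10.10.5.20 443 tcp
2024-06-01T10:00:30 10.20.0.12 10.10.5.20 443 tcp
2024-06-01T10:02:00 10.20.0.12 203.0.113.45 6667 tcp
2024-06-01T10:02:03 10.20.0.12 198.51.100.7 80 tcp
2024-06-01T10:02:04 10.20.0.12 198.51.100.8 80 tcp
2024-06-01T10:02:05 10.20.0.12 198.51.100.9 80 tcp
2024-06-01T10:02:06 10.20.0.12 198.51.100.10 80 tcp
2024-06-01T10:02:07 10.20.0.12 198.51.100.11 80 tcp
2024-06-01T10:05:00 10.10.5.20 10.20.0.11 554 tcp
"""


def parse_flow(line):
    """Turn one log line into a dict with a parsed timestamp and int port."""
    ts, src, dst, port, proto = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "proto": proto}


def parse_log(text):
    return [parse_flow(line) for line in text.splitlines() if line.strip()]


def find_unexpected_destinations(flows):
    """Outbound flows from a DVR to any (dst, port) outside the allowlist."""
    return [(f["src"], f["dst"], f["port"]) for f in flows
            if f["src"] in DVR_HOSTS
            and (f["dst"], f["port"]) not in EXPECTED_DESTINATIONS]


def find_fanout(flows, window=FANOUT_WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """DVRs that reach >= threshold distinct hosts within one sliding window.

    Returns {src_ip: max distinct destinations seen in any window}.
    """
    by_src = defaultdict(list)
    for f in flows:
        if f["src"] in DVR_HOSTS:
            by_src[f["src"]].append(f)
    flagged = {}
    for src, src_flows in by_src.items():
        src_flows.sort(key=lambda f: f["ts"])
        for i, start in enumerate(src_flows):
            seen = set()
            for f in src_flows[i:]:
                if (f["ts"] - start["ts"]).total_seconds() > window:
                    break
                seen.add(f["dst"])
            if len(seen) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(seen))
    return flagged


def analyze(log_text):
    """Run both checks over a flow log and return the findings."""
    flows = parse_log(log_text)
    return {"unexpected": find_unexpected_destinations(flows),
            "fanout": find_fanout(flows)}


if __name__ == "__main__":
    result = analyze(SAMPLE_FLOWS)
    for src, dst, port in result["unexpected"]:
        print(f"unexpected outbound: {src} -> {dst}:{port}")
    for src, n in result["fanout"].items():
        print(f"fan-out: {src} reached {n} distinct hosts within "
              f"{FANOUT_WINDOW_SECONDS}s")
```

The allowlist check is the one that matters most for a DVR: these devices have a small, stable set of legitimate peers, so any new outbound destination is worth a ticket even before a signature for the specific Mirai variant exists. The fan-out check catches the post-infection behaviour regardless of which destinations the variant uses.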
## References
- Vendor Advisory: None confirmed at time of writing; vendor TBK has been contacted.
- Relevant links:
  - hxxps://www.bleepingcomputer.com/news/security/new-mirai-botnet-infect-tbk-dvr-devices-via-command-injection-flaw/
  - hxxps://www.bleepingcomputer.com/news/security/hackers-exploit-5-year-old-unpatched-flaw-in-tbk-dvr-devices/