Full Report
Cybersecurity researchers are calling attention to a malware campaign that's targeting security flaws in TBK digital video recorders (DVRs) and Four-Faith routers to rope the devices into a new botnet called RondoDox. The vulnerabilities in question include CVE-2024-3721, a medium-severity command injection vulnerability affecting TBK DVR-4104 and DVR-4216 DVRs, and CVE-2024-12856, an operating
Analysis Summary
# Vulnerability: Command Injection in TBK DVRs and Four-Faith Routers Exploited by RondoDox Botnet
## CVE Details
- CVE ID: CVE-2024-3721
- CVSS Score: not given in the source; reported as medium severity.
- CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- CVE ID: CVE-2024-12856
- CVSS Score: not given in the source.
- CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
## Affected Systems
- **Products (CVE-2024-3721):** TBK digital video recorders (DVRs)
- **Models (CVE-2024-3721):** DVR-4104, DVR-4216
- **Products (CVE-2024-12856):** Four-Faith routers
- **Models (CVE-2024-12856):** F3x24, F3x36
- **Configurations:** The source gives no configuration details; the devices the botnet reaches are, by implication, ones whose management service is exposed to the internet on unpatched firmware.
## Vulnerability Description
Both vulnerabilities are operating system (OS) command injection flaws. They allow remote threat actors to execute arbitrary commands on the underlying operating system of the affected network devices (DVRs and Routers). These flaws are being actively weaponized by the RondoDox botnet malware to compromise the devices.
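The injection pattern both CVEs fall under, shown as an added example rather than code from the TBK or Four-Faith firmware (which this page does not reproduce): a hypothetical device web handler passes a caller-supplied host to a network utility. The handler, its `host` parameter, the `ping` command and the hostname allowlist are assumptions; the vulnerable form builds a shell string, the hardened form validates the value and hands an argv list to `exec` without a shell.

```python
import ipaddress
import re
import subprocess

# Added illustration of the CWE-78 pattern both CVEs fall under. This is
# not the TBK or Four-Faith firmware code (not reproduced on this page);
# the handler, its `host` parameter and the ping command are hypothetical.

# RFC 1123-style hostname: dot-separated labels of letters, digits and
# interior hyphens, up to 253 characters in total.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_command_vulnerable(host):
    """Vulnerable form: the parameter is spliced into a string that a
    shell will parse, so ';', '|', '&&', backticks and $() in it start
    new commands running as the service user."""
    return "ping -c 1 " + host


def injected_commands(command_line):
    """Rough shell-style split on command separators (quoting and $()
    are ignored); enough to show what the vulnerable string would run
    beyond the intended ping."""
    parts = re.split(r"\s*(?:;|&&|\|\||\|)\s*", command_line)
    return [p.strip() for p in parts[1:] if p.strip()]


def validate_host(host):
    """Hardening step 1: allow only an IP literal or a DNS hostname.
    Anything else, including a leading '-' that ping would read as an
    option, raises ValueError."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    if HOSTNAME.match(host):
        return host
    raise ValueError(f"rejected host parameter: {host!r}")


def is_safe_host(host):
    """True if validate_host would accept the value."""
    try:
        validate_host(host)
        return True
    except ValueError:
        return False


def build_command_hardened(host):
    """Hardening step 2: an argv list executed without a shell, so no
    character in the value can be interpreted as a command separator."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host):
    """Execute the hardened form. With a list and shell=False (the
    default), subprocess calls exec directly rather than /bin/sh -c."""
    return subprocess.run(build_command_hardened(host),
                          capture_output=True, text=True, timeout=5)


if __name__ == "__main__":
    tainted = "127.0.0.1; id"
    print("vulnerable:", build_command_vulnerable(tainted))
    print("extra commands a shell would run:",
          injected_commands(build_command_vulnerable(tainted)))
    print("hardened argv:", build_command_hardened("192.0.2.10"))
    try:
        build_command_hardened(tainted)
    except ValueError as err:
        print("hardened rejects:", err)
```

Both hardening steps matter: the argv list removes the shell, and the allowlist is what stops argument injection such as a host of `-f`, which no amount of quoting would fix. On an embedded device the same two rules apply to the C or CGI code that usually implements such handlers: never build a `system()` string from request data, and validate before `execv()`.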
## Exploitation
- **Status:** Exploited in the wild. Both flaws are actively targeted by the RondoDox campaign and were previously abused by Mirai variants.
- **Complexity:** Not stated in the source. Command injection in an exposed device service needs no special conditions to trigger, and these devices are rarely monitored or patched.
- **Attack Vector:** Network (both flaws are reached remotely over the device's exposed service).
## Impact
Successful exploitation leads to full takeover of the device through malware installation.
- **Confidentiality:** High (the malware can read device configuration and data and use the device as a proxy).
- **Integrity:** High (the malware establishes persistence, removes traces, renames system binaries and terminates security and analysis processes).
- **Availability:** High (the device is enlisted in DDoS campaigns, and renaming tools such as `iptables` leaves the owner unable to manage it normally).
## Remediation
### Patches
No specific patch versions are listed in the source material. Users must obtain and apply firmware updates provided by TBK and Four-Faith immediately.
### Workarounds
1. **Network Segmentation/Isolation:** Ensure these DVRs and routers are not directly exposed to the internet and are properly segmented from critical internal networks.
2. **Change Default Credentials:** If still applicable, ensure all default administrative credentials have been changed.
3. **Monitoring:** Implement rigorous outbound traffic monitoring to detect unusual connections, especially those mimicking known gaming/VPN protocols.
## Detection
The RondoDox malware exhibits significant evasive behavior.
- **Indicators of Compromise (IoCs):**
    * ELF downloader binaries for ARM and MIPS, later joined by a shell-script downloader that covers multiple architectures.
* Termination of system analysis/network utility processes (e.g., `wget`, `curl`, `Wireshark`, `gdb`).
* Renaming of legitimate executables in common Linux directories (`/usr/sbin`, `/usr/bin`, etc.) to random strings (e.g., `iptables` renamed to `jsuJpf`).
* Outbound connections mimicking traffic from platforms like Valve, Minecraft, Roblox, OpenVPN, or WireGuard to the C2 server `83.150.218[.]93`.
* Persistence mechanism activating after reboot, possibly ignoring `SIGINT`, `SIGQUIT`, and `SIGTERM` signals.
- **Detection Methods and Tools:**
* Use IDS/IPS rules to block known malicious C2 IP addresses.
* Monitor for shell script execution that attempts to disable process signal handling or clear command history.
* File integrity monitoring (FIM) tools should be configured to watch for unauthorized changes to system binaries and file paths like `/dev`, `/var/tmp`, and `/data/local/tmp`.
* Analyze network traffic for non-standard payloads disguised as common services (gaming, VPN).
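A host-triage routine for the indicators listed above, added here as an example and not code from Fortinet, The Hacker News or the device vendors. The C2 address and the three writable directories are the ones named in this analysis; the expected-tool set, the mixed-case rename heuristic and the sample snapshot of an infected DVR are constructed assumptions. It takes the output a responder would pull from a device (a listing of the bin directories, `netstat -antp` lines, regular files found under the writable directories, and any dropped shell scripts) and reports which checks fire.

```python
import re

# Added host-triage example for the RondoDox indicators listed above.
# Not code from Fortinet, The Hacker News or the device vendors. The C2
# address and writable directories come from the analysis; the expected
# tool set, the rename heuristic and every sample input are constructed.

RONDODOX_C2 = "83.150.218.93"
WRITABLE_DIRS = ("/dev", "/var/tmp", "/data/local/tmp")
BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin")
EXPECTED_TOOLS = {"iptables", "wget", "curl"}   # assumption for a healthy image
# Rename heuristic: six letters, mixed case, like iptables -> jsuJpf.
# Stock Unix tool names are almost always all-lowercase, so this is low-noise.
RANDOM_NAME = re.compile(r"^(?=.*[A-Z])(?=.*[a-z])[A-Za-z]{6}$")
# Shell constructs that ignore SIGINT/SIGQUIT/SIGTERM, scrub history,
# or kill the analysis tools named in the IoC list.
EVASION_PATTERNS = {
    "signal-ignore": re.compile(r"""\btrap\s+(?:''|"")\s+[^\n]*\b(?:INT|QUIT|TERM|2|3|15)\b"""),
    "history-clear": re.compile(r"\bhistory\s+-c\b|\bunset\s+HISTFILE\b|HISTFILE=/dev/null"),
    "tool-kill": re.compile(r"\b(?:pkill|killall|kill)\b[^\n]*\b(?:wget|curl|gdb|tcpdump|wireshark)\b", re.I),
}


def find_renamed_binaries(listing):
    """listing maps a bin directory to its file names. Reports expected
    tools that are missing and mixed-case six-letter names, the pattern
    left behind when RondoDox renames a tool to a random string."""
    present, findings = set(), []
    for directory in BIN_DIRS:
        for name in listing.get(directory, []):
            present.add(name)
            if RANDOM_NAME.match(name):
                findings.append(f"suspicious name {directory}/{name}")
    for tool in sorted(EXPECTED_TOOLS - present):
        findings.append(f"expected tool missing: {tool}")
    return findings


def find_c2_connections(netstat_lines):
    """Parses `netstat -antp`-style lines and returns the connections
    whose remote address is the RondoDox C2, with the owning process."""
    hits = []
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        remote_ip, _, remote_port = fields[4].rpartition(":")
        if remote_ip == RONDODOX_C2:
            proc = fields[-1] if "/" in fields[-1] else "?"
            hits.append(f"{remote_ip}:{remote_port} by {proc}")
    return hits


def find_dropped_files(regular_files):
    """regular_files: paths of regular files (e.g. from `find -type f`).
    Returns those living in the writable directories the malware uses."""
    prefixes = tuple(d + "/" for d in WRITABLE_DIRS)
    return [p for p in regular_files if p.startswith(prefixes)]


def find_evasion_in_script(script_text):
    """Returns the evasion techniques a dropped shell script uses."""
    return [label for label, rx in EVASION_PATTERNS.items() if rx.search(script_text)]


def triage(snapshot):
    """snapshot has keys 'bins', 'netstat', 'files', 'scripts'.
    Returns the findings per check plus a verdict: a C2 connection is
    conclusive on its own; renamed binaries together with dropped files
    are treated as conclusive too."""
    findings = {
        "renamed_binaries": find_renamed_binaries(snapshot["bins"]),
        "c2_connections": find_c2_connections(snapshot["netstat"]),
        "dropped_files": find_dropped_files(snapshot["files"]),
        "script_evasion": sorted({t for s in snapshot["scripts"] for t in find_evasion_in_script(s)}),
    }
    conclusive = findings["c2_connections"] or (findings["renamed_binaries"] and findings["dropped_files"])
    findings["verdict"] = "compromised" if conclusive else "no RondoDox indicators"
    return findings


# Constructed snapshot of an infected DVR (not captured from a real device).
SAMPLE_SNAPSHOT = {
    "bins": {"/usr/sbin": ["jsuJpf", "telnetd", "httpd"], "/usr/bin": ["wget", "curl", "busybox"]},
    "netstat": [
        "tcp 0 0 192.168.1.20:44122 83.150.218.93:443 ESTABLISHED 1337/jsuJpf",
        "tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 412/httpd",
        "udp 0 0 0.0.0.0:68 0.0.0.0:* 201/udhcpc",
    ],
    "files": ["/var/tmp/x", "/data/local/tmp/r.sh", "/etc/passwd"],
    "scripts": ["#!/bin/sh\ntrap '' INT QUIT TERM\nkillall -9 wget curl gdb\nhistory -c\nunset HISTFILE\n"],
}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_SNAPSHOT).items():
        print(f"{key}: {value}")
```

The rename check is deliberately paired with the missing-tool check: a mixed-case six-letter name alone is only a hint, but a random name appearing in `/usr/sbin` while `iptables` has vanished is the specific trace the IoC list describes. The C2 check should be fed from the network side as well (firewall or IDS logs), since a process that ignores `SIGTERM` and kills `tcpdump` can make host-side capture unreliable.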
## References
- Vendor advisories for TBK DVR-4104, DVR-4216, Four-Faith F3x24, and F3x36 firmware updates.
- Relevant Links (Defanged):
- hxxps://www.fortinet.com/blog/threat-research/rondobox-unveiled-breaking-down-a-botnet-threat
- hxxps://thehackernews.com/2024/12/15000-four-faith-routers-exposed-to-new.html