Researchers have discovered a botnet campaign that is exploiting several vulnerabilities, including a zero-day vulnerability (CVE-2024-7029) in AVTECH closed-circuit television (CCTV) cameras that could allow for remote code execution.
CVE-2024-7029 has been known for five years but has only been assigned a CVE now, showing the importance of monitoring even unassigned vulnerabilities.
CVE-2024-7029 Flaw In AVTECH Cameras
CVE-2024-7029 is a command injection vulnerability in the brightness function of AVTECH IP camera devices. This vulnerability allows an attacker to inject malicious code and execute it on a target system with elevated privileges. The botnet campaign spreads a Mirai variant with string names referencing the COVID-19 pandemic that began in 2020.
CISA said in its advisory that the vulnerability is easily exploited, classifying it as ‘Exploitable remotely/low attack complexity/public exploits are available/known public exploitation.’
While the vulnerability was first observed in March 2024, analysis suggests that the threat actor has been active since December 2023. The proof of concept (PoC) for CVE-2024-7029 has been publicly available since 2019, but it did not receive a formal CVE assignment until August 2024. The researchers cite the campaign as an example of the weight of monitoring and reporting on threats, even if they have no formal CVE assignment, as an important precautionary measure.
However, Akamai researchers clarified that the botnet campaign is not limited to just CVE-2024-7029, but also targets several other vulnerabilities, including several other AVTECH vulnerabilities, a Hadoop YARN RCE, CVE-2014-8361, and CVE-2017-17215.
The tactic of using older, unpatched vulnerabilities remains a concerning but effective focus for botnet operators.
Widespread Impact
The CVE-2024-7029 vulnerability in AVTECH IP cameras affects up to and including AVM1203 firmware versions FullImg-1023-1007-1011-1009. The AVTECH CCTV devices affected by CVE-2024-7029 are still widely used, even though the models in question were discontinued years ago.
These devices are found in various industries, including transportation authorities and other critical infrastructure entities.
CISA recommends that users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
- Minimize the exposure of control system devices and/or systems to the network. Ensure they are not directly accessible from the internet, as this can increase the risk of unauthorized access.
- Isolate the control system networks and remote devices by placing them behind firewalls. This helps to segregate them from the business networks, reducing the potential attack surface.
- When remote access is necessary, use more secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have their own vulnerabilities, so it is important to keep them updated to the most current version available.
The exploitation of the CVE-2024-7029 Avtech vulnerability shows that vulnerabilities even without a formal CVE assignment may still pose a threat to your organization. There are many vulnerabilities with public exploits or available PoCs that lack formal CVE assignment, and, in some cases, the devices remain unpatched.
If there is no way to remediate a threat, decommissioning the hardware and software is the recommended way to mitigate security risks and lower the risk of regulatory fines.
