Security researchers have identified a new wave of attacks where threat actors are exploiting vulnerabilities in digital video recorders and outdated routers to enlist devices into a botnet for distributed denial of service (DDoS) attacks. The campaign, detailed by Fortinet FortiGuard Labs and Palo Alto Networks Unit 42, leverages a known flaw in TBK DVR devices and targets end-of-life TP-Link Wi-Fi routers.
Exploiting a Medium Severity Flaw
The primary attack vector against TBK DVR devices exploits a specific security vulnerability tracked as CVE-2024-3721. This is a command injection flaw with a Common Vulnerability Scoring System (CVSS) score of 6.3, which is classified as medium severity. The vulnerability allows attackers to execute arbitrary commands on the affected devices by sending specially crafted network requests.
By exploiting this weakness, attackers can gain control over the DVRs. Once compromised, these devices are loaded with a variant of the Mirai malware, a well-known piece of malicious software designed to turn networked devices into bots. These bots can then be remotely commanded to launch large-scale DDoS attacks against targeted online services, overwhelming them with traffic.
Targeting Out of Support Hardware
In parallel, the threat actors are targeting Wi-Fi routers from TP-Link that have reached their end of life (EoL). Manufacturers typically cease providing security updates and support for EoL products, leaving them vulnerable to known exploits that will never be patched. This makes such devices low-hanging fruit for botnet herders seeking to expand their networks with minimal resistance.
The combination of attacking a specific DVR model with a known vulnerability and broadly targeting unsupported routers demonstrates a strategic approach to building a robust and sizable botnet. The use of a Mirai variant indicates the attackers’ goal is primarily focused on DDoS capabilities, a common purpose for this family of malware.
Implications for Device Security
This campaign highlights the persistent risk posed by the Internet of Things (IoT) and networked consumer devices. Many such products are shipped with insecure default configurations, lack regular firmware update mechanisms, or are abandoned by manufacturers, creating a vast attack surface. DVRs and routers are particularly attractive targets because they are always connected to the internet and often have significant processing power suitable for generating attack traffic.
For users and organizations, the findings underscore the critical importance of basic cyber hygiene. This includes changing default passwords, disabling remote management features when not needed, and, most importantly, replacing hardware that is no longer receiving security updates from the vendor.
Ongoing Response and Future Outlook
Security firms continue to monitor the activity of this botnet, which has been dubbed “Nexcorium” by researchers. They are analyzing its command and control infrastructure and propagation methods to develop detection signatures and mitigation strategies. Network administrators are advised to review their infrastructure for the affected TBK DVR models and any EoL TP-Link routers, taking them offline if they cannot be secured.
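The hygiene steps above and the administrator review recommended here can be turned into a repeatable triage over an asset inventory. The following is an added example, not code from the article or from either research team; the Device schema, the hostnames and the inventory entries are constructed for illustration, and the only vulnerability identifier used is the CVE named in the article.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    """Constructed inventory record (hypothetical schema, not a vendor format)."""
    hostname: str
    vendor: str
    product: str              # e.g. "DVR" or "router"
    vendor_supported: bool    # False once the vendor has declared end-of-life
    unpatched_cves: tuple     # CVE ids known to affect the running firmware
    default_credentials: bool # still using the factory username/password
    remote_mgmt_exposed: bool # management interface reachable from the internet

def triage(dev: Device) -> list:
    """Ordered remediation actions for one device, most urgent first."""
    actions = []
    if not dev.vendor_supported:
        # No fix will ever ship for EoL hardware: take it off the network and replace it.
        actions += ["isolate", "replace"]
    elif dev.unpatched_cves:
        # Supported but running known-vulnerable firmware: patch, or isolate until patched.
        actions.append("patch:" + ",".join(dev.unpatched_cves))
    if dev.remote_mgmt_exposed:
        actions.append("disable-remote-management")
    if dev.default_credentials:
        actions.append("change-default-password")
    return actions

def triage_inventory(devices) -> dict:
    """Map hostname -> actions, keeping only devices that need work."""
    result = {}
    for dev in devices:
        actions = triage(dev)
        if actions:
            result[dev.hostname] = actions
    return result

# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Device("dvr-lobby", "TBK", "DVR", True, ("CVE-2024-3721",), True, True),
    Device("rtr-branch-3", "TP-Link", "router", False, (), False, True),
    Device("rtr-hq", "TP-Link", "router", True, (), False, False),
]

if __name__ == "__main__":
    for host, actions in triage_inventory(SAMPLE_INVENTORY).items():
        print(host, "->", ", ".join(actions))
```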
Looking ahead, similar exploitation cycles are expected to continue as attackers systematically scan the internet for devices vulnerable to publicly disclosed flaws. The lifecycle of this particular campaign will depend on the effectiveness of takedown efforts against its controllers and the rate at which vulnerable devices are either patched or disconnected from the global network. The incident serves as another reminder of the long tail of vulnerability that exists for internet-connected devices long after their commercial life ends.
Source: Fortinet FortiGuard Labs, Palo Alto Networks Unit 42