Multiple DVR device models from South Korean manufacturer Hitron Systems are plagued by vulnerabilities that are actively exploited by the InfectedSlurs botnet, Akamai reports.
Based on the Mirai source code, InfectedSlurs ensnares vulnerable devices in a botnet capable of launching distributed denial-of-service (DDoS) attacks. Previously, it was seen targeting zero-day flaws in FXC routers and QNAP NVR devices.
After exposing the InfectedSlurs botnet’s activities in November 2023, Akamai has observed the botnet targeting Hitron DVRs for infection, and discovered a total of six vulnerabilities being exploited as zero-days.
Tracked as CVE-2024-22768 through CVE-2024-22772, and CVE-2024-23842, the security defects are described as improper input validation issues that allow an attacker to inject OS commands and achieve remote code execution (RCE).
The attacks rely on a POST request to the device management interface to deliver the malicious payload using default credentials.
Each of these flaws has a CVSS score of 7.4 and, according to the US cybersecurity agency CISA, each could allow “an attacker to cause a denial-of-service condition when using default admin name and password”.
Impacted devices include Hitron DVR HVR-4781, DVR HVR-8781, DVR HVR-16781, DVR LGUVR-4H, DVR LGUVR-8H, and DVR LGUVR-16H, when running firmware versions 1.02 through 4.02. Hitron released firmware version 4.03 to patch all vulnerabilities.
Akamai urges organizations and end users to update to the latest firmware releases as soon as possible and recommends changing default login credentials immediately, monitoring network traffic and logs, maintaining an inventory of connected devices, and always applying security updates in a timely fashion.
Additionally, CISA recommends locating these devices behind firewalls, isolating them from business networks, ensuring they are not accessible from the internet, and using secure remote access methods, such as VPNs, to manage them.
“Addressing the security issues identified in the Hitron systems and associated devices requires a multifaceted approach, combining user awareness, prompt patching, proactive monitoring, and collaboration within the cybersecurity community,” Akamai notes.
KISA (Korea Internet & Security Agency) has issued an alert on these vulnerabilities along with individual advisories for each of them.
Related: Mirai Variant IZ1H9 Adds 13 Exploits to Arsenal
Related: Multiple DDoS Botnets Exploiting Recent Zyxel Vulnerability
Related: CISA Says Critical Zyxel NAS Vulnerability Exploited in Attacks