A Mirai botnet variant named Murdoc, discovered by Qualys threat researchers, has been actively targeting AVTECH cameras and Huawei HG532 routers in a mass campaign since at least July 2024. It exploits two known vulnerabilities to gain remote code execution (RCE) and deploy malware on compromised devices:
- CVE-2024-7029, an unpatchable command injection vulnerability affecting end-of-life AVTECH IP cameras. This CVE has also been targeted by the Corona Mirai variant, which we reported on last year (https://censys.com/cve-2024-7029/).
- CVE-2017-17215, an arbitrary command execution vulnerability in Huawei HG532 routers
Current Observations:
As of January 22, Censys scans reveal 221 Murdoc-infected hosts, concentrated in Indonesia, the United States, and Taiwan. Other sources report over 1,300 infections, but these figures are likely an overestimation: they include “truncated” hosts and pseudoservices that respond on more than 100 open ports, behavior which exceeds reasonable standards and is likely not reflective of genuine hosts.
93 of these show indications of being Mirai command-and-control (C2) servers that target other vulnerable devices to further distribute the malware.
A compromised AVTECH camera acting as a Mirai C2
Censys Search query for Murdoc-infected hosts: services.http.response.body:"murdoc_botnet"
Censys Search query for Murdoc (Mirai) C2s: services.http.response.body:"murdoc_botnet" and services.http.response.body:"$(echo -ne"
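To show how the two queries above and the over-counting caveat from the observations section translate into local triage logic, here is an added example (not Censys code) that applies the same two body markers to constructed Censys-style host records and discards hosts answering on more than 100 open ports before counting. The record shape, the sample IPs (documentation range) and the response bodies are all constructed for illustration.

```python
"""Local triage of Censys-style host records for Murdoc indicators."""
from collections import Counter

INFECTED_MARKER = "murdoc_botnet"  # services.http.response.body:"murdoc_botnet"
C2_MARKER = "$(echo -ne"           # second marker in the C2 query
MAX_GENUINE_PORTS = 100            # hosts above this are treated as pseudoservices

# Constructed sample records (not real Censys output): each host lists the
# number of open ports and the HTTP response bodies seen across its services.
SAMPLE_HOSTS = [
    {"ip": "192.0.2.10", "country": "Indonesia", "open_ports": 3,
     "http_bodies": ["<html>murdoc_botnet</html>"]},
    {"ip": "192.0.2.11", "country": "United States", "open_ports": 4,
     "http_bodies": ["murdoc_botnet", "$(echo -ne \\x7f\\x45"]},
    {"ip": "192.0.2.12", "country": "Taiwan", "open_ports": 150,
     "http_bodies": ["murdoc_botnet"]},           # pseudoservice: excluded
    {"ip": "192.0.2.13", "country": "Indonesia", "open_ports": 2,
     "http_bodies": ["<html>camera login</html>"]},  # clean device
]


def is_infected(host):
    """Host-level equivalent of the infected-host query."""
    return any(INFECTED_MARKER in b for b in host["http_bodies"])


def is_c2(host):
    """Host-level equivalent of the C2 query: both markers present on the
    host, not necessarily in the same service body (no same_service())."""
    bodies = host["http_bodies"]
    return any(INFECTED_MARKER in b for b in bodies) and any(C2_MARKER in b for b in bodies)


def is_genuine(host):
    """Apply the post's caveat: too many open ports means not a real device."""
    return host["open_ports"] <= MAX_GENUINE_PORTS


def triage(hosts):
    """Return counts of infected hosts, C2s, excluded pseudoservices, and
    infected hosts per country, mirroring the figures reported in the post."""
    genuine = [h for h in hosts if is_genuine(h)]
    infected = [h for h in genuine if is_infected(h)]
    return {
        "infected": len(infected),
        "c2": sum(1 for h in infected if is_c2(h)),
        "excluded_pseudoservices": sum(1 for h in hosts if is_infected(h) and not is_genuine(h)),
        "by_country": dict(Counter(h["country"] for h in infected)),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_HOSTS))
```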
GreyNoise sensors have been picking up exploit attempts on both CVEs targeted by Murdoc, including 17 distinct malicious IPs targeting the AVTECH camera vulnerability and a whopping 37,796 malicious IPs targeting the Huawei HG532 router vulnerability.
Malicious activity targeting CVE-2017-17215 in the last 10 days peaked on January 16, according to GreyNoise data
There are still over 36,182 exposed AVTECH cameras on the internet. While not all are necessarily vulnerable to CVE-2024-7029, these devices are discontinued, no longer receive security updates, and should not be exposed to the public internet.
What can be done?
It’s critical for organizations and individuals to secure these devices immediately, either by isolating them from external networks or replacing them with supported hardware.