Mirai Variant Nexcorium Exploits TBK DVR Flaw (CVE-2024-3721) to Power Large-Scale DDoS Botnet
What Happened – A new Mirai-derived malware family, Nexcorium, is leveraging the command-injection vulnerability CVE-2024-3721 in TBK DVR devices (and end-of-life TP-Link routers) to infect IoT devices and conscript them into a distributed denial-of-service (DDoS) botnet.
Why It Matters for TPRM –
- Unpatched IoT assets in a supplier’s environment can become launch pads for DDoS attacks that impact your services.
- The vulnerability is publicly known; threat actors can readily exploit any similar unpatched devices you rely on.
- Botnet activity can trigger downstream supply‑chain disruptions and reputational damage.
Who Is Affected –
- IoT hardware vendors (TBK DVRs, TP-Link routers)
- Enterprises that integrate such devices into their networks (retail, manufacturing, telecom, smart-building operators)
Recommended Actions –
- Inventory all third‑party IoT devices and verify firmware versions.
- Patch TBK DVRs to remediate CVE-2024-3721 or replace unsupported units.
- Segment IoT networks and enforce strict outbound traffic controls.
- Monitor for abnormal outbound traffic patterns indicative of botnet activity.
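As an added example (not from the SecurityAffairs report), the egress check below runs over constructed flow-log lines and flags IoT-segment hosts that either reach destinations outside a small allowlist or fan out to many distinct external hosts, the pattern a DDoS or scanning bot produces. It assumes the IoT VLAN is 10.20.0.0/24 and that its devices should only contact an NTP server and a vendor update host; adjust both to your own segmentation.

```python
"""Flag IoT-segment hosts whose outbound flows look like botnet activity.
Added example, not from the report. Assumptions: the IoT VLAN is
10.20.0.0/24, its devices may only reach an NTP and a vendor update host,
and a host opening flows to many distinct external hosts in a short
window (DDoS or scanning fan-out) is treated as suspicious."""
import ipaddress
from collections import defaultdict

IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")          # assumed IoT VLAN
ALLOWED_DESTS = {"10.0.0.5": {123}, "10.0.0.9": {443}}       # assumed NTP, vendor update
FANOUT_THRESHOLD = 5                                        # distinct external dsts per host

# Constructed flow records: "epoch,src_ip,dst_ip,dst_port,bytes"
SAMPLE_FLOWS = """\
1700000000,10.20.0.11,10.0.0.5,123,76
1700000001,10.20.0.11,10.0.0.9,443,5120
1700000002,10.20.0.23,203.0.113.4,80,60
1700000002,10.20.0.23,203.0.113.5,80,60
1700000003,10.20.0.23,203.0.113.6,80,60
1700000003,10.20.0.23,203.0.113.7,80,60
1700000004,10.20.0.23,203.0.113.8,80,60
1700000004,10.20.0.23,203.0.113.9,80,60
1700000005,10.20.0.42,198.51.100.7,23,120
"""

def parse_flows(text):
    """Yield (src, dst, port) tuples for flows originating in the IoT segment."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port, _bytes = line.split(",")
        if ipaddress.ip_address(src) in IOT_SEGMENT:
            yield src, dst, int(port)

def find_suspicious(text):
    """Return {src_ip: [reasons]} for IoT hosts violating egress expectations."""
    dests = defaultdict(set)
    findings = defaultdict(list)
    for src, dst, port in parse_flows(text):
        if port not in ALLOWED_DESTS.get(dst, set()):
            findings[src].append(f"egress to non-allowlisted {dst}:{port}")
        dests[src].add(dst)
    for src, targets in dests.items():
        if len(targets) >= FANOUT_THRESHOLD:
            findings[src].insert(0, f"fan-out to {len(targets)} distinct hosts")
    return dict(findings)

if __name__ == "__main__":
    for host, reasons in find_suspicious(SAMPLE_FLOWS).items():
        print(host, "->", "; ".join(reasons))
```

Feed it exported NetFlow or firewall logs in the same five-field shape; the allowlist doubles as the egress policy you should be enforcing at the segment boundary.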
Technical Notes –
- Attack vector: exploitation of CVE-2024-3721 (command injection) to deliver a downloader that installs a multi-architecture Mirai variant.
- The malware uses an XOR-encoded configuration and hard-coded credential lists, and includes additional exploits (e.g., CVE-2017-17215 for Huawei devices).
- Primary impact: large-scale DDoS attacks against targeted services.
Source: SecurityAffairs