Akamai’s Security Incident Response Team (SIRT) has detected increased activity targeting a rarely used TCP port in its global honeypots.
The investigation conducted in late October 2023 revealed a specific HTTP exploitation path, identifying two zero-day exploits actively exploited in the wild.
The first exploit targeted network video recorders (NVRs) used in video surveillance and security camera devices, while the second targeted plug-based wireless LAN routers for hotels and residential applications.
Further analysis revealed that the NVR devices were using default administrative credentials that the manufacturer itself documents. The NVR vendor is working on a patch scheduled for release in December 2023. The router vendor is also planning a release for the affected model and is withholding details until the patch is ready.
Akamai’s SIRT identified the campaign as originating from a cluster of Mirai botnet activity, primarily using an old variant of the JenX Mirai malware. Notably, the command-and-control (C2) areas displayed offensive language and racial epithets. Malware samples associated with the campaign showed similarities to the original Mirai botnet.
Researchers shared indicators of compromise (IoCs), including Snort and YARA rules, SHA-256 hashes of malware samples, and C2 domains. SIRT is working with CISA/US-CERT and JPCERT to notify affected providers.
Mitigation recommendations include checking and changing default credentials on Internet of Things (IoT) devices, isolating vulnerable devices, and implementing DDoS security controls.
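As an added example of how a defender would put the published indicators to use (this is not code from Akamai's post), the script below hashes files against a SHA-256 IoC set and checks DNS query logs for lookups of the C2 domains. The hashes, domains, and log lines are constructed placeholders, since the advisory's actual values are not reproduced here; the log format assumed is a BIND-style query line.

```python
import hashlib
import re
from pathlib import Path

# Constructed placeholder IoCs: replace with the SHA-256 hashes and C2 domains
# from the Akamai SIRT advisory. Neither set below is real.
IOC_SHA256 = {
    "0" * 64,  # placeholder hash 1
    "a" * 64,  # placeholder hash 2
}
IOC_C2_DOMAINS = {
    "c2-placeholder-1.example",
    "c2-placeholder-2.example",
}

# Constructed BIND-style query log lines (not real traffic).
SAMPLE_DNS_LOG = [
    "10-Nov-2023 03:14:07.001 client 192.0.2.10#51432: query: updates.example.net IN A + (192.0.2.1)",
    "10-Nov-2023 03:14:09.412 client 192.0.2.44#40211: query: c2-placeholder-1.example IN A + (192.0.2.1)",
    "10-Nov-2023 03:14:11.870 client 192.0.2.44#40212: query: www.C2-PLACEHOLDER-2.example IN A + (192.0.2.1)",
]


def sha256_of_bytes(data):
    """SHA-256 hex digest of an in-memory sample."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    """SHA-256 hex digest of a file, read in 1 MiB chunks so large files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_files(paths, ioc_hashes=IOC_SHA256):
    """Return the paths whose SHA-256 digest appears in the IoC hash set."""
    hits = []
    for p in paths:
        p = Path(p)
        if p.is_file() and sha256_of_file(p) in ioc_hashes:
            hits.append(str(p))
    return hits


def domain_matches(hostname, ioc_domains=IOC_C2_DOMAINS):
    """True if hostname equals an IoC domain or is a subdomain of one.

    Comparison is case-insensitive and ignores a trailing dot, and a plain
    suffix match is avoided so that 'notc2-placeholder-1.example' does not hit.
    """
    hostname = hostname.lower().rstrip(".")
    for d in ioc_domains:
        if hostname == d or hostname.endswith("." + d):
            return True
    return False


# Pulls the queried name out of a BIND-style "query: <qname> IN A ..." line.
DNS_LINE = re.compile(r"query:\s+(?P<qname>[A-Za-z0-9.\-]+)")


def scan_dns_log(lines, ioc_domains=IOC_C2_DOMAINS):
    """Return (line_number, qname) for every query that resolves an IoC domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = DNS_LINE.search(line)
        if m and domain_matches(m.group("qname"), ioc_domains):
            hits.append((n, m.group("qname").lower().rstrip(".")))
    return hits


if __name__ == "__main__":
    for lineno, qname in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"line {lineno}: C2 domain lookup for {qname}")
    for path in sweep_files(Path(".").glob("*")):
        print(f"hash match: {path}")
```

Hash matching only catches the exact samples that were published, so the DNS check is the more durable of the two signals: a rebuilt binary changes its hash but usually keeps talking to the same C2 infrastructure until the operator rotates it.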
“Threats like botnets and ransomware rely on default passwords that are often widely known and easily accessible to spread,” the report reads. “The harder it is for a threat to move, the less chance there is of unauthorized access and potential security breaches.”
Akamai’s blog post concludes by highlighting the importance of honeypots in cybersecurity and the need for organizations to stay informed of emerging threats. SIRT plans to publish a follow-up blog post with additional details once providers and CERTs complete the responsible disclosure process.