Akamai's Security Intelligence and Response Team (SIRT) has identified a new botnet campaign exploiting multiple vulnerabilities, including a zero-day vulnerability, CVE-2024-7029, discovered by Aline Eliovich. This command injection vulnerability exists in the brightness function of AVTECH IP camera devices, allowing for remote code execution (RCE). The botnet spreads a Mirai variant with strings referencing the COVID-19 virus, leveraging this vulnerability to infect systems.

• CVE-2024-7029: This vulnerability affects AVTECH IP camera models with firmware versions up to AVM1203 FullImg-1023-1007-1011-1009. The flaw allows attackers to inject commands through the "brightness" parameter in the device's web interface, leading to remote code execution.
• Exploitation: The botnet campaign not only exploits CVE-2024-7029 but also targets older, unpatched vulnerabilities, such as a Hadoop YARN RCE, CVE-2014-8361, and CVE-2017-17215. These vulnerabilities, though older, remain effective due to their widespread use in unpatched systems.
• Spread of Mirai Variant: The attack chain involves exploiting the identified vulnerabilities to download and execute a variant of the Mirai botnet. This variant, known as Corona Mirai, connects to command-and-control servers and spreads across networks, particularly through Telnet on ports 23, 2323, and 37215.
• Affected Devices: The vulnerability primarily impacts AVTECH IP camera models, specifically those running the AVM1203 firmware versions mentioned above. Despite these models being discontinued, they are still in use in critical infrastructure, including transportation authorities

Affected Models:

• AVTECH IP Cameras: Specifically models running up to AVM1203 firmware versions FullImg-1023-1007-1011-1009.