CVE-2024-3721
Published: 2024-04-13
Priority: P1 81 · medium · 6.3 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 86.49% (99.7th percentile)
A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing of the file /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___. The manipulation of the argument mdb/mdc leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-260573 was assigned to this vulnerability.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | git_server_plugin | — | — |
| jenkins | script_security_plugin | — | — |
| jenkins | subversion_partial_release_manager_plugin | — | — |
| jenkins | telegram_bot_plugin | — | — |
| tbk | dvr-4104 | — | — |
| tbk | dvr-4216 | — | — |
Detection & IOCs (extracted from sources)
RC4 key: 6e7976666525a97639777d2d7f303177
- Detect CVE-2024-3721 exploitation attempts by monitoring for POST requests to the path /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___ with mdb/mdc parameters containing shell commands.
- Flag the misspelled User-Agent string 'Mozila/5.0' (single 'l') in HTTP requests, which is a distinctive indicator of this exploit campaign.
- Detect the Mirai variant's anti-VM behavior: the malware enumerates /proc/<PID>/cmdline looking for 'VMware' or 'QEMU-arm' strings to check if it is running in a virtual environment.
- Kaspersky detects the implant under the signatures HEUR:Backdoor.Linux.Mirai and HEUR:Backdoor.Linux.Gafgyt.
- The Nexcorium botnet campaign (reported by FortiGuard Labs) uses HTTP response headers containing 'X-Hacked-By: Nexus Team - Exploited By Erratic' as a campaign marker.
- The vulnerability affects TBK DVR-4104 and DVR-4216 devices but has also been re-branded under multiple vendor names; patch availability is uncertain across all brands.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| ghsa | — | 4.3 | MEDIUM | — |
| vulncheck | — | 6.3 | MEDIUM | — |
GHSA
Jenkins Subversion Partial Release Manager Plugin programmatically disables the fix for CVE-2016-3721
ghsa·2024-05-02·CVSS 4.3
CVE-2024-34148 [MEDIUM] CWE-1321 Jenkins Subversion Partial Release Manager Plugin programmatically disables the fix for CVE-2016-3721
Jenkins Subversion Partial Release Manager Plugin programmatically disables the fix for CVE-2016-3721
Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier programmatically sets the Java system property `hudson.model.ParametersAction.keepUndefinedParameters` whenever a build is triggered from a release tag with the 'Svn-Partial Release Manager' SCM. Doing so disables the fix for [SECURITY-170](https://www.jenkins.io/security/advisory/2016-05-11/#arbitrary-build-parameters-are-passed-to-build-scripts-as-environment-variables) / CVE-2016-3721.
As of publication of this advisory, there is no fix.
GHSA
GHSA-795f-8w3g-5h2q: A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical
ghsa_unreviewed·2024-04-13
CVE-2024-3721 [MEDIUM] CWE-78 GHSA-795f-8w3g-5h2q: A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical
A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing of the file /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___. The manipulation of the argument mdb/mdc leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-260573 was assigned to this vulnerability.
VulnCheck
TBK DVR Command Injection Vulnerability
vulncheck·2024·CVSS 6.3
CVE-2024-3721 [MEDIUM] TBK DVR Command Injection Vulnerability
TBK DVR Command Injection Vulnerability
A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing of the file /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___. The manipulation of the argument mdb/mdc leads to os command injection. The attack may be initiated remotely.
Affected: TBK TBK DVR
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-04-21&host_type=src&vulnerability=cve-2024-3721; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-04-22&host_type=src&vulner
Suricata
ET WEB_SPECIFIC_APPS TBK DVR-4104/4216 Command Injection Attempt (CVE-2024-3721)
suricata·2025-03-26·CVSS 6.3
CVE-2024-3721 [MEDIUM] ET WEB_SPECIFIC_APPS TBK DVR-4104/4216 Command Injection Attempt (CVE-2024-3721)
ET WEB_SPECIFIC_APPS TBK DVR-4104/4216 Command Injection Attempt (CVE-2024-3721)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS TBK DVR-4104/4216 Command Injection Attempt (CVE-2024-3721)"; flow:established,to_server; http.uri; content:"/device.rsp|3f|opt|3d|sys|26|cmd|3d 5f 5f 5f|S|5f|O|5f|S|5f|T|5f|R|5f|E|5f|A|5f|MAX|5f 5f 5f|"; startswith; fast_pattern; content:"mdb|3d|"; within:20; content:"mdc|3d|"; within:20; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:cve,2024-3721; reference:url,github.com/netsecfish/tbk_dvr_command_injection; classtype:attempted-admin; sid:2061111; rev:1; metadata:affected_product DVR, attack_target IoT, tls_state plaintext, created_at 2025_03_26, cve CVE_2024_3721, deployment
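The detection notes and the Suricata rule above, expressed as a small log-checking function (an added example, not code from this page, Emerging Threats or any cited vendor): it mirrors the rule's checks (endpoint prefix, both mdb= and mdc= present, shell metacharacter in the argument value, raw or URL-encoded), adds the misspelled User-Agent and the X-Hacked-By response marker, and generalises slightly by inspecting both mdb and mdc values. The tab-separated log format and its lines are constructed for the demo.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Values taken from the CVE description, the detection notes and the Suricata rule on this page.
TBK_URI_PREFIX = "/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___"
# Shell metacharacters the rule's pcre accepts raw or URL-encoded (; newline ` | $).
# parse_qs() decodes %3B, %0A, %60, %7C and %24 before this regex sees the value.
SHELL_META = re.compile(r"[;\n`|$]")
MISSPELLED_UA = "Mozila/5.0"
CAMPAIGN_MARKER = ("x-hacked-by", "Nexus Team - Exploited By Erratic")


def request_indicators(uri, headers):
    """Return the indicator names matched by one HTTP request, in a fixed order.

    uri is the raw request target (path + query); headers is a dict of request headers.
    """
    found = []
    if uri.startswith(TBK_URI_PREFIX):
        found.append("tbk_dvr_endpoint")
        params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
        # The Suricata rule requires both mdb= and mdc= and then tests the mdc value;
        # here any mdb or mdc value carrying a metacharacter is flagged.
        if "mdb" in params and "mdc" in params:
            if any(SHELL_META.search(v) for v in params["mdb"] + params["mdc"]):
                found.append("cmd_injection_metachar")
    lowered = {k.lower(): v for k, v in headers.items()}
    if MISSPELLED_UA in lowered.get("user-agent", ""):
        found.append("misspelled_user_agent")
    return found


def response_indicators(headers):
    """Return indicator names matched by an HTTP response's headers (case-insensitive names)."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    name, value = CAMPAIGN_MARKER
    return ["nexcorium_campaign_marker"] if lowered.get(name) == value else []


# Constructed sample access log (not from the page): METHOD<TAB>URI<TAB>User-Agent.
# Line 2 carries a harmless URL-encoded ';' in mdc plus the misspelled UA, line 3 hits the
# same endpoint without metacharacters, line 4 has a raw '|' in mdc.
SAMPLE_LOG = (
    "GET\t/index.html\tMozilla/5.0\n"
    "POST\t/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=x%3Becho%20probe\tMozila/5.0\n"
    "GET\t/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=channel1\tMozilla/5.0\n"
    "POST\t/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=a|b\tcurl/8.0\n"
)


def scan_log(text):
    """Return [(line_number, method, indicators)] for every line matching at least one indicator."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        method, uri, user_agent = line.split("\t")
        found = request_indicators(uri, {"User-Agent": user_agent})
        if found:
            hits.append((number, method, found))
    return hits


if __name__ == "__main__":
    for number, method, found in scan_log(SAMPLE_LOG):
        print(f"line {number}: {method} -> {', '.join(found)}")
```

A hit on "tbk_dvr_endpoint" alone is worth logging from an internet-facing DVR even without metacharacters, since the endpoint is the one the public PoC and the botnets target.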
No public exploits indexed.
Recorded Future
April 2026 CVE Landscape
blogs_recorded_future·2026-05-15·CVSS 9.8
CVE-2026-33032 [CRITICAL] April 2026 CVE Landscape
## April 2026 CVE Landscape
In April 2026, Insikt Group® identified 37 high-impact vulnerabilities that should be prioritized for remediation, 35 of which had a Very Critical Recorded Future Risk Score. This represents a 19% increase from last month.
31 of the 37 were included in the US Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) catalog, and six were surfaced only through honeypot data. Those six CVEs associated with honeypots are available only to Recorded Future customers.
Those 37 vulnerabilities affected products from 23 vendors. Microsoft accounted for approximately 22%, while the remaining exposure was concentrated across a range of enterprise-facing vendors, particularly security and systems management tools, collaboration and
Hackernews
Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet
blogs_hackernews·2026-04-18·CVSS 6.3
CVE-2024-3721 [MEDIUM] Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet
## Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet
Threat actors are exploiting security flaws in TBK DVR and end‑of‑life (EoL) TP-Link Wi-Fi routers to deploy Mirai botnet variants on compromised devices, according to findings from Fortinet FortiGuard Labs and Palo Alto Networks Unit 42.
The attack targeting TBK DVR devices has been found to exploit CVE-2024-3721 (CVSS score: 6.3), a medium-severity command injection vulnerability affecting TBK DVR-4104 and DVR-4216 digital video recording devices, to deliver a Mirai variant called Nexcorium.
"IoT devices are increasingly prime targets for
abuse.ch
ThreatFox Malware Profile: Mirai
abuse_ch·2026-03-20·CVSS 6.3
[MEDIUM] ThreatFox Malware Profile: Mirai
Malware Family: Mirai
Aliases: Katana
Internal name: elf.mirai
ThreatFox has tracked 997 indicators of compromise for this malware family.
Activity observed from 2021-09-30 to 2026-03-20.
Threat categories: botnet command-and-control server (850 IOCs); payload delivery infrastructure (109 IOCs); malicious payload (38 IOCs)
Indicator types: IP address and port (603); domain name (336); MD5 file hash (29); URL (20); SHA-256 file hash (9)
Associated tags: Mirai (353), mirai (261), c2 (117), Kimwolf (46), botnet (38), 28December2025 (24), None (22), CVE-2024-3721 (17), 7November2025 (14), 7February2026 (13)
References (142 total):
- https://app.any.run/tasks/3c8cf20a-1ad6-4d00-9018-c20ce3597c8e
- https://bazaar.abuse.ch/sample/034c7081b8cf3ffbc762dfb50934e009938e68912f8bf83c69af5181247f6514
abuse.ch
Mirai - botnet command-and-control server (IP address and port)
abuse_ch·2025-12-11·CVSS 6.3
CVE-2024-3721 [MEDIUM] Mirai - botnet command-and-control server (IP address and port)
ThreatFox IOC: Mirai botnet command-and-control server
Indicator Type: IP address and port
Tags: CVE-2024-3721
Aliases: Katana
Reference: https://cydome.io/broadside-a-new-variant-of-the-mirai-botnet-targeting-maritime/
Confidence: 75%
Fortinet
ShadowV2 Casts a Shadow Over IoT Devices | FortiGuard Lab
blogs_fortinet·2025-11-26
Inside the Latest Mirai Variant Targeting IoT Devices Worldwide
By Vincent Li | November 26, 2025
Affected Platforms: DD-WRT 24 sp1, D-Link DNS-320 FW v2.06B01 Revision Ax, D-Link Go-RT-AC750 GORTAC750_revA_v101b03, D-Link GO-RT-AC750_revB_FWv200b02, Digiever DS-2105 Pro 3.1.0.71-11, TBK DVR-4104, TBK DVR-4216, D-Link DNS-320, D-Link DNS-320LW, D-Link DNS-325, D-Link DNS-340L, TP-Link Archer router series
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High
At the end of October, during a global disr
Bleepingcomputer
New ShadowV2 botnet malware used AWS outage as a test opportunity
blogs_bleepingcomputer·2025-11-26·CVSS 8.3
[HIGH] New ShadowV2 botnet malware used AWS outage as a test opportunity
## New ShadowV2 botnet malware used AWS outage as a test opportunity
By Bill Toulas
A new Mirai-based botnet malware named ‘ShadowV2’ has been observed targeting IoT devices from D-Link, TP-Link, and other vendors with exploits for known vulnerabilities.
Fortinet’s FortiGuard Labs researchers spotted the activity during the major AWS outage in October. Although the two incidents are not connected, the botnet was active only for the duration of the outage, which may indicate that it was a test run.
ShadowV2 spread by leveraging at least eight vulnerabilities in multiple IoT products:
- DD-WRT (CVE-2009-2765)
- D-Link (CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915)
- DigiEver (CVE-2023-52163)
- TBK (CVE-2024-3721)
- TP-Link (CVE-2024-53375)
Among these flaws, CVE-2024-10914
Qualys
Inside the Surge of PHP and IoT Exploits with Qualys TRU | Qualys
blogs_qualys·2025-10-30·CVSS 10.0
CVE-2022-22947 [CRITICAL] Inside the Surge of PHP and IoT Exploits with Qualys TRU | Qualys
#### Table of Contents
- PHP Servers Are the Top Target for Vulnerabilities and Misconfigurations
- PHP Exploitation Trends and Noteworthy CVEs
- The Dangers of Exposed Secrets and Credentials
- IOT Devices Remain a Weak Link in Security
- MVPower DVR Shell Unauthenticated Command Execution
- Cloud Vulnerabilities: CVE-2022-22947
- Threat Actors Exploit Cloud Resources for Reconnaissance
- 5 Best Practices to Reduce Exploitation Risk
- Building Resilience with Integrated Security
Attack automation is accelerating, widening the window between detection and response. Qualys TRU telemetry reveals how these attacks unfold and what defenders can do next.
The Qualys Threat Research Unit (TRU) has identified a sharp increase in attacks targeting PHP servers, IoT devices, and cloud gateways, pr
Qualys
What Security Teams Need to Know as PHP and IoT Exploits Surge
blogs_qualys·2025-10-30·CVSS 10.0
CVE-2022-22947 [CRITICAL] What Security Teams Need to Know as PHP and IoT Exploits Surge
## Table of Contents
- PHP Servers Are the Top Target for Vulnerabilities and Misconfigurations
- PHP Exploitation Trends and Noteworthy CVEs
- The Dangers of Exposed Secrets and Credentials
- IOT Devices Remain a Weak Link in Security
- MVPower DVR Shell Unauthenticated Command Execution
- Cloud Vulnerabilities: CVE-2022-22947
- Threat Actors Exploit Cloud Resources for Reconnaissance
- 5 Best Practices to Reduce Exploitation Risk
- Building Resilience with Integrated Security
Attack automation is accelerating, widening the window between detection and response. Qualys TRU telemetry reveals how these attacks unfold and what defenders can do next.
The Qualys Threat Research Unit (TRU) has identified a sharp increase in attacks targeting PHP servers, IoT devices, and cloud gateways, primarily driv
Checkpoint
13th October – Threat Intelligence Report
blogs_checkpoint·2025-10-13
CVE-2023-1389 13th October – Threat Intelligence Report
## 13th October – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 13th October, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Qilin ransomware group has claimed responsibility for targeting Asahi, Japan’s largest brewing company, that had been hacked on September 29th. The attack resulted in the exfiltration of over 9,300 files totaling 27GB of sensitive data, including financial documents, employee IDs, contracts, and internal reports. The at
Trendmicro
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
blogs_trendmicro·2025-10-09·CVSS 8.8
[HIGH] RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
Cyber Threats
## RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
Trend™ Research and ZDI Threat Hunters have identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first seen in Pwn2Own contests.
By: Deep Patel, Ashish Verma, Simon Dulude, Peter Girnus | Oct 09, 2025
Trend customers can be reassured that they have been protected against vulnerabilities like CVE-2023-1389 since it was disclosed at Pwn2Own.
Below is the timeline showing key events in the RondoDox vulnerability, from discovery to exploitation:
December 6, 2022: Tri Dang and Bien Pham (@bienpnn) from Qrious Secure exploit the WAN interface of TP-Link AX1800 at Pwn2Own Toronto 2022.
Januar
Bleepingcomputer
RondoDox botnet targets 56 n-day flaws in worldwide attacks
blogs_bleepingcomputer·2025-10-09·CVSS 8.8
[HIGH] RondoDox botnet targets 56 n-day flaws in worldwide attacks
## RondoDox botnet targets 56 n-day flaws in worldwide attacks
By Bill Toulas
A new large-scale botnet called RondoDox is targeting 56 vulnerabilities in more than 30 distinct devices, including flaws first disclosed during Pwn2Own hacking competitions.
The attacker focuses on a wide range of exposed devices, including DVRs, NVRs, CCTV systems, and web servers, and has been active since June.
The RondoDox botnet leverages what Trend Micro researchers call an “exploit shotgun” strategy, where numerous exploits are used simultaneously to maximize the infections, even if the activity is very noisy.
Since FortiGuard Labs discovered RondoDox, the botnet appears to have expanded the list of exploited vulnerabilities, which included CVE-2024-3721 and CVE-2024-12856.
## Mass n-day exploitat
Securelist
ThrottleStop driver abused to terminate AV processes
blogs_securelist·2025-08-06
ThrottleStop driver abused to terminate AV processes
Table of Contents
- Introduction
- Incident overview
- The AV killer analysis
- YARA rule
- Victims
- Attribution
- Conclusion and recommendations
- Tactics, techniques and procedures
- Indicators of compromise
Authors
- Cristian Souza
- Ashley Muñoz
- Eduardo Ovalle
- Francesco Figurelli
- Anderson Leite
## Introduction
In a recent incident response case in Brazil, we spotted intriguing new antivirus (AV) killer software that has been circulating in the wild since at least October 2024. This malicious artifact abuses the `ThrottleStop.sys` driver, delivered together with the malware, to terminate numerous antivirus processes and lower the system’s defenses as part of a technique known as BYOVD (Bring Your Own Vulnerable Driver). AV killers that rely on various vulnerable drivers are
Fortinet
RondoDox Unveiled: Breaking Down a New Botnet Threat | FortiGuard Labs
blogs_fortinet·2025-07-03·CVSS 7.2
[HIGH] RondoDox Unveiled: Breaking Down a New Botnet Threat | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
RondoDox Unveiled: Breaking Down a New Botnet Threat
A new botnet built for evasion and disruption
Vulnerability Details
Downloader Analysis
RondoDox Analysis
Conclusion
Fortinet Protections
IOCs
By Vincent Li | July 03, 2025
Affected Platforms: TBK DVR-4104. TBK DVR-4216. Four-Faith router models F3x24. Four-Faith router models F3x36.
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High
Over the past month, FortiGuard Labs has observed a significant increase in scanning activity, including a new botnet campaign that exploits two high-risk vulnerabilities: CVE-2024-3721 and CVE-2024-12856. Both have been publicly disclosed and are actively being targeted, posing serious risks to device se
Bleepingcomputer
New Mirai botnet infect TBK DVR devices via command injection flaw
blogs_bleepingcomputer·2025-06-08·CVSS 6.3
CVE-2024-3721 [MEDIUM] New Mirai botnet infect TBK DVR devices via command injection flaw
## New Mirai botnet infect TBK DVR devices via command injection flaw
By Bill Toulas
Kaspersky now reports having caught active exploitation of CVE-2024-3721 in its Linux honeypots from a new Mirai botnet variant using netsecfish's PoC.
The attackers leverage the exploit to drop an ARM32 malware binary, which establishes communication with the command and control (C2) server to enlist the device to the botnet swarm. From there, the device is likely used to conduct distributed denial of service (DDoS) attacks, proxy malicious traffic, and other behavior.
## Attack impact and fixes
Although netsecfish reported last year that there were approximately 114,000 internet-exposed DVRs vulnerable to CVE-2024-3721, Kaspersky's scans show approximately 50,000 exposed devices, which is still sign
Securelist
New Mirai botnet campaign targets DVR devices
blogs_securelist·2025-06-06·CVSS 6.3
CVE-2024-3721 [MEDIUM] New Mirai botnet campaign targets DVR devices
Table of Contents
- Exploitation
- Malware implant – Mirai variant
- Infection statistics
- Conclusion
- Indicators of compromise
Authors
- Anderson Leite
The abuse of known security flaws to deploy bots on vulnerable systems is a widely recognized problem. Many automated bots constantly search the web for known vulnerabilities in servers and devices connected to the internet, especially those running popular services. These bots often carry Remote Code Execution (RCE) exploits targeting HTTP services, allowing attackers to embed Linux commands within GET or POST requests.
We recently observed the use of CVE-2024-3721 in attempts to deploy a bot in one of our honeypot services. This bot variant turned out to be part of the infamous Mirai botnet, targeting DVR-based monitoring systems
Securelist
Analysis of the latest Mirai wave exploiting TBK DVR devices with CVE-2024-3721
blogs_securelist·2025-06-06·CVSS 6.3
[MEDIUM] Analysis of the latest Mirai wave exploiting TBK DVR devices with CVE-2024-3721
Table of Contents
- Exploitation
- Malware implant – Mirai variant
- Data decryption
- Anti-VM and anti-emulation
- Infection statistics
- Conclusion
- Indicators of compromise
Authors
- Anderson Leite
The abuse of known security flaws to deploy bots on vulnerable systems is a widely recognized problem. Many automated bots constantly search the web for known vulnerabilities in servers and devices connected to the internet, especially those running popular services. These bots often carry Remote Code Execution (RCE) exploits targeting HTTP services, allowing attackers to embed Linux commands within GET or POST requests.
We recently observed the use of CVE-2024-3721 in attempts to deploy a bot in one of our honeypot services. This bot variant turned out to be part of the infamous Mirai botnet, t
Securelist
XZ backdoor behavior inside OpenSSH
blogs_securelist·2024-06-24
XZ backdoor behavior inside OpenSSH
Table of Contents
- Key findings
- Detailed analysis
- ED448-encrypted public key extraction – x86-based steganography
- Payload decryption and signature check
- Payload signature check
- Backdoor commands
- Log hiding capabilities
- Conclusion
Authors
- Anderson Leite
- Sergey Belov
Part 1: XZ backdoor story – Initial analysis
Part 2: Assessing the Y, and How, of the XZ Utils incident (social engineering)
Part 3: XZ backdoor. Hook analysis
In our first article on the XZ backdoor, we analyzed its code from initial infection to the function hooking it performs. As we mentioned then, its initial goal was to successfully hook one of the functions related to RSA key manipulation. In this article, we will focus on the backdoor’s behavior inside OpenSSH, specifically OpenSSH portable ver
Securelist
Analysis of DinodasRAT Linux implant
blogs_securelist·2024-03-28
Analysis of DinodasRAT Linux implant
Table of Contents
- Initial infection overview
- Victim ID generation and persistence
- C2 Communication
- Encryption
- Infrastructure
- Victims
- Conclusion
- Indicators of compromise
Authors
- Anderson Leite
- Lisandro Ubiedo
DinodasRAT, also known as XDealer, is a multi-platform backdoor written in C++ that offers a range of capabilities. This RAT allows the malicious actor to surveil and harvest sensitive data from a target’s computer. A Windows version of this RAT was used in attacks against government entities in Guyana, and documented by ESET researchers as Operation Jacana.
In early October 2023, after the ESET publication, we discovered a new Linux version of DinodasRAT. Sample artifacts suggest that this version (V10 according to the attackers’ versioning system) may have s
Greynoiseio
NoiseLetter April 2024
blogs_greynoiseio
NoiseLetter April 2024
arXiv
TORCHLIGHT: Shedding LIGHT on Real-World Attacks on Cloudless IoT Devices Concealed within the Tor Network
arxiv_fulltext·2025-01-28
TORCHLIGHT: Shedding LIGHT on Real-World Attacks on Cloudless IoT Devices Concealed within the Tor Network
Yumingzhi Pan, Zhen Ling (corresponding author, Southeast University, China), Yue Zhang, Hongze Wang, Guangchi Liu, Junzhou Luo, Xinwen Fu
Affiliations: Southeast University; Drexel University; University of Massachusetts Lowell
## Abstract
The rapidly expanding Internet of Things (IoT) landscape is shifting toward cloudless architectures, removing reliance on centralized cloud services but exposing devices directly to the internet and increasing their vulnerability to cyberattacks. Our research revealed an unexpected pattern of substantial Tor net