The Akamai Security Incident Response Team (SIRT) has detected increased activity targeting a rarely used TCP port across its global honeypots.
The investigation conducted in late October 2023 revealed a specific HTTP exploit path, identifying two zero-day exploits being actively leveraged in the wild.
The first exploit targeted network video recorders (NVRs) used in CCTV and security camera devices, while the second affected outlet-based wireless LAN routers for hotels and residential applications.
Further analysis found that the NVR devices used default administrative credentials, commonly documented by the manufacturer. The vendor is working on a fix scheduled for release in December 2023. The router vendor is also planning a release for the affected model, withholding details until the patch is ready.
The Akamai SIRT identified the campaign as originating from a Mirai botnet activity cluster, primarily using the older JenX Mirai malware variant. Notably, the command-and-control (C2) domains displayed offensive language and racial epithets. The malware samples associated with the campaign showed similarities with the original Mirai botnet.
The researchers shared indicators of compromise, including Snort and YARA rules, SHA256SUMs of malware samples and C2 domains. The SIRT is collaborating with CISA/US-CERT and JPCERT to notify impacted vendors.
Mitigation recommendations include checking and changing default credentials on Internet of Things (IoT) devices, isolating vulnerable devices and implementing DDoS security controls.
“Threats such as botnets and ransomware rely on default passwords that are often widely known and easily accessible for propagation,” reads the advisory. “The more difficult it is for a threat to move around, the less chance there is of unauthorized access and potential security breaches.”
The Akamai blog post concludes by emphasizing the importance of honeypots in cybersecurity and the need for organizations to stay informed about emerging threats. The SIRT plans to publish a follow-up blog post with additional details once vendors and CERTs complete the responsible disclosure process.