Apr 17, 2026 • FortiGuard Labs Threat Research
Tracking Mirai Variant Nexcorium: A Vulnerability-Driven IoT Botnet Campaign
Executive Summary
A new IoT botnet campaign utilizing a Mirai variant identified as Nexcorium is actively targeting TBK DVRs. This campaign leverages multiple infection vectors, including the exploitation of CVE-2024-3721 and the reuse of CVE-2017-17215, alongside brute-force attacks to establish persistence. Once compromised, devices are enlisted into a multi-architecture botnet capable of launching distributed denial-of-service (DDoS) attacks. The evolution of this threat highlights the persistent risk posed by unpatched IoT devices within critical infrastructure and enterprise networks. The impact includes potential service disruption via DDoS and unauthorized device control. Mitigation strategies require immediate patching of affected DVR firmware, disabling unused services, and implementing strong authentication mechanisms to prevent brute-force access. Network segmentation is also recommended to limit lateral movement and command-and-control communication. Security teams should monitor for suspicious outbound traffic patterns associated with Mirai-style botnets to detect infections early.
Summary
Nexcorium targets TBK DVRs, combining exploitation, persistence, brute-force attacks, and multi-architecture Mirai-style DDoS in a single campaign. From CVE-2024-3721 exploitation to CVE-2017-17215 reuse, this botnet demonstrates how quickly IoT threats continue to evolve.
Linked Entities
- Mirai
- Nexcorium
- CVE-2017-17215
- CVE-2024-3721