The cybersecurity landscape has once again been disrupted by the resurgence of the notorious Mirai botnet, which has been actively exploiting command injection vulnerabilities in discontinued GeoVision Internet of Things (IoT) devices. The vulnerabilities allow unauthenticated remote attackers to inject and execute arbitrary system commands on targeted systems, providing a gateway for malware propagation. The scope of this threat is particularly concerning because it affects numerous discontinued GeoVision IoT devices that will not receive security updates or patches.

Despite having been known for nearly a year, the technical details of these security flaws remained largely undisclosed until now, with sparse public information and no public records of active exploitation. This lack of transparency may have contributed to the vulnerabilities remaining unpatched on numerous deployed devices, creating fertile ground for attackers. After thorough investigation, the researchers attributed the attacks to a Mirai-based malware variant called LZRD, which has been observed targeting multiple vulnerabilities beyond the GeoVision devices, including previously reported DigiEver vulnerabilities.

The infection process begins when attackers send specially crafted HTTP requests to vulnerable GeoVision devices targeting the /DateSetting.cgi endpoint. The exploit injects malicious commands into the szSrvlpAddr parameter, which fails to properly filter user input. Upon successful exploitation, the injected commands download and execute an ARM-based Mirai malware file named "boatnet," a common name used in Mirai variants. The malware contains numerous attack functions consistent with other Mirai variants, including UDP and TCP flood capabilities. Further analysis revealed a hard-coded command and control (C2) IP address (198.23.212.246) embedded in the sym.resolve_cnc_addr() function, providing a direct line of communication between infected devices and the attackers' infrastructure.

The situation exemplifies a persistent problem in the IoT industry: older, unsupported devices remain deployed in production environments, creating an expanding attack surface for threat actors. Organizations utilizing these devices now face the difficult decision of either accepting the risk or decommissioning functional hardware due to security concerns. To protect against these threats, organizations should identify and replace vulnerable GeoVision devices, implement network segmentation to isolate IoT devices, and deploy intrusion detection systems to monitor for suspicious traffic patterns associated with the identified command and control infrastructure.
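As an added illustration of the monitoring the article recommends (this is example code, not part of the original report), the following checks an access log for two indicators the article names: requests to /DateSetting.cgi whose szSrvlpAddr value is anything other than a plain hostname or IPv4 literal, and any connection involving the reported C2 address. The log format and all sample lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Indicators taken from the article.
C2_IP = "198.23.212.246"
TARGET_PATH = "/DateSetting.cgi"
TARGET_PARAM = "szSrvlpAddr"
# A legitimate server address is a hostname or IPv4 literal; shell
# metacharacters (; | & ` $ etc.) have no business in this field.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9.-]{0,253}$")

# Constructed proxy/IDS log, one request per line:
# "<client_ip> <method> <url_with_query> <destination_ip>"
SAMPLE_LOG = """\
10.0.0.5 POST /DateSetting.cgi?szSrvlpAddr=pool.ntp.org 10.0.0.20
203.0.113.7 POST /DateSetting.cgi?szSrvlpAddr=192.0.2.1%3Bid 10.0.0.20
10.0.0.5 GET /index.html 10.0.0.20
10.0.0.20 GET /boatnet 198.23.212.246
"""

def suspicious_param(url):
    """Return the decoded szSrvlpAddr value when it is not a plain host/IP,
    or None if the URL is not the vulnerable endpoint or the value is clean."""
    parts = urlsplit(url)
    if parts.path != TARGET_PATH:
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get(TARGET_PARAM, []):
        value = unquote(raw)  # parse_qs already decoded once; catch double encoding
        if not SAFE_VALUE.match(value):
            return value
    return None

def scan(log_text):
    """Return (line_no, alert_type, source, detail) tuples for each indicator hit."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        client, _method, url, dest = line.split()
        bad = suspicious_param(url)
        if bad is not None:
            alerts.append((lineno, "cmd-injection-attempt", client, bad))
        # Either direction matters: an infected device calling home, or the
        # C2 host reaching in.
        if C2_IP in (client, dest):
            alerts.append((lineno, "c2-contact", client, dest))
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```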
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 07 May 2025 08:49:59 +0000