Code Defence Cyber security

Nexcorium botnet scales operations by weaponizing legacy TP-Link and TBK exploits

A new iteration of the Mirai botnet is aggressively targeting internet-connected video recording devices and SOHO routers to build a massive DDoS infrastructure. This campaign focuses on unpatched legacy hardware to bypass modern endpoint security measures.

The Nexcorium botnet targets TP-Link routers and TBK DVR devices by exploiting known vulnerabilities such as CVE-2023-33538 and legacy command injection flaws in TBK hardware. Once infected, the devices are used to conduct high-volume DDoS attacks against industrial control systems and cloud service providers. This variant uses a novel obfuscation technique to hide its command-and-control traffic within encrypted blockchain-based communication channels.

Adversaries prioritize unmanaged IoT and edge devices because they lack the telemetry and automated patching cycles of enterprise endpoints. By compromising these devices at scale, threat actors can generate massive network-layer traffic that is difficult for traditional DDoS mitigation services to distinguish from legitimate requests.

– Identify and decommission all end-of-life TP-Link and TBK devices from remote worker environments and satellite offices.

– Change default administrative credentials on all IoT and networking hardware to complex, unique passwords.

– Implement strict ingress filtering to prevent unauthenticated access to the management interfaces of edge devices.

– Monitor for anomalous outbound traffic spikes originating from SOHO hardware and DVR systems.
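The last recommendation, monitoring for outbound traffic spikes from SOHO routers and DVRs, as an added example that is not code from the original post: a per-host baseline check over hourly flow summaries that raises an alert only when outbound volume jumps far above the host's own history and the destination fan-out looks like volumetric DDoS participation. The flow records, IP addresses, device classes and thresholds are constructed assumptions.

```python
"""Flag SOHO/DVR hosts whose outbound traffic deviates sharply from their own baseline."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry (not from the article). Each record is
# (hour_bucket, source_ip, device_class, bytes_out, distinct_destinations).
# The DVR at 10.0.5.20 is quiet for six hours, then starts spraying traffic
# at thousands of destinations; the router at 10.0.5.21 stays normal.
FLOWS = [
    (h, "10.0.5.20", "dvr", 2_000_000, 3) for h in range(6)
] + [
    (6, "10.0.5.20", "dvr", 900_000_000, 4120),
    (7, "10.0.5.20", "dvr", 1_100_000_000, 5300),
] + [
    (h, "10.0.5.21", "soho-router", 50_000_000 + h * 1_000_000, 40) for h in range(8)
]


def detect_outbound_spikes(flows, baseline_hours=6, z_threshold=4.0, min_fanout=1000):
    """Return alerts for hosts whose outbound bytes exceed baseline mean + z * stdev
    AND whose destination fan-out is at least min_fanout in the same hour."""
    by_host = defaultdict(list)
    for hour, src, dev_class, bytes_out, fanout in sorted(flows):
        by_host[(src, dev_class)].append((hour, bytes_out, fanout))

    alerts = []
    for (src, dev_class), records in by_host.items():
        baseline = [b for _, b, _ in records[:baseline_hours]]
        if len(baseline) < baseline_hours:
            continue  # not enough history to baseline this host yet
        mu, sigma = mean(baseline), pstdev(baseline)
        # A flat baseline has zero variance; use 10% of the mean as a floor so a
        # tiny jump on an idle device does not become an infinite z-score.
        spread = max(sigma, 0.1 * mu)
        for hour, bytes_out, fanout in records[baseline_hours:]:
            z = (bytes_out - mu) / spread
            if z > z_threshold and fanout >= min_fanout:
                alerts.append({"host": src, "class": dev_class, "hour": hour,
                               "z": round(z, 1), "fanout": fanout})
    return alerts


if __name__ == "__main__":
    for alert in detect_outbound_spikes(FLOWS):
        print(alert)
```

Feeding real NetFlow/IPFIX summaries into the same shape lets the check run per device class, so a DVR's baseline is never compared against a router's.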

The security of the enterprise perimeter is only as strong as the most neglected IoT device connected to the corporate network. #CodeDefence #Botnet #IoT #DDoS