Ethical Hacking News
A surge in exploitation attempts targeting vulnerable TVT NVMS9000 digital video recorders (DVRs) points to the emergence of a new Mirai botnet, leaving many devices at risk of being incorporated into the botnet to carry out malicious cyber-attacks. The attacks, linked to an information disclosure vulnerability, have already resulted in significant disruption and damage, highlighting the importance of immediate action to secure devices. Upgrading firmware, restricting public internet access, and monitoring for signs of infection are all recommended steps to prevent Mirai infections on DVRs.
Over 2,500 unique IP addresses were involved in Mirai botnet attacks on TVT NVMS9000 DVRs, peaking on April 3, 2025. A vulnerability in the TVT NVMS9000 device allows attackers to retrieve admin credentials in cleartext, enabling authentication bypass and remote execution of commands. The Mirai botnet is adapting and leveraging TVT NVMS9000 DVRs to launch more sophisticated cyber-attacks, including DDoS, cryptomining, and proxying malicious traffic. A significant portion of attacks originate from Taiwan, Japan, and South Korea, with most targeted devices in the U.S., U.K., and Germany. Users are advised to upgrade to firmware version 1.3.4 or later to fix the flaw, and block incoming requests from affected IP addresses if upgrading is impossible.
The cybersecurity landscape is constantly evolving, with new threats and vulnerabilities emerging at an alarming rate. In recent days, a surge in exploitation attempts targeting vulnerable TVT NVMS9000 digital video recorders (DVRs) has been detected, pointing to the emergence of a new Mirai botnet. According to data from threat monitoring platform GreyNoise, over 2,500 unique IP addresses were involved in the attacks, peaking on April 3, 2025.
The attacks appear to be linked to an information disclosure vulnerability first disclosed in an SSD Advisory in May 2024. This vulnerability allows attackers to use a single TCP payload to retrieve admin credentials in cleartext, resulting in an authentication bypass that enables administrative access to the device without restriction. In essence, this means that an attacker can remotely execute commands on a DVR, giving them complete control over the device.
It is worth noting that the Mirai botnet has been a persistent threat in recent years, with various iterations of the malware targeting vulnerable devices to incorporate them into its network. The current surge in attacks suggests that the Mirai botnet has adapted and is now leveraging the TVT NVMS9000 DVRs to launch more sophisticated cyber-attacks.
In addition to launching DDoS attacks or engaging in cryptomining, infected devices may also be used to proxy malicious traffic or carry out other types of malicious activity. The sheer scale of this attack, with 6,600 distinct IP addresses involved, highlights the potential for widespread disruption and damage that such a botnet could cause.
A significant portion of these attacks originate from Taiwan, Japan, and South Korea, while most of the targeted devices are based in the U.S., the U.K., and Germany. The TVT NVMS9000 DVR is a widely used device primarily employed in security and surveillance systems to record, store, and manage video footage from security cameras.
Given the potential for significant disruption and damage caused by this botnet, it is essential that users take immediate action to secure their devices. Customers are advised to upgrade to firmware version 1.3.4 or later to fix the flaw. If upgrading is impossible, public internet access to DVR ports should be restricted, and incoming requests from the IP addresses listed by GreyNoise should be blocked.
Signs of a Mirai infection on DVRs include outbound traffic spikes, sluggish performance, frequent crashes or reboots, high CPU/memory usage even when idle, and altered configurations. If any of these signs are observed, it is recommended to disconnect the DVR, perform a factory reset, update to the latest firmware, and then isolate it from the main network.
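To make the "outbound traffic spikes" sign concrete, the following is an added example, not code from GreyNoise, TVT, or the original article. It flags minutes in which a DVR's traffic to external hosts exceeds that device's own baseline or fans out to many peers. The flow records, DVR addresses, internal range, and thresholds are all constructed assumptions, and the baseline window is assumed to be clean.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Assumptions (not from the article): DVR inventory, internal range, thresholds.
DVRS = {"10.0.5.20", "10.0.5.21"}
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]

def build_sample():
    """Constructed flow records: (minute, src_ip, dst_ip, bytes)."""
    flows = []
    for minute in range(30):  # normal: one small heartbeat per DVR per minute
        flows.append((minute, "10.0.5.20", "198.51.100.10", 4000 + 50 * (minute % 3)))
        flows.append((minute, "10.0.5.21", "198.51.100.10", 3800 + 40 * (minute % 4)))
    for minute in range(25, 30):  # constructed anomaly: high-volume fan-out
        for host in range(1, 41):
            flows.append((minute, "10.0.5.20", f"203.0.113.{host}", 60000))
    return flows

def outbound_per_minute(flows, dvrs, internal):
    """Per DVR and minute: [bytes sent to external hosts, set of external peers]."""
    stats = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for minute, src, dst, nbytes in flows:
        dst_ip = ipaddress.ip_address(dst)
        if src in dvrs and not any(dst_ip in net for net in internal):
            cell = stats[src][minute]
            cell[0] += nbytes
            cell[1].add(dst)
    return stats

def find_spikes(flows, dvrs, internal, baseline_minutes=20, k=6.0, max_peers=5):
    """Flag minutes where a DVR exceeds its own baseline (median + k*MAD) or peer count."""
    alerts = []
    for dvr, per_min in outbound_per_minute(flows, dvrs, internal).items():
        minutes = sorted(per_min)
        if len(minutes) <= baseline_minutes:
            continue  # not enough history to judge this device
        base = [per_min[m][0] for m in minutes[:baseline_minutes]]
        med = median(base)
        mad = median(abs(b - med) for b in base) or 1  # flat baseline: keep a nonzero width
        limit = med + k * mad
        for m in minutes[baseline_minutes:]:
            nbytes, peers = per_min[m]
            if nbytes > limit or len(peers) > max_peers:
                alerts.append((dvr, m, nbytes, len(peers)))
    return alerts

if __name__ == "__main__":
    for dvr, minute, nbytes, peers in find_spikes(build_sample(), DVRS, INTERNAL):
        print(f"ALERT {dvr} minute={minute} outbound_bytes={nbytes} external_peers={peers}")
```

In practice the tuples would come from NetFlow, firewall, or router logs, and a device that is already infected during the baseline window will not stand out, so the peer-count check matters as much as the volume check.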
The last firmware release for the NVMS9000 was in 2018, leaving its ongoing support status uncertain. It remains unclear whether devices are still supported by TVT Digital Technology Co., Ltd.
In light of this emerging threat, it is crucial that users remain vigilant and proactive in protecting their devices and data from malicious activity.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Mirai-Botnet-Unleashed-A-Threat-Emerges-from-Vulnerable-TVT-DVRs-ehn.shtml
https://www.bleepingcomputer.com/news/security/new-mirai-botnet-behind-surge-in-tvt-dvr-exploitation/
Published: Tue Apr 8 11:27:35 2025 by llama3.2 3B Q4_K_M