Mirai Malware Targets Unpatched TBK DVRs in Global Botnet Campaign
CVE-2024-3721

A newly emerged variant of the infamous Mirai malware botnet is actively exploiting a command injection vulnerability in TBK DVR-4104 and DVR-4216 devices. This vulnerability, tracked as CVE-2024-3721, enables attackers to gain unauthorized control over the compromised digital video recorders (DVRs), potentially enlisting them into powerful botnets used for cyberattacks.
This development raises serious concerns for both individual users and organizations relying on these devices for surveillance and security. The attack has real-world implications, with tens of thousands of devices already exposed and infected, and many more potentially vulnerable.
Understanding CVE-2024-3721: The Core of the Exploit
The vulnerability at the center of this botnet campaign is a command injection flaw in the web interface of TBK DVR devices. Attackers exploit it with a specially crafted POST request that manipulates parameters such as mdb and mdc to achieve remote shell command execution.
This vulnerability allows hackers to bypass authentication and inject commands directly into the system, leading to full compromise of the device. Once infected, these DVRs can be used for various malicious purposes including DDoS attacks, data exfiltration, traffic proxying, and lateral movement within networks.
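To illustrate the detection side of what is described above, here is an added example (not code from the original article, the vendor, or the malware) that parses a captured HTTP request and flags POST bodies whose mdb or mdc fields carry shell metacharacters. The CGI path, hostname and sample bodies are constructed placeholders; the real request format is not reproduced here.

```python
import re
from urllib.parse import parse_qsl

# Form parameters the article names as the injection vector in the TBK DVR web interface.
SUSPECT_PARAMS = {"mdb", "mdc"}
# Shell metacharacters and substitution syntax that a legitimate DVR form value never needs.
SHELL_META = re.compile(r"[;|&`<>\n]|\$\(|\$\{")


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def inspect_request(raw):
    """Return [(param, decoded_value), ...] for mdb/mdc values containing shell syntax.

    Checked regardless of any session cookie, since the article notes the flaw
    bypasses authentication.
    """
    method, _path, headers, body = parse_http_request(raw)
    if method != "POST":
        return []
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return []
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name in SUSPECT_PARAMS and SHELL_META.search(value):
            findings.append((name, value))
    return findings


# Constructed sample traffic (not real captures); /cgi-placeholder is a stand-in path.
BENIGN = ("POST /cgi-placeholder HTTP/1.1\r\nHost: dvr.example\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          "mdb=test&mdc=1")
SUSPICIOUS = ("POST /cgi-placeholder HTTP/1.1\r\nHost: dvr.example\r\n"
              "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              "mdb=test&mdc=%3Bid")


def scan(samples):
    """Run inspect_request over a {label: raw_request} mapping."""
    return {label: inspect_request(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, hits in scan({"benign": BENIGN, "suspicious": SUSPICIOUS}).items():
        print(label, hits)
```

Feed it requests captured by a reverse proxy or IDS in front of the DVR; a non-empty result is a reason to isolate the device and check it for the ARM32 dropper described below.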
The exploit was originally published as a proof-of-concept (PoC) in April 2024, and active attacks began just days after its release, showcasing how quickly threat actors incorporate public vulnerabilities into their arsenals.
Infection and Payload Delivery
Once the TBK DVR is compromised, the malware drops a malicious ARM32 binary that immediately initiates contact with a command-and-control (C2) server. From there, the infected device becomes part of the botnet swarm, capable of participating in distributed attacks and other coordinated cyber threats.
This particular Mirai variant has been observed performing environment checks to ensure the system is compatible with its payload. After confirming its presence on a vulnerable device, it executes its attack routines to maintain persistence and expand the botnet’s reach.
Global Impact of the Botnet Campaign
While approximately 114,000 vulnerable devices were initially estimated to be exposed online, recent scans show that around 50,000 devices remain at risk, a significant number nonetheless. These devices are primarily located in China, India, Egypt, Ukraine, Russia, Turkey, and Brazil.
This figure might not represent the full scale of the attack, as many countries do not have active telemetry due to local restrictions on cybersecurity software, making it harder to assess the botnet’s complete footprint.
No Official Patch: A Security Time Bomb
As of now, there is no confirmed patch or firmware update available from TBK Vision, the manufacturer of the affected devices. Furthermore, these DVR models have been heavily rebranded under names like Novo, CeNova, QSee, Pulnix, Securus, Night OWL, MDVR, and others. This rebranding complicates mitigation efforts and patch deployment across all variants.
This lack of response and patching creates a dangerous situation where even non-targeted devices can be compromised simply by being internet-facing and unprotected.
A Pattern of Neglect: Similar Vulnerabilities in 2024
This is not the first vulnerability discovered in DVR and router hardware in 2024. The same security researcher who found CVE-2024-3721 also disclosed backdoor accounts and command injection flaws in several end-of-life (EoL) D-Link devices. These flaws were rapidly weaponized, once again emphasizing how critical it is for vendors to act swiftly on disclosure and for users to remain vigilant.
How WireTor Can Help You Defend Against IoT Botnets
At WireTor, we specialize in providing cutting-edge cybersecurity solutions tailored for today’s evolving threat landscape. Our services include:
🔍 Vulnerability Assessment
We detect weaknesses in your IoT and network infrastructure before attackers do. Our scans identify vulnerable firmware, open ports, and outdated software versions.
🔐 Penetration Testing
Our red team simulates real-world attacks, including IoT botnet threats, to show how hackers could exploit your systems — and how to stop them.
🌐 Network Segmentation & Hardening
We help you isolate critical systems and deploy firewall rules that prevent lateral movement of malware once a device is infected.
📡 Threat Intelligence & Monitoring
WireTor monitors the dark web, botnet C2 servers, and malware campaigns in real time to proactively alert you of threats targeting your digital assets.
🛡️ Custom Firmware & Patching Solutions
For businesses using rebranded or legacy DVRs, we offer custom patching recommendations and secure migration paths to protect against vulnerabilities like CVE-2024-3721.
Best Practices to Stay Secure
To reduce your risk of falling victim to IoT botnet malware, consider the following steps:
- Disconnect unused DVRs from the internet
- Update firmware regularly and check with resellers if rebranded devices are affected
- Change all default passwords
- Limit remote access to DVRs through firewalls and VPNs
- Monitor device logs and network traffic for signs of compromise
Need a security assessment?
👉 Contact WireTor today for a free vulnerability scan and protect your business from the next wave of IoT malware.
📞 USA: +1–332–267–8457
🌐 www.wiretor.com
About the Creator
WIRE TOR - Ethical Hacking Services
WIRE TOR is a cyber intelligence company that provides pentest and cybersecurity news about IT, web, mobile (iOS, Android), API, cloud, IoT, network, application, system, red teaming, social engineering, wireless, and source code.