Mirai Malware Spreads Via GeoVision Zero-Day Exploit

A Mirai malware botnet is leveraging a zero-day vulnerability (CVE-2024-11120) in outdated GeoVision devices to deploy malware, potentially for DDoS attacks or cryptomining. Thousands of vulnerable devices are exposed online.

    GeoVision Zero-Day Fuels Mirai Malware Outbreak

    A critical zero-day vulnerability in end-of-life GeoVision devices is being weaponized by a malicious botnet to deploy Mirai malware, posing a significant threat to thousands of systems worldwide. The vulnerability, tracked as CVE-2024-11120, was discovered by Piotr Kijewski of The Shadowserver Foundation and is rated as a critical severity (CVSS v3.1 score: 9.8) OS command injection flaw. This allows attackers to execute arbitrary commands without authentication.

    The Severity of the Mirai Malware Threat

    “Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device,” warns Taiwan’s CERT. This confirmation underscores the immediate and serious nature of the threat. The Shadowserver Foundation reports that approximately 17,000 GeoVision devices are exposed and vulnerable to this attack. The majority of these exposed devices (9,100) are located in the United States, with significant numbers also in Germany (1,600), Canada (800), Taiwan (800), Japan (350), Spain (300), and France (250).

    Affected GeoVision Devices and the Mirai Malware Variant

    The vulnerability impacts several end-of-life GeoVision models, including:

    • GV-VS12: A 2-channel H.264 video server.
    • GV-VS11: A single-channel video server.
    • GV-DSP LPR V3: A Linux-based license plate recognition system.
    • GV-LX4C V2 / GV-LX4C V3: Compact DVRs for mobile surveillance.

    Because these models are no longer supported, no security updates are forthcoming. Kijewski identified the botnet as a Mirai variant, a notorious malware family often used for DDoS attacks or cryptojacking. The Mirai malware’s ability to spread rapidly and its potential for widespread disruption make this situation particularly alarming.

    Signs of Compromise and Mitigation Strategies

    System administrators should be vigilant for signs of compromise, including:

    • Excessive device heating.
    • Slow or unresponsive devices.
    • Unexpected configuration changes.

    If any of these symptoms are observed, immediate action is crucial. The recommended steps include:

    • Performing a factory reset of the device.
    • Changing the default admin password to a strong and unique password.
    • Disabling remote access panels.
    • Placing the device behind a firewall.

    Ideally, affected devices should be replaced with supported models. If replacement is not feasible, isolating the devices on a dedicated LAN or subnet and closely monitoring their activity are essential mitigation steps. The combination of a critical zero-day vulnerability and the use of Mirai malware highlights the importance of regularly updating and securing IoT devices.
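The isolation-and-monitoring advice above (and the "unexpected behaviour" indicators listed earlier) can be turned into a concrete check. The following script is an added example written for this article, not code from GeoVision, Shadowserver or the article's author. It assumes a hypothetical camera subnet (10.50.0.0/24) whose devices should only talk to an NVR and a local NTP server, and it reads constructed flow-log lines in the form `<timestamp> <proto> <src> -> <dst>:<port>`. It flags two things a defender watching an isolated segment cares about: any connection from a camera to a destination outside the allowlist, and one camera fanning out to many hosts on the same port in a short window, which is the signature of worm-style spreading rather than normal video streaming.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional

# Hypothetical segment and allowlist, constructed for this example: the cameras
# live on their own subnet and should only reach the NVR and a local NTP server.
CAMERA_SUBNET = ipaddress.ip_network("10.50.0.0/24")
ALLOWED_DESTINATIONS = {
    ("10.10.0.5", 554),  # NVR pulls RTSP video
    ("10.10.0.5", 80),   # NVR / management web interface
    ("10.10.0.2", 123),  # local NTP server
}
SCAN_FANOUT_THRESHOLD = 10  # distinct hosts on one port ...
SCAN_WINDOW_SECONDS = 60    # ... within this many seconds looks like probing


@dataclass(frozen=True)
class Flow:
    ts: int      # epoch seconds
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed flow-log line: '<ts> <proto> <src> -> <dst>:<dport>'.

    Returns None for anything that does not match, so a malformed line is
    skipped instead of aborting the whole run.
    """
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    ts, proto, src, _, dst_port = parts
    dst, _, dport = dst_port.rpartition(":")
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return Flow(int(ts), src, dst, int(dport), proto.lower())
    except ValueError:
        return None


def analyze(lines: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return findings as (source, kind, detail) tuples, sorted for stable output.

    kind is 'unexpected_destination' for a camera flow to a host:port outside
    the allowlist, and 'scan_fanout' when one camera contacts at least
    SCAN_FANOUT_THRESHOLD distinct hosts on one port within SCAN_WINDOW_SECONDS.
    """
    unexpected: set[tuple[str, str, str]] = set()
    per_src_port: dict[tuple[str, int], list[tuple[int, str]]] = defaultdict(list)

    for line in lines:
        flow = parse_flow(line)
        if flow is None or ipaddress.ip_address(flow.src) not in CAMERA_SUBNET:
            continue  # not a camera, or not a parseable record
        if (flow.dst, flow.dport) not in ALLOWED_DESTINATIONS:
            unexpected.add((flow.src, "unexpected_destination",
                            f"{flow.dst}:{flow.dport}/{flow.proto}"))
        per_src_port[(flow.src, flow.dport)].append((flow.ts, flow.dst))

    findings = list(unexpected)
    for (src, dport), events in per_src_port.items():
        events.sort()  # by timestamp, so each window is a contiguous run
        for i, (start_ts, _) in enumerate(events):
            hosts = {dst for ts, dst in events[i:] if ts - start_ts <= SCAN_WINDOW_SECONDS}
            if len(hosts) >= SCAN_FANOUT_THRESHOLD:
                findings.append((src, "scan_fanout",
                                 f"{len(hosts)} hosts on port {dport} within {SCAN_WINDOW_SECONDS}s"))
                break  # one finding per (camera, port) is enough
    return sorted(findings)


# Constructed flow-log sample: one well-behaved camera, and one camera that reaches
# an external host and then probes a dozen addresses on the same port in half a minute.
SAMPLE_LOG = "\n".join(
    [
        "1731900000 tcp 10.50.0.10 -> 10.10.0.5:554",
        "1731900005 udp 10.50.0.10 -> 10.10.0.2:123",
        "1731900010 tcp 10.50.0.23 -> 10.10.0.5:554",
        "1731900020 tcp 10.50.0.23 -> 203.0.113.7:23",
        "this line is malformed and must be skipped",
    ]
    + [f"{1731900030 + i * 2} tcp 10.50.0.23 -> 198.51.100.{i + 1}:23" for i in range(12)]
    + ["1731900100 tcp 192.0.2.9 -> 198.51.100.1:23"]  # not on the camera subnet; ignored
)

if __name__ == "__main__":
    for src, kind, detail in analyze(SAMPLE_LOG.splitlines()):
        print(f"{src}\t{kind}\t{detail}")
```

The allowlist is the same policy the firewall or VLAN ACL should enforce; running the check over exported flow or connection logs tells you whether the enforcement is actually holding and whether a device is trying to get out. On the sample, the well-behaved camera produces no findings, while 10.50.0.23 produces one `unexpected_destination` finding per outside host plus a single `scan_fanout` finding; a real deployment would feed it from the firewall's log export and alert on any result.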

    This incident serves as a stark reminder of the ongoing threat posed by Mirai malware and the vulnerabilities of end-of-life devices. The rapid spread of this malware, coupled with the lack of vendor support for the affected GeoVision models, underscores the need for proactive security measures. Organizations and individuals using these devices must take immediate steps to mitigate the risk of infection and prevent further exploitation. The continued monitoring of the situation and the development of effective countermeasures are crucial in containing the spread of this Mirai malware outbreak.
