DigiEver Fix That IoT Thing!
Dec. 27, 2024, 2:22 p.m.
Description
In mid-November 2024, the Akamai SIRT discovered an uptick in activity targeting the URI /cgi-bin/cgi_main.cgi in our global network of honeypots. This activity appears to be part of a recent ongoing Mirai-based malware campaign dating back to at least October 2024. Further investigation into this campaign revealed a new botnet that calls itself the “Hail C*ck Botnet” that’s been active since at least September 2024. Using a Mirai malware variant that incorporates ChaCha20 and XOR decryption algorithms, it has been seen compromising vulnerable Internet of Things (IoT) devices in the wild, such as the DigiEver DVR and TP-Link devices through CVE-2023-1389.
Date
- Created: Dec. 27, 2024, 2:20 p.m.
- Published: Dec. 27, 2024, 2:20 p.m.
- Modified: Dec. 27, 2024, 2:22 p.m.
Indicators