DigiEver Fix That IoT Thing!
Dec. 27, 2024, 2:22 p.m.
Description
In mid-November 2024, the Akamai SIRT discovered an uptick in activity targeting the URI /cgi-bin/cgi_main.cgi in our global network of honeypots. This activity appears to be part of a recent ongoing Mirai-based malware campaign dating back to at least October 2024. Further investigation into this campaign revealed a new botnet that calls itself the “Hail C*ck Botnet” that’s been active since at least September 2024. Using a Mirai malware variant that incorporates ChaCha20 and XOR decryption algorithms, it has been seen compromising vulnerable Internet of Things (IoT) devices in the wild, such as the DigiEver DVR, and TP-Link devices through CVE-2023-1389.
Date
Published: Dec. 27, 2024, 2:20 p.m.
Created: Dec. 27, 2024, 2:20 p.m.
Modified: Dec. 27, 2024, 2:22 p.m.
Indicators
Attack Patterns
Mirai
TA0011
T1110
T1583.005