
Source: Hans Joachim Aubert via Alamy Stock Photo
Yet another variant of the Mirai botnet is threatening the maritime logistics sector by exploiting a critical flaw in digital recording devices used by companies on seagoing vessels. The attacks allow for remote command injection via the vulnerability, enabling attackers to establish Netlink-based process monitoring for persistence and other malicious activities.
Researchers at Cydome’s Cybersecurity Research Team identified the variant, which they’ve dubbed "Broadside," about 10 days ago while monitoring marine assets, according to a blog post published today. The attack, which they later discovered has been active for months, is targeting DVR systems via CVE-2024-3721, one of several IoT flaws being pummeled by botnets since at least October.
The flaw allows attackers to use command injection to hijack TBK DVR-4104 and DVR-4216 digital video recording devices, which are widely used in the maritime industry. This sector historically lacks a significant cybersecurity profile and thus is uniquely vulnerable to cyberattacks, as current marine assets are using exposed systems that most likely lack patches for even well-known security flaws, Shamar Dumai, head of marketing at Cydome, tells Dark Reading.
"The state of cybersecurity in most marine assets is very low," he says. "There are no cybersecurity personnel on board, and many vessels have little to no security monitoring, defenses, or patching procedures."
Not only do these vessels use legacy, unpatched systems, it's difficult to even detect when attacks occur, so they can persist under the radar for months, Dumai says. This was the case when the India-backed threat group Sidewinder targeted maritime vessels earlier this year. Moreover, it's quite easy for attacks to spread among vessels that a company manages, which increases the risk for multiple ships in a fleet, he says.
Mirai, A Botnet That Goes Beyond DDoS
Mirai is a formidable botnet that has spawned myriad variants since its source code was leaked in 2016, and it remains a significant security threat more than a decade after first appearing. The botnet, initially developed by a group of young hackers to launch distributed denial of service (DDoS) attacks against servers running the popular video game Minecraft, in its modern incarnation targets routers and Internet of Things (IoT) devices for DDoS and other types of attacks.
In the case of Broadside, the botnet extends beyond DDoS attacks by actively attempting to harvest system credential files, indicating that cyberattackers aim to escalate privileges and move laterally to turn compromised devices into a strategic foothold for malicious operations, according to Cydome.
Specifically, the variant is targeting TBK DVR devices for remote command injection via CVE-2024-3721 on the /device.rsp endpoint (HTTP POST). The attack then proceeds with high-rate UDP flooding with basic payload polymorphism, Netlink-based process monitoring for stealthy persistence, and dynamic termination and blacklisting of competing processes.
Technically, Broadside diverges from standard Mirai by utilizing Netlink kernel sockets for stealthy, event-driven process monitoring, and it also uses payload polymorphism to evade static defenses, the researchers noted.
Dead in the Water? Protecting Marine Assets From Cyberattackers
The Broadside campaign remains active, with researchers confirming command-and-control (C2) communications using a custom protocol over TCP/1026, and fallback communications over TCP/6969. At this point, "it’s hard to conclude the intention of the attack group," though Broadside is currently trending with marine assets, Dumai says.
A unique risk for marine operations when such attacks occur is that they are mainly reliant on satellite communication, which is expensive and thus in many cases is limited in bandwidth. "This means that any botnet attack can affect an entire vessel operation by exhausting bandwidth and causing exorbitant network usage costs," he explains.
Cydome published indicators of compromise (IoCs), so maritime vessel operators can identify and mitigate attacks, and enacted network threat detections in its infrastructure for maritime vessels to protect them.
Operators also can detect and mitigate attacks by reviewing the usage of an affected DVR system, verifying that systems are updated and patched, conducting vulnerability scanning, blacklisting all relevant IPs based on the provided IoCs, and making sure all security systems are updated with those IoCs, Dumai says.
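The attack chain and C2 channels described above (POST requests to the DVR's /device.rsp endpoint, UDP flooding, and callbacks over TCP/1026 with a fallback on TCP/6969) translate directly into the kind of network detections the article says operators should put in place. The following is an added example of such detection logic, written for this page; it is not Cydome's code and not taken from the article or its IoC list. The log formats, the DVR host inventory, the sample addresses (documentation ranges) and the UDP-flood threshold are all constructed assumptions; the only facts taken from the article are the /device.rsp endpoint, the HTTP POST method and the two C2 ports.

```python
"""
Added detection example; not Cydome's code and not from the article.
It scans constructed sample logs for the network behaviours the article
attributes to the Broadside campaign:
  1. HTTP POST requests to the TBK DVR /device.rsp endpoint (CVE-2024-3721 surface)
  2. Outbound TCP from DVR hosts to port 1026 (custom C2) or 6969 (fallback C2)
  3. High-rate UDP egress from a DVR host (the flooding the article describes)
Log formats, addresses, host inventory and thresholds are all assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: addresses of known DVRs, normally taken from the vessel's asset inventory.
DVR_HOSTS = {"10.20.0.15", "10.20.0.16"}

# Ports named in the article: TCP/1026 custom C2 protocol, TCP/6969 fallback.
BROADSIDE_C2_PORTS = {1026, 6969}

# Assumed threshold: this many UDP flow records from one DVR in the sample counts as a flood.
UDP_FLOOD_MIN_FLOWS = 4

# Shell metacharacters typical of command-injection payloads; only used to raise severity,
# every POST to /device.rsp is flagged regardless ('&' is left out: it separates form fields).
INJECTION_CHARS = re.compile(r"[;|`]|\$\(")


@dataclass
class Alert:
    kind: str       # detection name
    src: str        # source address
    dst: str        # destination ("dvr" for the HTTP case, "*" for the flood case)
    detail: str
    severity: str   # "medium" or "high"


# Constructed access-log format: <src_ip> <method> <path> <status> "<body>"
ACCESS_LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "(.*)"$')
# Constructed flow-log format: <src_ip>:<sport> -> <dst_ip>:<dport> <proto> <bytes>
FLOW_LOG_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) (\w+) (\d+)$")


def scan_access_log(lines):
    """Flag every POST to /device.rsp; raise severity when the body carries shell metacharacters."""
    alerts = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line.strip())
        if not m:
            continue
        src, method, path, status, body = m.groups()
        if method.upper() != "POST" or path.split("?", 1)[0] != "/device.rsp":
            continue
        severity = "high" if INJECTION_CHARS.search(body) else "medium"
        alerts.append(Alert("dvr_device_rsp_post", src, "dvr",
                            f"status={status} body={body!r}", severity))
    return alerts


def scan_flow_log(lines, dvr_hosts=DVR_HOSTS):
    """Flag DVR egress to the Broadside C2 ports and high-rate UDP egress from a DVR."""
    alerts = []
    udp_flows = Counter()
    for line in lines:
        m = FLOW_LOG_RE.match(line.strip())
        if not m:
            continue
        src, _sport, dst, dport, proto, nbytes = m.groups()
        if src not in dvr_hosts:          # only DVR-class assets are in scope here
            continue
        proto = proto.upper()
        if proto == "TCP" and int(dport) in BROADSIDE_C2_PORTS:
            alerts.append(Alert("dvr_c2_port_egress", src, f"{dst}:{dport}",
                                f"bytes={nbytes}", "high"))
        elif proto == "UDP":
            udp_flows[src] += 1
    for src, count in sorted(udp_flows.items()):
        if count >= UDP_FLOOD_MIN_FLOWS:
            alerts.append(Alert("dvr_udp_flood", src, "*", f"udp_flows={count}", "high"))
    return alerts


# Constructed sample logs (documentation-range addresses, not the published IoCs).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 POST /device.rsp 200 "opt=user;id"',
    '198.51.100.4 GET /device.rsp 200 ""',
    '10.20.0.50 POST /device.rsp 200 "opt=user"',
    '203.0.113.7 POST /login.htm 401 "user=admin"',
]
SAMPLE_FLOW_LOG = [
    "10.20.0.15:40001 -> 203.0.113.9:1026 TCP 512",
    "10.20.0.15:40002 -> 203.0.113.9:6969 TCP 128",
    "10.20.0.16:40003 -> 203.0.113.9:443 TCP 2048",
    "10.20.0.50:40004 -> 203.0.113.9:1026 TCP 64",
    "10.20.0.15:50001 -> 198.51.100.20:53 UDP 1400",
    "10.20.0.15:50002 -> 198.51.100.20:80 UDP 1400",
    "10.20.0.15:50003 -> 198.51.100.20:123 UDP 1400",
    "10.20.0.15:50004 -> 198.51.100.20:443 UDP 1400",
    "10.20.0.16:50005 -> 198.51.100.20:123 UDP 76",
]

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_ACCESS_LOG) + scan_flow_log(SAMPLE_FLOW_LOG):
        print(alert)
```

On the sample data the scanner raises two /device.rsp alerts (one high, because the body carries a `;`, one medium), two C2-port alerts for the DVR at 10.20.0.15, and one UDP-flood alert for the same host; the non-DVR host that also reaches port 1026 is deliberately ignored, which is why the DVR inventory matters. A real deployment would feed the published IoC addresses into a separate blocklist check, and the UDP rule would count flows per time window rather than per file.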
"It’s also very important to follow best practices of network segregation and to isolate critical operational systems from the rest of the network," he says. He adds, "Many attacks are simply utilizing known vulnerabilities, relying on victims to be slow in patching their systems."
About the Author
Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.