@securityonline.info
//
GreyNoise has observed a significant surge, approximately three times the typical level, in exploitation attempts targeting TVT NVMS9000 DVRs. The peak of this activity occurred on April 3, 2025, with over 2,500 unique IP addresses involved in scanning for vulnerable devices. This vulnerability is an information disclosure flaw that allows attackers to gain administrative control over affected systems, essentially bypassing authentication and executing commands without restriction. Countless prior reports have identified the TVT NVMS9000 DVR as a target for botnet recruitment, including a GreyNoise update in early March 2025.
The exploitation activity is strongly suspected to be associated with the Mirai botnet, a notorious threat known for targeting vulnerabilities in IoT devices. GreyNoise has identified sufficient overlap with Mirai to support this attribution. Manufactured by TVT Digital Technology Co., Ltd., based in Shenzhen, the NVMS9000 DVRs are used in security and surveillance systems for recording, storing, and managing video footage from security cameras. The company reports serving customers in over 120 countries.
The majority of the malicious IP addresses involved in the exploitation attempts originate from the Asia-Pacific (APAC) region, specifically Taiwan, Japan, and South Korea. However, the top target countries are the United States, United Kingdom, and Germany. Organizations using the NVMS9000 DVR or similar systems are advised to take immediate action to secure their devices. Recommended mitigations include blocking known malicious IP addresses, applying all available patches, restricting public internet access to DVR interfaces, and closely monitoring network traffic for signs of unusual scanning or exploitation attempts.
Recommended read:
References :
- The GreyNoise Blog: GreyNoise Observes 3X Surge in Exploitation Attempts Against TVT DVRs — Likely Mirai
- bsky.app: New Mirai botnet behind surge in TVT DVR exploitation
- BleepingComputer: New Mirai botnet behind surge in TVT DVR exploitation
- securityonline.info: TVT DVRs Under Siege: Massive Exploitation Attempts Expose Critical Flaw
- The DefendOps Diaries: Explore the resurgence of the Mirai botnet, its global impact, and advanced exploitation techniques targeting IoT devices.
- Cyber Security News: GreyNoise has detected a significant rise in exploitation attempts targeting TVT NVMS9000 DVRs, a line of digital video recorders primarily used in security and surveillance systems.
- www.scworld.com: Deluge of TVT DVR exploitation attempts likely due to Mirai-based botnet
- bsky.app: A significant spike in exploitation attempts targeting TVT NVMS9000 DVRs has been detected, peaking on April 3, 2025, with over 2,500 unique IPs scanning for vulnerable devices.
- cyberpress.org: Mirai Botnet Variant Targets TVT DVRs to Seize Administrative Control
Veronika Telychko@SOC Prime Blog
//
An undocumented "backdoor," which is really undocumented commands, has been discovered in the ESP32 microchip, a product of the Chinese manufacturer Espressif. This chip is a cornerstone in the Internet of Things (IoT) ecosystem, providing essential Bluetooth and Wi-Fi connectivity. It is widely used in over a billion devices as of 2023. The "backdoor," as it is referred to, could be leveraged for attacks including spoofing trusted devices, unauthorized data access, and pivoting to other devices on the network.
This discovery was made by Spanish researchers Miguel Tarascó Acuña and Antonio Vázquez Blanco from Tarlogic Security, who presented their findings at RootedCON. Their research underscores the critical need for robust security measures in IoT devices. The potential impact could be extensive, considering the chip’s widespread usage. This discovery raises concerns about the security of numerous devices and systems that rely on the ESP32 for their operations.
Recommended read:
References :
- infosec.exchange: Ok, poll for the "supply chain risk management" people! There's a backdoor in the ESP32 wifi/bluetooth chip.
- Anonymous ???????? :af:: The ubiquitous microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains an undocumented "backdoor" that could be leveraged for attacks.
- The DefendOps Diaries: Discover the ESP32 backdoor's impact on IoT security and the urgent need for robust protection measures.
- www.bleepingcomputer.com: The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains an undocumented "backdoor" that could be leveraged for attacks.
- BleepingComputer: Infosec.Exchange post about ESP32 Microchip Backdoor
- BleepingComputer: Infosec.Exchange post about ESP32 microchip with undocumented backdoor.
- Jon Greig: IOC.Exchange post about the backdoor
- TARNKAPPE.INFO: Bluetooth-Chip-Backdoor entdeckt: Über 1 Mrd. Geräte betroffen
- Rescana: Unveiling the ESP32 Bluetooth Chip Backdoor: Security Vulnerabilities and Mitigation Strategies
- BleepingComputer: The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains undocumented commands that could be leveraged for attacks.
- dragosr: Oh, is that all? A few (billion?) ESP32 devices let attackers establish persistency in local flash using an undocumented commands set accessible from an over the air pivot, and low level protocol injection and spoofing control...
- securityaffairs.com: Undocumented hidden feature found in Espressif ESP32 microchip
- BleepingComputer: The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains an undocumented "backdoor" that could be leveraged for attacks.
- Davey Winder: Identity Theft Warning—Hidden Commands In 1 Billion Bluetooth Chips
- www.techradar.com: Top Bluetooth chip security flaw could put a billion devices at risk worldwide
- Security | TechRepublic: Researchers warn these commands could be exploited to manipulate memory, impersonate devices, and bypass security controls.
- BetaNews: Attackers can use undocumented commands to hijack Chinese-made Bluetooth chips
- CyberInsider: Hidden Commands Discovered in Bluetooth Chip Used in a Billion Devices
- bsky.app: Undocumented "backdoor" found in Bluetooth chip used by a billion devices
- Matthew Rosenquist: The recent undocumented code in the ESP32 microchip, made by Chinese manufacturer Espressif Systems, is used in over 1 billion devices and could represent a cybersecurity risk.
- SOC Prime Blog: CVE-2025-27840: Vulnerability Exploitation in Espressif ESP32 Bluetooth Chips Can Lead to Unauthorized Access to Devices
Bill Mann@CyberInsider
//
A newly discovered botnet, Eleven11bot, has infected over 30,000 internet-connected devices. These compromised devices, primarily security cameras and Network Video Recorders (NVRs), are being actively used to launch Distributed Denial of Service (DDoS) attacks. The botnet's malicious activity has been directed towards critical telecom infrastructure and gaming websites, causing significant disruptions.
The activity of Eleven11bot has been traced back to Iran, with the infected devices distributed globally. Security researchers have discovered the botnet is being used to carry out brute force attacks on login pages. Weak or reused passwords are being exploited to take control of vulnerable devices. Regular updates to device firmware, frequent password changes, and disabling remote access can significantly reduce the risk of these breaches.
Recommended read:
References :
- CyberInsider: Massive DDoS Botnet Eleven11bot Infects 30,000+ IoT Devices
- www.cybersecurity-insiders.com: DDoS attacks by 30k botnets and IBM n Vodafone safe internet from quantum computing attacks
- securityaffairs.com: New Eleven11bot botnet infected +86K IoT devices
- www.scworld.com: Over 86K devices impacted by novel global Eleven11bot botnet
- www.techradar.com: Another huge new botnet is infecting thousands of webcams and video recorders for DDoS attacks
- aboutdfir.com: Massive botnet that appeared overnight is delivering record-size DDoSes A newly discovered network botnet comprising an estimated 30,000 webcams and video recorders—with the largest concentration in the US—has been delivering what is likely to be the biggest denial-of-service attack ever seen, a security researcher inside Nokia said.
- The GreyNoise Blog: A newly discovered global cyber threat is rapidly expanding, infecting tens of thousands of internet-connected devices to launch powerful cyberattacks.
- WIRED: Eleven11bot infects webcams and video recorders, with a large concentration in the US.
Pierluigi Paganini@Security Affairs
//
Security vulnerabilities have been discovered in Xerox VersaLink C7025 Multifunction printers (MFPs) that could allow attackers to capture authentication credentials. The flaw, discovered by Rapid7 researcher Deral Heiland, enables malicious actors to intercept Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) authentication data through pass-back attacks. The vulnerabilities, tracked as CVE-2024-12510 and CVE-2024-12511, threaten organizations relying on these devices for printing, scanning, and document management.
Xerox has released firmware updates addressing these issues, urging customers to install patches immediately. Rapid7 recommends additional safeguards: restrict admin access to MFPs, disable unnecessary services like FTP, and implement network segmentation to isolate printers from critical AD infrastructure. The vulnerabilities underscore the risks of treating IoT devices as perimeter appliances rather than core network assets.
Recommended read:
References :
- gbhackers.com: Critical security vulnerability in Xerox Versalink C7025 MFPs enables attackers to intercept authentication data via pass-back attacks via LDAP and SMB/FTP services.
- securityaffairs.com: Xerox VersaLink C7025 Multifunction printer flaws may expose Windows Active Directory credentials to attackers
- The Hacker News: Xerox printers have multiple vulnerabilities that could enable attackers to gain access to authentication credentials from LDAP and SMB services, potentially affecting enterprise networks.
- gbhackers.com: Xerox Printer Vulnerability Exposes Authentication Data Via LDAP and SMB
- Talkback Resources: Xerox Versalink Printer Vulnerabilities Enable Lateral Movement [exp] [net]
- www.scworld.com: Authentication credential compromise likely with Xerox VersaLink printer flaws
- securityonline.info: Xerox Versalink Printers Vulnerable to Pass-Back Attacks, Credentials at Risk
- securityonline.info: Xerox Versalink Printers Vulnerable to Pass-Back Attacks, Credentials at Risk
- Talkback Resources: New Xerox Printer Flaws Could Let Attackers Capture Windows Active Directory Credentials [exp] [net]
- securityboulevard.com: Flaws in Xerox VersaLink MFPs Spotlight Printer Security Concerns
- heise online English: Xerox Versalink: Multifunction printers reveal access data Vulnerabilities have been discovered in Xerox Versalink multifunction printers that could allow attackers to steal access data.
- Security Boulevard: Flaws in Xerox VersaLink MFPs Spotlight Printer Security Concerns
- Talkback Resources: Xerox Versalink Printer Vulnerabilities Enable Lateral Movement
- Talkback Resources: Xerox Printer Vulnerabilities Enable Credential Capture
|
|
FlagThis - #iotsecurity