New Mirai Botnet Behind Surge in TVT DVR Exploitation
Summary:
A significant spike in exploitation attempts targeting TVT NVMS9000 DVRs was detected on April 3, 2025, with over 2,500 unique IP addresses scanning for vulnerable devices. These attacks exploit an information disclosure vulnerability that was first disclosed by an SSD Advisory in May 2024. The flaw allows an unauthenticated attacker to retrieve the admin credentials in cleartext with a single TCP payload; because nothing more than network reachability is required, the disclosure amounts to an authentication bypass that grants unrestricted access to execute administrative commands on the device. The risk is critical because an attacker who can reach the service takes full control of the DVR without any prior credentials.
GreyNoise, a threat monitoring platform, reported that the exploitation activity appears to be tied to a Mirai-based malware strain. Mirai is a well-known malware family that infects vulnerable devices and incorporates them into a botnet, which is then used to proxy malicious traffic, mine cryptocurrency, or launch distributed denial of service attacks. GreyNoise recorded 6,600 distinct IPs associated with this activity over the past month, confirming all of them as malicious and non-spoofable. Most of these IPs originated from Taiwan, Japan, and South Korea, while the bulk of the targeted devices were located in the U.S., U.K., and Germany. Note that in a Mirai campaign the scanning sources are mostly already-infected devices rather than operator infrastructure, so the origin distribution shows where compromised hosts sit, not necessarily where the operators are; what the data does show is that exposed surveillance equipment in Western networks is the current target.
Security Officer Comments:
The TVT NVMS9000 DVRs, made by Shenzhen-based TVT Digital Technology Co., Ltd., are primarily used in security and surveillance systems to record, store, and manage video footage from security cameras. These devices are often directly internet-connected, making them prime targets for botnets that exploit known vulnerabilities. The vulnerability in question has been public since 2024, and flaws of this kind in DVRs and cameras have been exploited by various botnets in the past, including HiatusRAT, Mirai, and FreakOut. Infected DVRs can be hijacked to carry out malicious activities such as traffic relaying, mining cryptocurrency, or launching DDoS attacks against other networks or services.
It is important to note that the last firmware release for the NVMS9000 DVRs was in 2018, and it is unclear whether these devices are still officially supported by the manufacturer. As a result, administrators should carefully evaluate the long-term security of these devices and consider replacing them if they are no longer receiving updates or support.
Suggested Corrections:
To mitigate this risk, SSD's advisory recommends upgrading the affected DVRs to firmware version 1.3.4 or later, which fixes the disclosed vulnerability. If upgrading the firmware is not feasible, SSD advises restricting public internet access to the DVR ports and blocking incoming requests from the malicious IP addresses identified by GreyNoise. Of these, removing internet exposure is the durable control; an IP blocklist is a short-lived supplement, since botnet membership churns as devices are infected and cleaned. Additionally, administrators should monitor for signs of Mirai infections, such as outbound traffic spikes, sluggish performance, frequent crashes or reboots, high CPU/memory usage even when idle, and altered device configurations. If any of these symptoms are observed, disconnect the DVR from the network, perform a factory reset, update the firmware to the latest version, and place the device on an isolated network segment. Reconnect only after the update and the segmentation are in place: a still-exposed device is typically re-infected within minutes of coming back online.
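The monitoring advice above can be turned into a concrete check. The following is an added example, not code from SSD, GreyNoise, or TVT: it parses simple per-flow records (timestamp, source, destination, destination port, bytes sent), builds a per-host daily profile, and flags a DVR whose outbound volume jumps well above its baseline day or that suddenly talks to many distinct destinations (the fan-out a self-propagating bot produces while scanning). The flow format, the host addresses, the port 9000 used for the sample traffic, and the thresholds are all constructed assumptions for illustration; adapt the parser to whatever NetFlow/IPFIX or firewall export you actually have.

```python
"""Flow-log heuristic for the Mirai symptoms listed in the advisory.

Added example (not from the advisory or the vendor). Flow records, hosts,
ports and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: str       # ISO-8601 timestamp, e.g. 2025-04-03T12:00:00
    src: str      # source IP
    dst: str      # destination IP
    dport: int    # destination port
    nbytes: int   # bytes sent from src to dst


def parse_flows(text):
    """Parse whitespace-separated records: ts src dst dport bytes (assumed format)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(ts, src, dst, int(dport), int(nbytes)))
    return flows


def daily_profile(flows):
    """Per (src, day): total outbound bytes and the set of distinct destinations."""
    stats = defaultdict(lambda: {"bytes": 0, "dsts": set()})
    for f in flows:
        entry = stats[(f.src, f.ts[:10])]
        entry["bytes"] += f.nbytes
        entry["dsts"].add(f.dst)
    return stats


def detect(flows, dvr_hosts, baseline_day, spike_factor=5.0, fanout_threshold=20):
    """Compare each later day against the baseline day for each DVR host.

    Returns {(host, day): [reason, ...]} for hosts that show an outbound
    byte spike (>= spike_factor x baseline) or a scanning-style fan-out
    (>= fanout_threshold distinct destinations in one day).
    """
    stats = daily_profile(flows)
    later_days = sorted({f.ts[:10] for f in flows} - {baseline_day})
    findings = {}
    for host in dvr_hosts:
        base = stats.get((host, baseline_day), {"bytes": 0, "dsts": set()})
        for day in later_days:
            cur = stats.get((host, day))
            if cur is None:
                continue
            reasons = []
            if base["bytes"] > 0 and cur["bytes"] >= spike_factor * base["bytes"]:
                reasons.append(f"outbound bytes {cur['bytes']} vs baseline {base['bytes']}")
            if len(cur["dsts"]) >= fanout_threshold:
                reasons.append(f"{len(cur['dsts'])} distinct destinations (scanning fan-out)")
            if reasons:
                findings[(host, day)] = reasons
    return findings


def build_sample_flows():
    """Constructed sample data (assumption, not real telemetry).

    DVR 10.0.30.5 talks only to the internal viewer 10.0.20.11 on April 2.
    On April 3 it keeps doing that but also probes 40 external hosts and
    pushes a 25 MB upload. DVR 10.0.30.6 stays quiet on both days.
    """
    lines = []
    for h in range(24):  # healthy baseline day, hourly flows to the viewer
        lines.append(f"2025-04-02T{h:02d}:00:00 10.0.30.5 10.0.20.11 9000 50000")
    lines.append("2025-04-02T09:00:00 10.0.30.6 10.0.20.11 9000 40000")
    lines.append("2025-04-03T09:00:00 10.0.30.6 10.0.20.11 9000 41000")
    for h in range(24):  # compromised day: normal traffic continues ...
        lines.append(f"2025-04-03T{h:02d}:00:00 10.0.30.5 10.0.20.11 9000 50000")
    for i in range(40):  # ... plus small probes to 40 distinct external hosts
        lines.append(f"2025-04-03T12:{i:02d}:00 10.0.30.5 203.0.113.{i + 1} 9000 600")
    lines.append("2025-04-03T13:00:00 10.0.30.5 198.51.100.7 443 25000000")
    return "\n".join(lines)


if __name__ == "__main__":
    flows = parse_flows(build_sample_flows())
    for (host, day), reasons in detect(flows, ["10.0.30.5", "10.0.30.6"], "2025-04-02").items():
        print(f"{host} on {day}:")
        for r in reasons:
            print(f"  - {r}")
```

On the constructed data, 10.0.30.5 is flagged on April 3 for both reasons (about 26 MB against a 1.2 MB baseline, and 42 distinct destinations), while 10.0.30.6 is not. In practice the baseline should be a rolling window of several normal days rather than a single day, and the fan-out check is most useful when a DVR, which should only ever talk to its viewer, NVR, and NTP/DNS servers, starts reaching addresses outside that small allow-list.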
Link(s):
https://www.bleepingcomputer.com/ne...-botnet-behind-surge-in-tvt-dvr-exploitation/