Mirai Variant Nexcorium Compromises TBK DVR Devices to Power DDoS Botnet
What Happened – Researchers at Fortinet identified a new Mirai‑derived malware family named Nexcorium that infects TBK brand digital video recorders (DVRs). The malware installs a lightweight agent that connects the devices to a command‑and‑control (C2) server, enabling large‑scale distributed denial‑of‑service (DDoS) attacks.
Why It Matters for TPRM –
- IoT devices in a supply chain can become launch pads for external attacks, exposing your organization to service disruption and reputational risk.
- Lack of visibility into third‑party hardware (e.g., surveillance cameras) can hide malicious footholds from traditional security controls.
- The rapid evolution of Mirai variants demonstrates that threat actors continuously weaponize insecure consumer‑grade devices.
Who Is Affected –
- Industries: Retail, hospitality, manufacturing, logistics, and any sector that deploys on‑premise surveillance systems.
- Vendor Types: Hardware manufacturers of DVR/NVR devices, Managed Service Providers that host surveillance infrastructure, and organizations that outsource video monitoring.
Recommended Actions –
- Inventory all deployed DVR/NVR hardware and verify firmware versions.
- Enforce network segmentation for IoT devices; block outbound traffic to unknown C2 domains/IPs.
- Apply vendor‑provided security patches or replace unsupported DVR models.
- Incorporate IoT‑specific monitoring into your security operations center (SOC).
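The segmentation and monitoring actions above can be checked against flow logs. The following is an added example, not code from Fortinet or HackRead: it flags DVR-segment devices that reach destinations outside an egress allowlist, and devices that contact an unusually large number of distinct hosts. The address ranges, threshold, log format and sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed values for illustration; replace with your own addressing plan.
IOT_SEGMENT = ip_network("10.20.0.0/24")        # VLAN holding the DVR/NVR devices
ALLOWED_EGRESS = [ip_network("10.10.5.0/28")]   # recording/NTP/management hosts
FANOUT_THRESHOLD = 20                           # distinct peers per device per window


def sample_flows():
    """Constructed flow records, one 'src dst dst_port' per line."""
    flows = [
        "10.20.0.11 10.10.5.2 123",     # DVR to approved NTP host
        "10.20.0.11 10.10.5.3 554",     # DVR to approved recording host
        "10.30.0.5 203.0.113.9 443",    # workstation, outside the IoT segment
        "10.20.0.12 203.0.113.50 4444", # DVR to an unapproved external host
        "garbage line that must be skipped",
    ]
    # One DVR contacting many distinct hosts, as a scanning device would.
    flows += [f"10.20.0.12 198.51.100.{i} 23" for i in range(1, 26)]
    return flows


def analyse(flows):
    """Return (violations, scanners) for devices inside IOT_SEGMENT."""
    violations = defaultdict(set)   # device -> {(dst, port)} outside the allowlist
    peers = defaultdict(set)        # device -> distinct destinations contacted
    for line in flows:
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            src, dst, port = ip_address(parts[0]), ip_address(parts[1]), int(parts[2])
        except ValueError:
            continue                # malformed record
        if src not in IOT_SEGMENT:
            continue
        peers[str(src)].add(str(dst))
        if not any(dst in net for net in ALLOWED_EGRESS):
            violations[str(src)].add((str(dst), port))
    scanners = sorted(d for d, p in peers.items() if len(p) >= FANOUT_THRESHOLD)
    return dict(violations), scanners


if __name__ == "__main__":
    bad, scanners = analyse(sample_flows())
    for device, dests in sorted(bad.items()):
        print(f"{device}: {len(dests)} unapproved destinations")
    print("possible scanners:", scanners)
```

A device that appears in both results is the strongest candidate for isolation and a firmware and credential review.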
Technical Notes – Nexcorium reuses Mirai’s scanning modules to locate devices with default credentials, then deploys a lightweight DDoS payload. No public CVE is associated; the attack leverages credential reuse and weak authentication. Data exfiltration is not reported, but the botnet can generate multi‑gigabit traffic, overwhelming target networks.
Source: HackRead