January 1, 2026
A new variant of the Mirai botnet, dubbed Broadside, is actively exploiting a critical command injection vulnerability (CVE-2024-3721) in TBK DVR (Digital Video Recorder) devices that are widely deployed in the maritime logistics sector, including on commercial vessels and shipping networks. Unlike traditional Mirai strains that focus primarily on distributed denial-of-service (DDoS) traffic, Broadside incorporates a custom command-and-control protocol, stealth-oriented process monitoring via Netlink kernel sockets, and payload polymorphism to evade static defenses, enabling it to maintain persistence while avoiding detection. Researchers have observed this campaign’s infrastructure fluctuating in activity over several months, indicating ongoing exploitation and a sustained threat presence.
In addition to its DDoS capabilities, analysis indicates that Broadside attempts to harvest sensitive credential files such as /etc/passwd and /etc/shadow, suggesting objectives beyond simple network flooding, including privilege escalation and lateral movement within compromised environments. The exploitation of insecure IoT devices aboard ships presents a dual risk: disruptive traffic surges that can interfere with vessel network and satellite connectivity, and unauthorized footholds that could be leveraged to reach critical onboard systems. Recommended mitigations focus on promptly patching vulnerable DVR devices, reinforcing network segmentation and access controls, and implementing robust credential hygiene and monitoring practices to reduce exposure to this evolving botnet threat.
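The credential-harvesting behaviour and the monitoring recommendation above invite a concrete detection check. The script below is an added example, not code from the original report or from any product; it scans file-access events for reads of /etc/passwd and /etc/shadow by executables that are not on a baseline allowlist or that run from writable temp directories. The line format, the allowlist and the sample events are constructed for the example (assumptions, not a real DVR's log format), and would be replaced with whatever audit or EDR telemetry the device actually emits.

```python
"""Flag reads of credential files by unexpected processes.

Added illustration for the Broadside write-up. The event format, the
allowlist and the sample lines are constructed for this example and are
not the output of Broadside, TBK firmware, or any real audit product.
"""
import re
from dataclasses import dataclass

# Files whose reads by arbitrary processes merit an alert (named in the report).
CREDENTIAL_FILES = {"/etc/passwd", "/etc/shadow"}

# Executables that legitimately read these files on a typical Linux host.
# Assumption: tune this baseline to what the device really runs.
ALLOWED_READERS = {"/usr/sbin/sshd", "/bin/login", "/usr/bin/passwd", "/usr/bin/su"}

# Directories a long-lived process should not be executing from on an
# embedded device. Assumption: treat world-writable temp paths as suspicious.
SUSPECT_EXE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

# Constructed event format: one key=value record per file operation.
LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) pid=(?P<pid>\d+) uid=(?P<uid>\d+) "
    r"exe=(?P<exe>\S+) op=(?P<op>\w+) path=(?P<path>\S+)"
)


@dataclass
class Finding:
    ts: str
    pid: int
    exe: str
    path: str
    reason: str


def parse(line):
    """Return the event fields as a dict, or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate(event):
    """Apply the two rules to one parsed event; return a Finding or None."""
    if event["op"] != "open" or event["path"] not in CREDENTIAL_FILES:
        return None
    exe = event["exe"]
    if exe.startswith(SUSPECT_EXE_DIRS):
        reason = "credential file read by process executing from temp directory"
    elif exe not in ALLOWED_READERS:
        reason = "credential file read by non-allowlisted executable"
    else:
        return None
    return Finding(event["ts"], int(event["pid"]), exe, event["path"], reason)


def scan(lines):
    """Run the rules over an iterable of log lines, skipping unparseable ones."""
    findings = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        finding = evaluate(event)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample telemetry: a benign sshd read, a dropper staged in /tmp
# reading both files, an ad-hoc cat of /etc/shadow, an unrelated read, and
# one malformed line that the parser must tolerate.
SAMPLE_LOG = [
    "ts=2026-01-01T00:00:01Z pid=412 uid=0 exe=/usr/sbin/sshd op=open path=/etc/passwd",
    "ts=2026-01-01T00:00:07Z pid=9981 uid=0 exe=/tmp/.x/dvr_update op=open path=/etc/shadow",
    "ts=2026-01-01T00:00:07Z pid=9981 uid=0 exe=/tmp/.x/dvr_update op=open path=/etc/passwd",
    "ts=2026-01-01T00:00:19Z pid=523 uid=1000 exe=/usr/bin/cat op=open path=/etc/shadow",
    "ts=2026-01-01T00:00:25Z pid=601 uid=0 exe=/bin/busybox op=open path=/var/log/messages",
    "corrupted record with no fields",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} pid={f.pid} {f.exe} -> {f.path}: {f.reason}")
```

The allowlist rule is the noisier of the two on a general-purpose host, which is why the temp-directory rule is checked first and carries its own reason string: a hit there is worth paging on, while allowlist misses are better fed into a baseline review for the specific device model.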