New 'Broadside' Botnet Exploits DVRs to Target Maritime Logistics

'Broadside' Botnet Exploits DVR Flaw, Posing Significant Threat to Maritime Logistics Sector

Severity: HIGH
December 9, 2025
Categories: Malware, Industrial Control Systems, IoT Security

Related Entities

Organizations: Cydome, TBK Vision
Products & Tech: CeNova, QSee, Night Owl
Other: Broadside, Mirai
CVE Identifiers: CVE-2024-3721 (CRITICAL)

Executive Summary

A new variant of the Mirai botnet, named Broadside, is targeting the maritime sector by exploiting a critical vulnerability in TBK Vision Digital Video Recorders (DVRs). According to research from cybersecurity firm Cydome, the botnet spreads by exploiting CVE-2024-3721, an OS command injection flaw, to compromise vulnerable DVRs commonly used on ships for security surveillance. Broadside demonstrates a significant evolution from its predecessors, incorporating advanced features for stealth, persistence, and C2 communication. More alarmingly, its capabilities go beyond traditional DDoS attacks; the malware actively harvests credentials, seeks to terminate competing malware, and prepares for lateral movement within the ship's network. This transforms a simple IoT device into a dangerous pivot point, posing a severe risk to both the IT and Operational Technology (OT) systems of maritime vessels.


Threat Overview

Broadside's initial access vector is the exploitation of CVE-2024-3721, a command injection vulnerability in the /device.rsp endpoint of TBK DVRs and their many rebranded versions (including CeNova, QSee, and Night Owl). This allows an unauthenticated remote attacker to take full control of the device.

Once compromised, the Broadside malware exhibits several advanced features:

  • Stealthy Monitoring: It uses Netlink kernel sockets for process monitoring, a less noisy method than the filesystem polling used by older Mirai variants.
  • Custom C2 Protocol: It communicates with its C2 servers using a custom protocol identified by a unique "Magic Header" (0x36694201), designed to evade signature-based network detection.
  • Anti-Competition Module: A "Judge, Jury, and Executioner" function actively seeks and terminates other malware processes on the device, ensuring its exclusive control.
  • Credential Harvesting: The malware attempts to read and exfiltrate sensitive files like /etc/passwd and /etc/shadow, indicating an intent to escalate privileges and move laterally across the network.

Technical Analysis

The botnet's operation can be mapped to the MITRE ATT&CK framework:

Impact Assessment

The targeting of the maritime sector is particularly concerning. A compromised DVR on a ship's network is not just a bot for DDoS attacks; it's a pivot point into a sensitive and isolated environment. The potential impact includes:

  • Espionage: Attackers could gain access to live CCTV feeds of sensitive areas like the bridge, engine room, or cargo holds.
  • Network Disruption: A DDoS attack launched from within the ship's network could overwhelm its satellite communication link, cutting it off from shore-based support.
  • Lateral Movement to OT Systems: The greatest risk is the attacker pivoting from the IT network (where the DVR resides) to the Operational Technology (OT) network, which controls the ship's navigation, propulsion, and safety systems. A compromise here could have catastrophic physical consequences.
  • Credential Theft: Harvested credentials could be used to access other systems on the vessel's network, including crew accounts or administrative systems.

Cyber Observables for Detection

Type | Value | Description
url_pattern | */device.rsp | HTTP requests to this vulnerable endpoint are a key indicator of scanning or exploitation attempts.
network_traffic_pattern | 0x36694201 | The "Magic Header" used in Broadside's C2 communication. Detectable with deep packet inspection.
port | 1026 | One of the TCP ports used for C2 communication.
port | 6969 | A second TCP port observed being used for C2 communication.
file_path | /etc/passwd, /etc/shadow | Monitor for anomalous access to these files by processes associated with the DVR software.

Detection & Response

  • Network Segmentation: Ensure that IoT devices like DVRs are on a segregated network segment, isolated from critical IT and OT systems. Monitor and restrict all traffic between these segments. This is a core principle of D3FEND's D3-NI: Network Isolation.
  • Network Traffic Analysis: Use an IDS/IPS to monitor for exploitation attempts against CVE-2024-3721. Create rules to detect the unique Broadside C2 "Magic Header" in network traffic. This is an application of D3-NTA: Network Traffic Analysis.
  • Log Monitoring: Monitor DVR device logs for signs of compromise, such as unexpected reboots, configuration changes, or outbound network connections to unusual ports or IP addresses.
  • Asset Inventory: Maintain a comprehensive inventory of all connected devices on vessels, including the make, model, and software version of all DVRs, to quickly identify vulnerable systems.

Mitigation

  1. Patch or Replace: The primary mitigation is to patch the firmware of vulnerable TBK DVRs. If a patch is not available, the devices should be replaced with secure alternatives and disconnected from the network immediately. This is an application of D3-SU: Software Update.
  2. Restrict Network Access: If the device cannot be patched or replaced immediately, restrict all internet access to and from the DVR. If remote access is required, it should be done via a secure, multi-factor authenticated VPN connection.
  3. Change Default Credentials: Always change the default administrative passwords on DVRs and other IoT devices. While not the primary vector here, it is a critical security hygiene step that prevents simple brute-force attacks.
  4. Implement IT/OT Separation: For maritime operators, enforcing strict network separation between the Information Technology (IT) network and the Operational Technology (OT) network is paramount to prevent a DVR compromise from escalating into a physical safety incident.

Timeline of Events

December 9, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Isolate IoT devices like DVRs on a separate network segment away from critical IT and OT systems to contain any potential compromise.
  • Patch vulnerable DVRs or replace them if patches are unavailable.
  • Block inbound access to the DVR's web interface from the internet and use an IDS to monitor for exploit signatures.

D3FEND Defensive Countermeasures

For maritime operators, the most critical defense against the Broadside botnet is strict network isolation. The vulnerable DVRs should be placed on a dedicated, untrusted network segment (e.g., a 'Crew Welfare' or 'Surveillance' VLAN) that is completely isolated from both the corporate IT network and, most importantly, the ship's Operational Technology (OT) network. Implement firewall rules that deny all traffic from the surveillance VLAN to the IT and OT networks by default. Any required data transfer (e.g., video footage backup) should transit through a DMZ and be subject to inspection. This containment strategy ensures that even if a DVR is compromised by Broadside, the malware cannot pivot to more critical systems like navigation or engine control, thus mitigating the risk of a physical incident.

Deploy a network intrusion detection system (NIDS) with deep packet inspection capabilities to monitor traffic to and from the DVRs. Create a custom signature to detect the unique Broadside C2 'Magic Header' (0x36694201). Additionally, configure alerts for any HTTP requests to the vulnerable /device.rsp endpoint, which indicates scanning or active exploitation of CVE-2024-3721. Also, baseline normal traffic from these devices and alert on any deviations, such as outbound connections on non-standard ports like TCP/1026 and TCP/6969, or any attempt by a DVR to access internal resources. This allows for the rapid detection of a compromised device, enabling incident responders to isolate it before lateral movement occurs.
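As an added example (not code from the report, Cydome, or any NIDS product), the following Python classifier applies the observables listed above to constructed flow records: the */device.rsp URL pattern, the 0x36694201 magic header, outbound TCP/1026 and TCP/6969 from the DVR segment, and any DVR connection to an internal host outside its VLAN. The 10.50.0.0/24 surveillance VLAN, the internal ranges, and the sample flows are assumptions, and because the report does not state the header's on-wire byte order, both orders are checked.

```python
"""Added detection example for the Broadside observables (not from the report or Cydome).
Flow records, the DVR VLAN and the internal ranges are constructed assumptions."""
import ipaddress
import struct

MAGIC = 0x36694201
MAGIC_BYTES = {struct.pack(">I", MAGIC), struct.pack("<I", MAGIC)}  # assumption: either byte order
C2_PORTS = {1026, 6969}            # TCP ports the report lists for C2
VULN_PATH = "/device.rsp"          # endpoint abused by CVE-2024-3721
DVR_VLAN = ipaddress.ip_network("10.50.0.0/24")   # constructed surveillance VLAN
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_flow(flow):
    """Return the names of every Broadside indicator that matches one flow dict."""
    hits = []
    src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    parts = flow.get("http_request", "").split()
    if len(parts) > 1 and parts[1].split("?", 1)[0].endswith(VULN_PATH):
        hits.append("exploit_attempt:/device.rsp")      # url_pattern */device.rsp
    if flow.get("payload", b"")[:4] in MAGIC_BYTES:
        hits.append("c2_magic_header")                  # 0x36694201 leads the payload
    if src in DVR_VLAN:                                 # behaviour of the DVR itself
        if flow["dport"] in C2_PORTS:
            hits.append(f"dvr_outbound_c2_port:{flow['dport']}")
        if dst not in DVR_VLAN and any(dst in n for n in INTERNAL_NETS):
            hits.append("dvr_to_internal_host")         # pivot attempt out of the VLAN
    return hits

def scan(flows):
    """Return (index, hits) for every flow that triggers at least one indicator."""
    return [(i, h) for i, f in enumerate(flows) if (h := classify_flow(f))]

# Constructed sample flows (RFC 5737 documentation addresses), not captured traffic.
SAMPLE_FLOWS = [
    {"src": "203.0.113.7", "dst": "10.50.0.12", "dport": 80,
     "http_request": "GET /device.rsp HTTP/1.1"},                      # scan / exploit attempt
    {"src": "10.50.0.12", "dst": "198.51.100.20", "dport": 6969,
     "payload": struct.pack(">I", MAGIC) + b"\x00\x10beacon"},          # C2 check-in
    {"src": "10.50.0.12", "dst": "10.20.0.5", "dport": 22},             # DVR reaching the IT LAN
    {"src": "10.50.0.12", "dst": "10.50.0.1", "dport": 53},             # benign DNS inside the VLAN
    {"src": "203.0.113.9", "dst": "10.50.0.12", "dport": 80,
     "http_request": "GET /index.html HTTP/1.1"},                      # benign web request
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_FLOWS):
        print(f"flow {idx}: {', '.join(hits)}")
```

The same four checks map directly onto NIDS rules or a SIEM correlation search; the baseline deviation alert in the paragraph above is the third and fourth check applied to every flow whose source sits in the surveillance VLAN.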

Sources & References

New 'Broadside' Botnet Poses Risk to Shipping Companies, SecurityWeek (securityweek.com), December 9, 2025

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.


Tags: Botnet, Mirai, Broadside, Maritime Security, IoT, DVR, ICS, OT
