Cybersecurity researchers have found an active botnet in the wild comprised of older GeoVision devices that have reached end of life (EOL).
One good reason to replace older IoT devices is that vendor support eventually ends for every kind of hardware. No device will receive support forever. At some point, any company making IoT devices will stop supporting older models and encourage people to move on to newer ones.
The more devices of one type are on the market, the longer the replacement process takes, which is exactly what attackers look for when searching for vulnerable hardware.
Researchers at the Shadowserver Foundation have discovered an active botnet comprised of GeoVision EOL devices. Attackers are exploiting a zero-day vulnerability (CVE-2024-11120), which has a score of 9.8 out of 10 and allows them to take over the devices remotely.
“Certain EOL GeoVision devices have an OS Command Injection vulnerability,” reads the advisory published by TWCERT/CC in Taiwan. “Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device. Moreover, this vulnerability has already been exploited by attackers, and we have received related reports.”
The affected devices include the following:
Remember that no patch will be released for these devices, and GeoVision users are advised to replace them as soon as possible. According to the researchers, the botnet is already being used in DDoS and cryptomining attacks.
The Shadowserver Foundation also released a map of vulnerable GeoVision devices that are still active. The United States has 9,179 devices, followed by Germany with 1,652.
Silviu is a seasoned writer who has followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between.