Posted on August 24, 2022 at 8:10 PM
Security researchers have discovered more than 80,000 Hikvision cameras that are susceptible to a critical command injection bug. According to the researchers, the vulnerability can be easily exploited through specially crafted messages sent to the camera's vulnerable web server.
The vulnerability is tracked as CVE-2021-36260, and Hikvision provided a patch via a firmware update last September.
But despite the available update, tens of thousands of systems used by more than 2,000 organizations across over 100 countries are still vulnerable. These devices have yet to receive the update, which leaves them exploitable.
Two Known Public Exploits For The Flaw
The report also revealed that the vulnerability has been exploited in the wild. Other exploits may exist, but only two public exploits are known: the first was published last October, and the second earlier in February this year. This means that hackers of all skill levels can search for and exploit the vulnerable cameras.
Last December, the exploit was used by a Mirai-based botnet called “Moobot” to spread continuously and swarm systems with DDoS attacks. In January this year, CISA warned about the CVE-2021-36260 vulnerability and stated that threat actors are abusing it and using it to attack systems.
The agency stated that the vulnerability was among the actively exploited flaws in the list published at the time. It warned users and organizations that threat actors could take control of their devices if they remained unpatched.
The Entrance Points Are Being Sold In Russian-Speaking Hacking Forums
CYFIRMA revealed that Russian-speaking hacking forums regularly market network entrance points that rely on exploitable Hikvision cameras. These can be used either for lateral movement or for “botnetting”. The sellers are increasingly finding customers willing to pay high fees for network access to use in their attacks.
Of the 285,000 samples of internet-facing Hikvision servers analyzed, the cybersecurity firm discovered about 80,000 of them are still susceptible.
Most of them are located in the US and China. In addition, South Africa, Thailand, Ukraine, the UK, Romania, the Netherlands, and Vietnam all count above 2,000 vulnerable endpoints.
There is no single pattern to the exploitation of the vulnerability, since multiple hackers are involved in these activities. However, CYFIRMA says its researchers observed some patterns. The cybersecurity firm noted that use of the exploit can be traced to Russian threat groups specializing in cyber espionage and to the Chinese hacking groups APT10 and APT41.
The cybersecurity firm cited as an example a cyber espionage campaign called “think pocket”, which threat actors have used since last year to target a well-known connectivity product deployed in different industries across several regions.
Users With Weak Passwords Could Be Exposed
In a whitepaper, CYFIRMA explained that threat actors from countries that may not have a cordial relationship with other countries make use of the vulnerable Hikvision camera products. They could use the vulnerable products to carry out geopolitically motivated cyber warfare. Threat actors from rival countries are always looking for ways to expose their targets and score political points.
Apart from the command injection flaw, another weakness that could help threat actors gain access is the use of weak passwords. In most cases, users prefer to set simple passwords that they can easily remember. In other cases, users fail to change the default passwords that ship with a new device. If these are not changed during initial setup, they give threat actors another avenue to compromise the device.
Users Advised To Update And Use Strong Passwords
Researchers have identified several offerings on dark net forums of lists containing credentials for Hikvision camera live video feeds. Users who operate a Hikvision camera have been asked to update their systems with the latest available firmware. Additionally, they should always protect their devices with a strong password. Users who worry about forgetting passwords should use a password manager to maintain strong, unique passwords across their devices. Users have also been advised to isolate the IoT network from critical assets using a VLAN or a firewall.
IoT devices are growing in number, and threat actors are increasingly targeting them because of their security weaknesses. They are embedded with software and sensors that collect and share data online. Unfortunately, these devices rarely ship with strong security controls, which leaves them vulnerable to exploitation.