[German]Security researchers from Fortinet warned as early as December 6, 2021 that the Mirai-based botnet Moobot attacks vulnerabilities in the web servers of Hikvision camera systems. All it takes is sending a crafted instruction to the web server to inject commands and compromise the whole thing. The systems are then abused by the botnet for DDoS attacks.
I came across this issue via various reports on the Internet, but also via the following tweet, which Fortinet describes in more detail in this article.
Vulnerability CVE-2021-36260 in Hikvision IP Cameras
The vendor Hikvision has various surveillance camera systems on offer, which then communicate via their firmware with a web server operated on the Internet. Hikvision camera systems are also used by many OEMs under their own name.
Back in June 2020, a security researcher discovered a vulnerability and published the document Unauthenticated Remote Code Execution (RCE) vulnerability in Hikvision IP camera/NVR firmware (CVE-2021-36260). He had encountered a command injection vulnerability CVE-2021-36260 in the web server of some Hikvision products, which was confirmed by the vendor of his security advisory dated September 19, 2021.
All camera models listed in thesecurity advisory HSRC-202109-01 from September 19, 2021 that are accessible from the Internet via port forwarding have this vulnerability in the older firmware versions. Attackers could then gain full control over these cameras. I had pointed this out in the blog post Vulnerability in 100 million IP cameras from Hikvision and OEMs. And I had urged operators of the camera systems to react promptly. Because there are firmware updates for the affected systems (see).
Fortinet monitors attacks
Shortly after the vulnerability became known, FortiGuard Labs had developed an IPS signature (Intrusion Prevention System signature) that detects attacks against the vulnerability. Even while analyzing the vulnerability, Fortinet security researchers observed numerous payloads attempting to check the status of devices or extract sensitive data from victims via this vulnerability.
One payload caught the security researchers' particular attention. The malicious function attempts to inject a downloader on the Hikvision web server. The downloader exhibits infection behavior and also executes Moobot. Moobot is a DDoS botnet based on Mirai.
In this blog post security researchers explain how an attacker injects this payload via the Hikvision vulnerability and provide details about the botnet. An infected Hikvision system is commanded by the botnet to perform a DDoS attack on a specific IP address and port number. So, anyone running Hikvision systems should check to see if their systems are infected – Fortinet provides some guidance here.
Cookies helps to fund this blog: Cookie settings