Thousands of Hikvision video cameras remain unpatched and vulnerable to takeover

Categories: News | Tags: Hikvision, CVE-2021-36260, metasploit, Mirai, Moobot

A patch has been available since September 2021, yet tens of thousands of systems used by 2,300 organizations across 100 countries have still not applied the security update.


The post Thousands of Hikvision video cameras remain unpatched and vulnerable to takeover appeared first on Malwarebytes Labs.

Malwarebytes
#vulnerability #web #botnet

Posted: August 23, 2022 by

In September 2021 we told you about insecure Hikvision security cameras that could be taken over remotely.

However, according to a whitepaper published by CYFIRMA, tens of thousands of systems used by 2,300 organizations across 100 countries have still not applied the security update, and are therefore vulnerable to exploitation.

The vulnerability

According to the researcher who reported it last year, the vulnerability has existed at least since 2016. All an attacker needs is access to the http(s) server port (typically 80/443). No username or password is needed, nor are any actions needed from the camera owner, and the attack is not detectable by any logging on the camera itself. A cybercriminal could exploit the vulnerability to launch a command injection attack by sending some messages with specially crafted commands.

The patch

The flaw is tracked as CVE-2021-36260 and was addressed by Hikvision via a firmware update in September 2021. The critical bug received a 9.8 out of 10 on the CVSS scale of severity, which is clearly justified by the fact that it allows the attacker to gain even more access than the owner of the device has, since the owner is restricted to a limited protected shell (psh) which filters input to a predefined set of limited, mostly informational commands.

The abuse

One possible exploit of this vulnerability was published by Packet Storm in October 2021.

In December 2021, BleepingComputer reported that a Mirai-based botnet called Moobot was spreading aggressively by exploiting this vulnerability in the webserver of many Hikvision products.

A Metasploit module based on the vulnerability was published by Packet Storm in February 2022.

The Cybersecurity & Infrastructure Security Agency (CISA) added the vulnerability to its list of known exploited vulnerabilities that should be patched by January 24, 2022.

Unpatched

Given the amount of available information, it is trivial even for a “copy and paste criminal” to make use of the unpatched cameras.

Of an analyzed sample of 285,000 internet-facing Hikvision web servers, CYFIRMA found roughly 80,000 of them were still vulnerable to exploitation. Most of these are located in China and the United States, while Vietnam, the UK, Ukraine, Thailand, South Africa, France, the Netherlands, and Romania all count above 2,000 vulnerable cameras.

Mitigation

If you are in doubt whether you are using a vulnerable product, there is a list of the vulnerable firmware versions in the researcher’s post. Hikvision says you should download the latest firmware for your device from the global firmware portal.

In general, it is not a good idea to make your cameras accessible from the internet; if you must, put them behind a VPN.
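The VPN-only advice above translates into a gateway policy that keeps the camera web port (the one the CVE-2021-36260 attack needs) off the internet and stops an already-compromised camera from reaching botnet infrastructure such as Moobot's. The ruleset below is an added example, not from the Malwarebytes article or from Hikvision; the addressing is constructed for the example: cameras on their own VLAN 192.168.50.0/24 (with the recorder on that same VLAN, so its traffic never crosses this router), and remote operators arriving through a VPN that hands out 10.8.0.0/24. It complements patching; it does not replace it.

```nftables
#!/usr/sbin/nft -f
# Added example (not part of the original article). Assumed, constructed addressing:
#   camera VLAN  192.168.50.0/24   (cameras + on-VLAN recorder)
#   VPN clients  10.8.0.0/24       (operators who may use the camera web UI)
# Load with:    nft -f camera_guard.nft
# Inspect with: nft list table inet camera_guard

define camera_net = 192.168.50.0/24
define vpn_net    = 10.8.0.0/24

table inet camera_guard {
    chain forward {
        # Seen by every routed packet; this chain only decides camera traffic and
        # leaves everything else to the rest of the ruleset (policy accept).
        type filter hook forward priority 0; policy accept;

        # Return traffic for sessions that were already allowed below.
        ct state established,related accept

        # Camera web interface (typically 80/443) reachable from VPN clients only.
        ip saddr $vpn_net ip daddr $camera_net tcp dport { 80, 443 } accept

        # Nothing else may reach the camera VLAN: no WAN port-forwards, no other
        # LAN segments. Counted and logged so monitoring can see attempts, since
        # the camera itself logs nothing about this attack.
        ip daddr $camera_net counter log prefix "camera_guard inbound drop: " drop

        # Cameras may answer the VPN network and go nowhere else: no outbound
        # internet, which cuts off C2 beaconing and scanning by a camera that was
        # compromised before the firmware was updated.
        ip saddr $camera_net ip daddr $vpn_net accept
        ip saddr $camera_net counter log prefix "camera_guard egress drop: " drop
    }
}
```

Both drop rules carry `counter`, so `nft list table inet camera_guard` doubles as a quick check: a rising inbound counter means something outside the VPN is still trying to reach the cameras, and a rising egress counter is a camera trying to leave the VLAN, which on a fleet of unpatched devices is the signal to go and look at that unit.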


Related news

Joint Advisory AA22-279A and Vulristics

Hello everyone! This episode will be about the new hot twenty vulnerabilities from CISA, NSA and FBI, Joint cybersecurity advisory (CSA) AA22-279A, and how I analyzed these vulnerabilities using my open source project Vulristics. Alternative video link (for Russia): https://vk.com/video-149273431_456239105 Americans can’t just release a list of “20 vulnerabilities most commonly exploited in attacks on […]

Chinese APT's favorite vulnerabilities revealed

Categories: Exploits and vulnerabilities, News | Tags: Chinese APT, advanced persistent threat, APT, CISA, NSA, FBI, security advisory. CISA, the NSA and the FBI have compiled a list of the vulnerabilities targeted by state-sponsored threat actors from China. The post Chinese APT's favorite vulnerabilities revealed appeared first on Malwarebytes Labs.

Cybercriminals Are Selling Access to Chinese Surveillance Cameras

Tens of thousands of cameras have failed to patch a critical, 11-month-old CVE, leaving thousands of organizations exposed.

Thousands of Organizations Remain at Risk From Critical Zero-Click IP Camera Bug

The US Cybersecurity and Infrastructure Security Agency had wanted federal agencies to implement the fix for the RCE flaw in Hikvision cameras by Jan. 24, 2022.

CVE-2021-36260: Command Injection Vulnerability

A command injection vulnerability in the web server of some Hikvision products. Due to insufficient input validation, an attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.