Security researchers found a severe vulnerability in over 80,000 Hikvision cameras. The vulnerability can be exploited through a command injection sent to the camera's web server. The researchers identified the vulnerability as CVE-2021-36260, and Hikvision fixed it in September 2021 through a firmware update. Despite the fix, tens of thousands of systems owned by over 2,300 businesses across 100 countries have still not received the security update, according to a report by the cybersecurity firm CYFIRMA.
The US Department of Defense's cybersecurity division, CISA, identified the vulnerability and cautioned businesses to patch it, since it may allow attackers to "take control of their systems."
In some cases, the live feed of Hikvision cameras was also sold on Clearnet hacking forums. The forums sold lists of passwords and user IDs for these cameras, which anyone could use to spy on individuals.
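The article describes the flaw only as a command injection delivered to the camera's web server, which is exactly what a defender would look for in the device's HTTP access log. The following is an added detection example written for this page; it is not code from the article, CYFIRMA or Hikvision. It assumes the log is in the common combined log format, and the sample lines, hosts and endpoint paths (for instance /SDK/config) are constructed for the example and are not real Hikvision URLs.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines in combined log format. The hosts,
# timestamps and paths are invented for this example; /SDK/config and
# /cgi-bin/test are hypothetical endpoints, not real camera URLs.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Dec/2021:10:01:02 +0000] "GET /doc/page/login.asp HTTP/1.1" 200 1532
203.0.113.10 - - [12/Dec/2021:10:01:05 +0000] "PUT /SDK/config?lang=en HTTP/1.1" 200 88
198.51.100.7 - - [12/Dec/2021:10:02:11 +0000] "PUT /SDK/config?lang=%24%28id%29 HTTP/1.1" 500 0
198.51.100.7 - - [12/Dec/2021:10:02:14 +0000] "GET /cgi-bin/test?name=a%3Bid HTTP/1.1" 404 0
192.0.2.33 - - [12/Dec/2021:10:03:00 +0000] "GET /ISAPI/System/deviceInfo HTTP/1.1" 401 0
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Shell metacharacters that have no business appearing in a camera's request
# target. Each pattern is paired with a label used in the alert.
INJECTION_INDICATORS = [
    (re.compile(r'\$\('), 'command substitution $( )'),
    (re.compile(r'`'), 'backtick substitution'),
    (re.compile(r'\$\{'), 'parameter expansion ${ }'),
    (re.compile(r';\s*\w'), 'command separator ;'),
    (re.compile(r'\|\s*\w'), 'pipe |'),
    (re.compile(r'&&'), 'command chaining &&'),
]


def decode_target(target):
    """Percent-decode repeatedly so double-encoded payloads are also caught."""
    prev, cur = None, target
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur


def indicators_in(target):
    """Return the labels of every injection indicator found in a request target."""
    decoded = decode_target(target)
    return [label for pattern, label in INJECTION_INDICATORS if pattern.search(decoded)]


def scan_access_log(text):
    """Parse each log line and collect the requests carrying injection indicators."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        hits = indicators_in(match.group('target'))
        if hits:
            findings.append({
                'ip': match.group('ip'),
                'method': match.group('method'),
                'target': decode_target(match.group('target')),
                'status': int(match.group('status')),
                'indicators': hits,
            })
    return findings


def suspicious_sources(findings, threshold=1):
    """Source addresses with at least `threshold` flagged requests, sorted."""
    counts = Counter(finding['ip'] for finding in findings)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == '__main__':
    results = scan_access_log(SAMPLE_LOG)
    for finding in results:
        print(f"{finding['ip']} {finding['method']} {finding['target']} "
              f"-> {', '.join(finding['indicators'])}")
    print('sources to review:', suspicious_sources(results))
```

Decoding the request target before matching matters because percent-encoding is the normal way such characters reach the web server, and a rule that only inspects the raw line would miss them. The status code is kept in each finding so that a flagged request answered with 200 can be prioritised over one the device rejected.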
Mirai-based botnet was behind the attack
According to reports, a botnet known as "Moobot" was behind the attack, which was executed in December 2021. The botnet used the exploit to spread quickly and recruit compromised devices into DDoS (distributed denial of service) swarms.
CYFIRMA stated that Russian-speaking hacker forums frequently offer network entry points based on Hikvision cameras, which can be used either for lateral movement or for "botnet" activity.
The company also found that 80,000 of the 285,000 internet-exposed Hikvision web servers were still exploitable. Most of these exposed devices are located in China, the US, Vietnam, the United Kingdom, Ukraine, Thailand, South Africa, France, the Netherlands, and Romania. Access to them is also being sold as samples to interested buyers on hacker forums.
A cyber-espionage plan
CYFIRMA confirmed that the state-sponsored groups involved, including the Chinese hacker groups APT41 and APT10 and Russian threat groups, specialize in cyber espionage.
The security company also stated that, even though the exploitation does not follow a single pattern because numerous threat actors are involved, a cyber espionage operation called "think pocket" could be behind the earlier attack. The operation has been targeting connected products used by a large number of companies since August 2021.
According to reports, state-sponsored hacker groups from countries with tense relations with other nations might use the vulnerabilities in Hikvision camera products to initiate a cyberwar with geopolitical overtones.
Weak passwords continue to be a problem
Along with the command injection vulnerability, weak passwords are another significant factor that increases the chances of hacking events such as the exploitation of severe vulnerabilities.
Users usually create weak, reused passwords out of convenience and don't change them afterwards, making it easier for hackers to access their accounts by obtaining the passwords through keyloggers, cracking and other methods.
Cybersecurity companies have advised users to create stronger passwords and to use protection tools and services such as firewalls, VLANs, and antivirus programs. Hikvision camera users are advised to update their firmware to the latest version as soon as possible.