Skip to content
Attackers are attacking unpatched Hikvision video systems to drop a DDoS botnet; researchers have now warned.
Although a patch was released in Sept., any still-vulnerable Hikvision IP Network Video Recorder (NVR) products are being actively targeted by the Mirai-based botnet known as Moobot.
Denial of Service
FortiGuard Labs has released a report detailing how the Moobot botnet is using a known remote code execution (RCE) vulnerability in Hikvision products (CVE-2021-36260) to spread a Moobot, which carries out distributed denial of service (DDoS) attacks.
The attack surface could be significant: China-based Hikvision called itself as the “world’s leading video-surveillance products supplier” on the company site.
Vulnerable System
Once the attacker finds a vulnerable system, a downloader drops the malware, which FortiGuard identified as Moobot, a variant of Mirai with traces of Satori code. Sartori is another Mirai-based botnet & 1 of dozens that have been spun off the original source code.
“Its most obvious feature is that it contains the data string “w5q6he3dbrsgmclkiu4to18npavj702f”, which is used in the “rand_alphastr” function,” the researchers found in analysing the binary. “It is used to create random alphanumeric strings with different purposes, such as for a setup process name or to generate data for attacking.”
Once it makes a connection with the command-&-control server (C2), it launches the DDoS attack, the report added, which looks like this:
Tracked to DDoS Service Provider
The analysts were able to track the code to a DDoS service provider’s Telegram channel called “tianrian,” which has been operating since Aug., they added.
“From the chatting channel we can see that the service is still updating,” FortiGuard’s report cautioned. “Users should always look out for DDoS attacks & apply patches to vulnerable devices.”
During Q3, threat researchers at Kaspersky found that the number of DDoS attacks shattered records, often topping 1,000s per day.
DDoS Attack
Linux-based Mirai was 1st identified in Sept. of 2016 when it was used in a DDoS attack against Krebs on Security. A month later it took out a vast portion of the internet with a hit on Dyn. Despite its source code being released in Oct. 2016, it has since become 1 of the most powerful internet of things botnets, infecting products & gadgets from brands including D-Link, SonicWall & Netgear, & other connected devices.
Fortinet listed Mirai as the top botnet threat in its analysis of the 1st half of 2021. The report’s author Derek Manky, Fortiguard Labs’ Chief of Security insights & global threat alliances does not expect Mirai, or its related threat variants, to go away anytime soon.
Linux-Based Botnets
“We’re going to fully expect to see more of Mirai,” Manky stated. “More Linux-based botnets. A lot of these targets, we’re not talking about Windows, but MacOS, we’ve already seen more & more … code written for Linux itself, & that is a majority of the internet of things, or IoT space.”
Any organisations running unpatched Hikvision systems are urged to get the firmware update provided by the company.
