Vulnerable Hikvision cameras exposed online
Cyfirma finds 80,000 unpatched Chinese-made cameras in online scan
Brian Pereira (digital_belief)
August 23, 2022
Cybercriminals in Russian forums are selling login credentials to Hikvision-branded security cameras, tens of thousands of which remain vulnerable to a well-known exploit, a threat intelligence firm warns.
Chinese manufacturer Hangzhou Hikvision Digital Technology Co. released a patch for the vulnerability last September. Tracked as CVE-2021-36260, this command injection vulnerability allows attackers to execute arbitrary system commands on the victim’s host operating system. Attackers could exploit the vulnerability to add the cameras to a botnet or use them as a launching point for lateral movement deeper into the camera operator’s network. Cybersecurity company Fortinet said late last year that it had seen “numerous payloads attempting to exploit this vulnerability,” including one that appeared to recruit vulnerable cameras into the Moobot botnet, a variant of the Mirai botnet.
Cyfirma researchers analyzed a sample of approximately 285,000 Hikvision web servers worldwide. The analysis revealed that more than 2,300 organizations in over 100 countries use cameras with open web ports. Nearly a third of the vulnerable cameras were in China and the United States, which accounted for 12,690 and 10,611 vulnerable devices, respectively.
Saurabh Lal, president of research and customer engagement at Cyfirma, told Information Security Media Group that these organizations are likely unaware that their devices are open to online traffic.
“These ports aren’t monitored, validated, or tested, and they just add entry points to your porous attack surface,” says Lal. He says it’s an “implementation flaw” and that the companies have been “careless with the setup”.
In January 2022, the US Cybersecurity and Infrastructure Security Agency warned that the vulnerability was being actively exploited and urged organizations to patch immediately.
Cyfirma believes that Chinese threat groups such as MISSION2025/APT41, APT10 and its affiliates, as well as unknown Russian threat actor groups could potentially exploit unpatched security cameras.
“We observed leaking credentials of Hikvision camera products available for sale on Russian forums,” Cyfirma researchers say.
Hikvision is controlled by the Chinese government and is on several US federal government blacklists. The Federal Communications Commission in March 2021 classified the company as a national security risk. U.S. citizens are barred from owning stock in the company under an executive order first signed by Donald Trump and amended by President Joe Biden in June 2021. The Department of Commerce placed the company under intensive export controls in 2019 for participating in state surveillance of the Uyghur ethnic group in the Xinjiang Uyghur Autonomous Region.