Integrators - Any Client Concerns About Mirai?

We issued a stop-ship on all Dahua products until a reasonable resolution is produced. We've been asked to take down our "Stop-Ship" notice because it's hurting installer's business... People would rather ignore it it seems...

However, we feel it is our duty to keep "Security" in CCTV Security... so we're going to continue to do the right thing.

Weve had some questions and we have also issued a statement to all clients with best practices and informing of some of the details of Mirai. WE are going out and redoing several things on our systems and anyone with a sewrvice agreement is getting taken care of immediately and proactively. WE are pushing them a way from open ports if possible and of course updating firmware and scheduling reboots.

We have been concerned. Remember, the vulnerability is not from port forwarding, but with client computers that are on the same subnet or can route to the subnet where your iot devices are located. All it takes is a "click this link" from an unsuspecting user. You can update firmware, but the problem is still there with a potential future update from the hacker for additional vulnerabilities. Of course default passwords are susceptible, but so are devices with reported back door credentials publicized and open telnet ports.

We are seeing some suspicious outages and problems currently that are a concern. Most involve Axis products 0-5 years old. A report in July outlining the backdoor security vulnerability would be too tempting for the active hacker with an infection on the inside and device gateway and dns access to the outside. There are quite a few devices, other than Dahua, on the vulnerable reports.

Dont sleep on this and think it is based on direct port forwarding or dmz access to the devices themselves. Come up with a documented plan for your company to notify customers and address this. Many devices may be already infected without your knowledge. Monitor your firewall logs for peculiar activity. Look at camera logs for access by other sources than the vms server.

One more thing, now that my blood pressure is rising. It is known that there are concerns from manufacturers such as acti, samsung, toshiba, axis, iqeye, videoiq, dahua, mobotix, and vivotek. Perhaps the dahua vulnerability was only an isolated test of the capabilities. Cmon, a dns factory in Manchester NH. If these or other manufacturers know about potential vulnerabilities, what better place to post a "how to check" than IPVM. I bet they are holding their breathes like the bankers were in 2008. Hikvision is the only company that made a visit to our office and provided a webinar related to cybersecurity, and actually discussed all of their security vulnerabilities the last couple of years and their errors that caused them, as well as the corrections that were made.

Man up, manufacturers. The crisis is not over.

From what I have researched, so far, the Mirai botnet also affects user PCs, mainly through user actions (links, attachements, etc). Once this occurs, the PC will scan its accessible network for IoT devices (cameras, thermostats, etc) on its "hit" list. I am not a hacker, but I assume that once the computer is infected, with a malware application that embeds this or maybe other such botnets, future updates or commands can be uploaded. To disbelieve this or even the chance that this could and does occur is negligent on our part. Hackers are some of the brightest programmers on the planet and they are looking for any "back door" to vulnerable devices, that they can. I can not believe that all of the hundreds of thousands of infected devices are assigned public addresses or are configured on NAT routers as DMZ. I have installed thousands of IP cameras, and have never seen an instance or request where I would do a complete DMZ port forward (which includes telnet). Still, if this does occur, that device will spread into the LAN to all other devices.

-------------------

The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords. It can invade the PC silently and steal all information such as username, IP address, login details, credit card number, debit card number, PIN number, phone number and more for illegal purpose. Your computer acts very slow as well as Internet speed. The Mirai malware continuously scans all Internet for vulnerable IoT devices, to the purpose of infected and used in botnet attacks. It has ability to uses 62 common default usernames and passwords in order to scan for vulnerable devices. Because many IoT devices are not secured for this rubbish. It also allows the bot to access hundreds of thousands of devices. The creator of Mirai Botnet claimed around 380,000 IoT devices were enslaved by the Mirai malware in the attack on Krebs’ website. Its features are segmented command-and-control, that is allows the botnet to launch simultaneous DDoS attacks. So, it is very important to get rid of Mirai Botnet from the PC as soon as possible.

Brian,

There have been reports of threat actors already modifying the code of Mirai. Do you believe it is not possible that one of these botnets can not be integrated with infected pcs to act as a satellite command and control to distribute? If I was a hacker, scanning and infecting from the inside would be the cats meow with this, as probably 99.99 percent of vulnerable devices reside there, without upnp, dmz, or direct internet access.

I like to think it the what will/can happen, not what is/was, and it is logical it is/will. I am just reacting right now in the "may".

Also, I see that sierra already reports vulnerability on their routers. How many comcast/time warner modems/routers are at risk, also. Most I have seen include the manufacturers default credentials. There are many millions of these out there, of various brands, most will default credentials.

(in a rat infested basement on the outskirts of Moscow).

"Comrades, when you are finished with your LOL games, I have a task for you. You know all those American computers we control, you know, the ones with the 3 year expired Norton 90 day trial software. Clever how we put the "free lifetime Krispy Kreme donuts" link in the Longse spam mail. I just got off the phone with Comrade Donald. He would like me to upload that magical code I have been modifying the last week, ASAP, and set it to deploy next Monday night, with a botnet activation time for DNS disruption of Tuesday 0800 hours".

I had a client bring it up today. It was the head of the IT dept. He was talking about locking down the firewall some more just to be sure. I told him his greatest threat was from his internal network. They have a guest wireless network that could be a way in. We have sold them some Dahua OEM cameras that have upgraded firmwares and complex passwords, so the risk is minimal. They also tightly monitor all traffic thru the firewall, in both directions. He has several honeypots and SMB shares with fake files that he monitors for access. Lots of automated scripts that can close down switches or individual ports as threats are detected.