Subscriber Discussion
Mirai Botnet Update 11-18-1
Did anyone see this? The headline containing "evolving" instantly makes me think of Skynet (from Terminator), Shodan (from System Shock), and whatever the heck the Matrix was about almost immediately.
It is interesting that the big Mirai botnet is splintering. I read an article last week that the minute a device is rebooted the Mirai "hack" is wiped, but it is instantly taken over by a new botnet. In a way the threat is shrinking each day.

11/19/16 02:44pm
I have a client with a very old Dahua-based NVR that is no longer supported by Dahua. The firmware on this unit is vulnerable. I changed all default passwords long ago. I also recently changed the inbound port from the default port. I am working on blocking all outbound traffic from the NVR and cameras that isn't going to approved destinations (NTP, SMTP, etc.).
While I'm unsure if it is infected with Mirai, the hacker always adds a new user account (Service) and leaves a note behind that the NVR was hacked. This isn't a new hack by any means. I just am unsure of a way to stop the hacks, short of replacing the unit, blocking it from the web entirely, or trying to whitelist every single inbound IP that is approved in the firewall. VPN is also on the table, but would likely end up costing more than the replacement NVR.

11/19/16 04:03pm
This particular hack has been around for a long time. The attacker creates a new user named "service" and leaves a note on the account "your_device_has_been_hacked_ple". If you Google that string, you will find some other people talking about this hack going back a few years.
Like I've been saying for a while now, Dahua exposures vastly outnumber any Hikvision issues.

11/19/16 04:18pm
https://depthsecurity.com/blog/dahua-dvr-authentication-bypass-cve-2013-6117
Jake Reynolds seems to be somewhat of an expert on the Dahua vulnerabilities. You may want to reach out to him.