
Mirai Botnet Update 11-18-1

Undisclosed Integrator #1
Nov 19, 2016

Did anyone see this?  The headline containing "evolving" instantly makes me think of Skynet (from Terminator), Shodan (from System Shock), and whatever the heck the Matrix was about almost immediately.

It is interesting that the big Mirai botnet is splintering.  I read an article last week that the minute a device is rebooted the Mirai "hack" is wiped, but it is instantly taken over by a new botnet.  In a way the threat is shrinking each day.

Jon Dillabaugh
Nov 19, 2016
Pro Focus LLC

I have a client with a very old Dahua-based NVR that is no longer supported by Dahua. The firmware on this unit is vulnerable. I have changed all default passwords long ago. I also recently changed the inbound port from the default port. I am working on blocking all outbound traffic from the NVR and cameras that isn't going to approved destinations (NTP, SMTP, etc.).

While I'm unsure if it is infected with Mirai, the hacker always adds a new user account (Service) and leaves a note behind that the NVR was hacked. This isn't a new hack by any means. I am just unsure of a way to stop the hacks, short of replacing the unit, blocking it from the web entirely, or trying to whitelist every single approved inbound IP in the firewall. VPN is also on the table, but would likely end up costing more than the replacement NVR.

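
Editor's note: the script below is an added example of the egress policy Jon describes, not code from his post or from any Dahua tooling. It holds an allow-list of approved destinations (NTP to any server, SMTP to one relay), audits a handful of constructed flow records against it, flagging anything else the NVR sends out plus any inbound telnet toward it, and emits the equivalent iptables FORWARD rules for the site gateway. The NVR address, the relay address, the record format and the flows are all assumptions made up for illustration.

```python
"""Egress allow-list for an NVR: audit flow records against it and emit the
matching iptables FORWARD rules.  Added example; every address, the record
format and the sample flows are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

NVR_IP = ipaddress.ip_address("192.168.1.50")            # assumed NVR address

# Approved outbound destinations (assumed): NTP to any server, SMTP submission
# to a single mail relay.  Anything else leaving the NVR is a finding.
ALLOWED = {
    ("udp", 123): [ipaddress.ip_network("0.0.0.0/0")],         # NTP
    ("tcp", 587): [ipaddress.ip_network("203.0.113.25/32")],   # assumed relay
}

MIRAI_TELNET_PORTS = (23, 2323)   # inbound telnet is the Mirai vector


@dataclass(frozen=True)
class Flow:
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line):
    """Parse one 'proto src:sport > dst:dport' record (constructed format)."""
    proto, rest = line.split(None, 1)
    left, right = rest.split(">")
    src, sport = left.strip().rsplit(":", 1)
    dst, dport = right.strip().rsplit(":", 1)
    return Flow(proto.lower(), ipaddress.ip_address(src), int(sport),
                ipaddress.ip_address(dst), int(dport))


def is_allowed_egress(flow):
    """True only if (proto, dport) is approved and dst is inside an approved net."""
    nets = ALLOWED.get((flow.proto, flow.dport), [])
    return any(flow.dst in net for net in nets)


def audit(lines):
    """Return (unexpected_outbound, inbound_telnet) lists of Flow objects."""
    unexpected, telnet = [], []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        if f.src == NVR_IP and not is_allowed_egress(f):
            unexpected.append(f)
        if f.dst == NVR_IP and f.proto == "tcp" and f.dport in MIRAI_TELNET_PORTS:
            telnet.append(f)
    return unexpected, telnet


def iptables_rules():
    """FORWARD rules for the gateway: accept approved egress, drop everything else
    from the NVR.  The final DROP's packet counter is the early-warning signal."""
    rules = []
    for (proto, port), nets in ALLOWED.items():
        for net in nets:
            rules.append(f"iptables -A FORWARD -s {NVR_IP} -d {net} "
                         f"-p {proto} --dport {port} -j ACCEPT")
    rules.append(f"iptables -A FORWARD -s {NVR_IP} -j DROP")
    return rules


# Constructed sample records, not real traffic (TEST-NET addresses).
SAMPLE_FLOWS = """\
udp 192.168.1.50:51234 > 198.51.100.7:123
tcp 192.168.1.50:49152 > 203.0.113.25:587
tcp 192.168.1.50:49153 > 198.51.100.200:6667
tcp 198.51.100.99:40001 > 192.168.1.50:23
tcp 192.168.1.10:50000 > 192.168.1.50:37777
""".splitlines()

if __name__ == "__main__":
    unexpected, telnet = audit(SAMPLE_FLOWS)
    for f in unexpected:
        print(f"unexpected egress: {f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport}")
    for f in telnet:
        print(f"inbound telnet:    {f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport}")
    print("\n".join(iptables_rules()))
```

Run it as a script to see the two findings (the NVR talking to an unapproved port, and an inbound telnet connection) followed by the three rules. Records from a real gateway (conntrack, NetFlow) need their own parse_flow, but the policy check is unchanged. Keying the allow-list on destination, protocol and port means that even a compromised unit can only reach NTP and the relay; a rising counter on the final DROP rule is the first sign it is trying to call out.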
Brian Karas
Nov 19, 2016
IPVM

Jon -

Mirai is propagating via telnet, which there should be no reason to keep open. Make sure there is no port-forward for telnet, reboot the unit, and it should be clean.

What you are describing almost sounds like a different hack/vulnerability, which would be interesting to get more data on if that is true.
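
Editor's note: to check Brian's point from outside the network, the probe below (an added example, not from the thread) attempts a TCP handshake to 23 and 2323, the two telnet ports the Mirai scanner targets, and reads whatever the service sends first, which on an exposed device is the telnet option negotiation or a login prompt. The target host is the caller's own public IP, supplied on the command line; nothing here is taken from the original post. The self-check at the bottom opens a fake greeter on a localhost port so the probe can be exercised offline.

```python
"""Probe a host for telnet on the ports Mirai scans (23 and 2323).
Added example; the target host is supplied by the user, not from the thread."""
import socket
import sys
import threading

MIRAI_TELNET_PORTS = (23, 2323)   # ports the Mirai scanner targets


def open_tcp_ports(host, ports=MIRAI_TELNET_PORTS, timeout=2.0):
    """Return the ports on which `host` completes a TCP handshake."""
    found = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.append(port)
        except OSError:            # refused, filtered, or timed out
            pass
    return found


def banner(host, port, timeout=2.0):
    """Return up to 256 bytes the service volunteers after connect
    (telnet negotiation or a login prompt), or b'' if it sends nothing."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(256)
    except OSError:
        return b""


def probe(host, ports=MIRAI_TELNET_PORTS, timeout=2.0):
    """Map each open port to its banner; an empty dict means no telnet exposed."""
    return {p: banner(host, p, timeout) for p in open_tcp_ports(host, ports, timeout)}


def demo_local_listener():
    """Offline self-check: run a fake telnet greeter on an ephemeral localhost
    port and confirm the probe finds it and reads the greeting."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(4)
    srv.settimeout(3.0)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except OSError:        # timeout or listener closed: done
                return
            try:
                conn.sendall(b"login: ")   # constructed greeting, not a real device's
            except OSError:
                pass
            conn.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    result = probe("127.0.0.1", ports=(port,), timeout=2.0)
    stop.set()
    socket.create_connection(("127.0.0.1", port), timeout=2.0).close()  # wake accept()
    t.join(timeout=4.0)
    srv.close()
    return port, result


if __name__ == "__main__":
    if len(sys.argv) > 1:
        found = probe(sys.argv[1])
        print("telnet exposed:", found if found else "none")
    else:
        port, result = demo_local_listener()
        print(f"self-check on 127.0.0.1:{port}: {result}")
```

Run it from a host outside the site against the public IP; with no argument it runs the self-check. A clean result only says the telnet vector is shut. As Brian notes, a recurring "service" account points at something else, and since a reboot clears only what is running in memory, the port-forward has to be gone before the reboot or the unit will be back in a botnet within minutes.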

John Honovich
Nov 19, 2016
IPVM

"leaves a note behind that the NVR was hacked."

What does the note say? I am curious.

Undisclosed #2
Nov 19, 2016
IPVMU Certified

And how long does it take to be infected, on average?

John Honovich
Nov 19, 2016
IPVM

Related: this was on Twitter yesterday, infected in 98 seconds.

Jon Dillabaugh
Nov 19, 2016
Pro Focus LLC

This particular hack has been around for a long time. The attacker creates a new user named "service" and leaves a note on the account "your_device_has_been_hacked_ple". If you Google that string, you will find some other people talking about this hack going back a few years.

Like I've been saying for a while now, Dahua exposures vastly outnumber any Hikvision issues.

John Honovich
Nov 19, 2016
IPVM
Jon Dillabaugh
Nov 19, 2016
Pro Focus LLC

https://depthsecurity.com/blog/dahua-dvr-authentication-bypass-cve-2013-6117

Jake Reynolds seems to be somewhat of an expert on the Dahua vulnerabilities. You may want to reach out to him.
