Move Over Dahua, Xiongmai Is The Real Botnet King
From a recent report by Flashpoint
Manufacturer of Upstream Devices Identified
While investigating the recent large-scale DDoS attacks against targets including Krebs On Security and OVH, Flashpoint identified the primary manufacturer of the devices that utilize the default username and password combination known as root and xc3511, respectively. These types of credentials exist all across the Internet and are commonly used via Telnet to access numerous types of DVRs. In fact, countless DVR manufacturers buy parts preloaded with Linux and rudimentary management software from a company called XiongMai Technologies, located in Hangzhou, China. This company sells white-labeled DVR, NVR and IP Camera boards and software to downstream vendors who then use it in their own products. Altogether, over five-hundred thousand devices on public IPs around the world appear susceptible to this vulnerability.
... In fact, the majority of media coverage surrounding Mirai has outed Dahua products as a primary source of compromised devices. However, Flashpoint’s analysis of the attack data shows that while Dahua devices are indeed being compromised, a very large percentage of the IPs involved in the DDoS attacks were hosting XiongMai Technologies-based products. The Dahua devices were identified early because of their distinctive interface and recent use in other botnets.
10/07/16 10:32pm
Well... Damn.
Here I was ready to take all the shots necessary for my team >.>
That doesn't mean we can relax though. I'm still gonna hammer Dahua to get on a gigantic cybersecurity kick...in addition to making sure their smart codec isn't some weird proprietary isolated thing... and adding Control4 compatibility across the board.
Dahua...can you please hire more programmers and get your code on GitHub?
*sigh*
Good find, good share.
Some more info on XiongMai. The reason why XiongMai is so poorly known is that they provide modules / kits like so:
Here's a list of their IP All-In-One IP camera modules.
XiongMai, according to the people I spoke to, is the biggest provider in this space, and the most common provider for small 'manufacturers' / 'assemblers' that want a low cost / simple option.
What I have not figured out is how to determine who is using XiongMai (has to be a lot but not sure who). One person suggested tracking down MAC addresses / OUIs. I did a reverse OUI lookup with a few variants of XiongMai's name but did not see any matches.
Anyone have any input of who's using XiongMai?
Dahua really has been surpassed by XiongMai, take a look at this copy:
After the speech, discussion went into a climax state, wonderful summit forum ignited the sparks of thinking. The president of Hikvision Yangzhong Hu, CEO of Dahua LeiLiang, Chairman of Chuanggao security ChenLi, Chief engineer of Shideanlegrand were discussing fiercely around the theme of “ how to play when the intelligent household into <free> mode”. For the market of intelligent household is mess, what is the real meaning to the users?
The president of Hik and CEO of Dahua were fiercely sparking in a climatic discussion?
About how to play in the household? Sounds interesting.
Longse / Cantonk just sent a mailer emphasizing supporting XiongMai (XM):
Cantonk IP Camera Advantage:
* Hikvision & XM private protocol support
What I am not sure about is whether Longse / Cantonk uses XiongMai. Also, not sure how Longse / Cantonk is allowed to support Hikvision's private protocol. Anyone with info here?
John,
Test results from 3 different XM camera modules might shed some light on why you couldn't find XM in the OUI database.
Each camera module tested identified its vendor as H264DVR while the OUI lookup did not.
| Model | OUI | Company (as per Wireshark OUI Lookup Tool) |
|---|---|---|
| IPG-50H10-S | 00:12:13 | Metrohm AG |
| IPG-53H20-S | 00:3E:0B | "No Matches" |
| IPG-54H20PL-S | 00:12:15 | iStor Networks, Inc. |
3 different modules with 3 different OUIs and none of them registered to XM.
(Note that even though the modules were obtained from 3 different sources, all 3 modules were received complete with attached XM part numbers, model numbers and bar codes.)
XM camera modules are easy to find on eBay also - there are many vendors. Searching for the XM model number will give you some direct hits. Searching for the SoC & imager part numbers (which you can get from the XM website) will give you many more.
Does anyone have an explanation for the XM OUIs?
Even if XM is actually manufacturing for Metrohm AG and iStor Networks (and therefore allowed to use their OUIs), what would be the explanation for the unlisted OUI (00:3E:0B)?
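The OUI cross-check described in the two posts above (reverse-looking-up the first three octets of a MAC, and noticing that the device's own vendor string does not agree with the registry) can be automated for an inventory of your own network. The script below is an added example written for this discussion, not code from the thread or from any vendor: the OUI registry is a small constructed stand-in for the IEEE list (the entries for 00:12:13, 00:12:15 and 00:3E:0B are the results reported in the post; the A4:B0:C0 entry and all lower MAC bytes are made up), the device list is constructed sample input, and the vendor-string comparison is a simple substring heuristic. Its purpose is to surface devices whose MAC prefix is unregistered or belongs to a company other than the one the device claims, so those units can be inspected individually rather than trusted on the strength of the OUI.

```python
"""OUI-based device inventory cross-check (added example, not from the thread).

Input: MAC addresses plus the vendor string each device reports about itself
(e.g. from a DHCP hostname, a web UI banner or an ONVIF/UPnP announcement).
Output: the devices whose registry vendor is missing or disagrees with the
self-reported vendor, which is exactly the pattern observed on the XM modules.
"""
import re

# Constructed stand-in for the IEEE OUI registry. The first three entries are
# the lookups reported in the thread; 00:3E:0B is deliberately absent because
# the Wireshark tool returned "No Matches" for it. A4:B0:C0 is a made-up
# placeholder for a vendor whose devices report a consistent name.
OUI_REGISTRY = {
    "001213": "Metrohm AG",
    "001215": "iStor Networks, Inc.",
    "A4B0C0": "Example Vendor (constructed)",
}


def normalize_mac(mac: str) -> str:
    """Accept 00:12:13:aa:bb:cc, 00-12-13-aa-bb-cc, 0012.13aa.bbcc or bare hex
    and return the 12 uppercase hex digits of the 48-bit address."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def oui_of(mac: str) -> str:
    """The OUI is the first 24 bits (six hex digits) of the address."""
    return normalize_mac(mac)[:6]


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet marks a locally administered address
    (randomized, virtual or hand-assigned); a registry lookup on it is meaningless."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


def classify(mac: str, reported_vendor: str, registry=OUI_REGISTRY):
    """Return (oui, registry_vendor_or_None, verdict) where verdict is one of
    'locally-administered', 'unregistered', 'mismatch' or 'consistent'."""
    oui = oui_of(mac)
    if is_locally_administered(mac):
        return (oui, None, "locally-administered")
    vendor = registry.get(oui)
    if vendor is None:
        return (oui, None, "unregistered")
    # Substring heuristic: "Metrohm AG" does not contain "H264DVR", so the
    # module that calls itself H264DVR on a Metrohm OUI is flagged.
    if reported_vendor and reported_vendor.lower() not in vendor.lower():
        return (oui, vendor, "mismatch")
    return (oui, vendor, "consistent")


# Constructed sample inventory: the OUIs from the thread with made-up lower
# bytes, one consistent placeholder device and one locally administered address.
SAMPLE_INVENTORY = [
    {"mac": "00:12:13:01:02:03", "reported": "H264DVR"},
    {"mac": "00-3e-0b-04-05-06", "reported": "H264DVR"},
    {"mac": "0012.1507.0809", "reported": "H264DVR"},
    {"mac": "A4:B0:C0:0A:0B:0C", "reported": "Example Vendor"},
    {"mac": "02:00:00:0D:0E:0F", "reported": ""},
]


def audit(inventory, registry=OUI_REGISTRY):
    """Return the devices that deserve a closer look: unregistered OUI, or an
    OUI registered to a company other than the one the device claims to be."""
    flagged = []
    for dev in inventory:
        oui, vendor, verdict = classify(dev["mac"], dev["reported"], registry)
        if verdict in ("unregistered", "mismatch"):
            flagged.append({**dev, "oui": oui, "registry_vendor": vendor,
                            "verdict": verdict})
    return flagged


if __name__ == "__main__":
    for dev in audit(SAMPLE_INVENTORY):
        print(f"{dev['mac']:<20} oui={dev['oui']} reported={dev['reported']!r} "
              f"registry={dev['registry_vendor']!r} -> {dev['verdict']}")
```

Run against a real ARP or DHCP export, replace `OUI_REGISTRY` with the full IEEE list; the three thread devices come out as two mismatches (Metrohm AG and iStor Networks OUIs on devices calling themselves H264DVR) and one unregistered OUI, while the placeholder vendor and the locally administered address are left alone.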