Chesapeake & Midlantic
Update: this researcher says he found the same malware running on a router as well.
Update two: it's mining Litecoin, not Bitcoin.
Update three: this is what happens when everyone goes to ISC without me and I have too much coffee.
IPVMU Certified | 04/02/14 02:02pm
I am unclear on the mechanics of Bitcoin/digital currency miners. What do they do? Aren't these voluntary downloads?
Not sure if this is related to this incident but our spider just picked up a strange announcement from Hikvision:
"With the popularity of network video surveillance, more and more networking products are used in public networks, such as Network Video Recorders, Network Cameras, and Routers. But the public network environment is more vulnerable than an internal network. Your devices might be attacked by various viruses, like malicious network scanning, if the devices are used in public networks without any modification of their default passwords.
We get to know some of our customers do not change the default passwords, which might cause heavy damages and losses.
Therefore, we hereby strongly recommend you to change the default passwords of the networking devices before using in public network."
It's weirdly vague and yet ominous.
It seems like the whole issue is an exploit in the Synology NAS (or their Surveillance Station application)...
Can anyone hazard a guess as to why Hik boxes are the only DVRs they've found scanning port 5000 for vulnerable Synology boxes? The malware appears to be able to reside in various networked devices... why no other DVRs?
Note: Hikvision contacted us and said that they will post an official response.
The Hikvision webpage our spider picked up has been removed, and an earlier notice from Hikvision directly posted by a member was deleted, per their request.
For those of you concerned about security issues, the big threat right now is Heartbleed.
John- here is the official response:
Actions Taken Against Third Party Virus Causing Network Cameras Scanning Attacks
April 9th, 2014 – On November 26, 2013 Hikvision became aware of an alert regarding a continuous scanning attack that can potentially be launched by a limited number of our network cameras. Since then, we worked diligently to resolve the issue and address the users’ concerns. We investigated the IP address provided, as well as the devices involved, including network cameras and network DVRs. Upon thorough analysis, we determined that the reason for the scanning attack was a worm virus called Linux Darlloz.
The investigation discovered that all the network cameras infected with the virus were connected to the public internet without changing the default user name and password. The virus attempted to discover the password according to the password dictionary until cracking it. Upon implanting the script file, the network camera becomes a source of virus to attack the other network devices. After restarting the network camera, the script file will be eliminated, however the risk of being attacked is still there if no fix is adopted. The risk of virus attack is caused by the connection of devices to the public network directly without changing the default user name and password.
Problem Process and Tracking
Our company took immediate and decisive action after Symantec has detected the virus on Nov. 26, 2013. Since December 2013, firmware of all the network cameras and DVRs has been updated, and all the inventory products have been upgraded to protect them from being attacked by Linux Darlloz worm virus.
We took the following actions to enhance the security awareness of users to avoid the possibility of being attacked by such virus.
- Device on Public Network Security Notice was added to the bulletin board of our global website to notify users of the possible risks of using their devices on public network. We also asked the users to change the default password to avoid risks as the network attack and privacy leaking.
- Users can now download the firmware from our website to upgrade their devices to avoid the attack.
- Public network security awareness campaign targeting our partners and distributors was conducted through our partners and distributors. Distributor Monthly magazine, on-site communication, training, and other available communication channels.
With decades of experiences on the surveillance industry, Hikvision attaches great importance to network and information security. With the establishment of Hikvision Security Response Center, effective communications protocol and cooperation with National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC), the China National Vulnerability Database (CNVD) and other industry recognized critical infrastructure platforms we were able to increase the investment into internet applications security. Hikvision is dedicated to continuously improving the security of our products and solutions, and is committed to complete security assurance for the users. We thank you for your continuous support.
Hangzhou Hikvision Digital Technology Co., Ltd.
Appendix 1: Introduction of the Hikvision Security Response Center
The Hikvision Security Response Center is a platform which is dedicated to take feedback, handle and disclose the security flaws of the Hikvision products and solutions. Hikvision pays great importance on its own security, and has taken the user security as its responsibility since the day it is found.
- Hikvision pays great importance on security of the products and business. We promise that any feedback on the security flaw will be heard, analyzed and processed in time.
- Hikvision supports any responsible disclosure and process of the security flaw. We promise that we will protect the users’ interests and we will reward and be grateful for those who help us to improve the security quality.
- Hikvision objects and condemns the hacking action which damages the user’s interests taking flaw test as its excuse, including but not limited to the stealing of the user privacy and virtual property, hacking the business system, and maliciously spread the security flaws.
- Hikvision believes that the handling and process of every security flaw and the improvement of the whole surveillance industry cannot be separated with the cooperation of each party. Hikvision hopes to promote the cooperation with other enterprises of the industry, the Security Company and investigators to maintain the information security of the industry.
The Hikvision Security Response Center is built, and the related Chinese and international webpage is created to take feedbacks, handle and disclose the security flaws of the Hikvision products and solutions.
Build connection with the dark cloud website, National Internet emergency coordination center, the National Information Security Flaw Share Platform.
- Reporting Security Flaw
Please send email to HSRC@hikvision.com to report the security flaw.
- Reviewing Security Flaw
1) Hikvision Security Response Center of Hikvision will confirm and review the security flaw in one work day.
2) In three work days, the staff of Hikvision Security Response Center will handle the problem and get a conclusion. If necessary, the staff may contact the reporter for assistance.
- Fixing Security Flaw
The time of fixing will be determined by the severity of the flaw and the difficulty of handling it. High risk flaw should be fixed in 24 hours, medium risk should be fixed within 3 work days, and low risk should be fixed in 7 work days. In case the security flaw is affected by the new version delivery, the fixing time will be determined according to real situation. Emergent security announcement will be published for severe security flaw.
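The thread above notes two things a defender can act on: infected DVRs were found scanning port 5000 for Synology boxes, and Hikvision's response says the implanted script is wiped by a reboot, so an infected camera can silently re-infect and resume scanning without anyone noticing. A cheap way to catch that behaviour is to watch for a single internal host fanning out to many distinct destinations on one port. The script below is an added example written for this discussion; it is not code from IPVM, Hikvision, Symantec or any poster. The log format (`src=`/`dst=`/`dport=`/`proto=` fields), the sample lines and the thresholds (ten distinct targets within five minutes) are all constructed for the example, and it generalises to any port, not just 5000.

```python
"""Flag internal hosts that fan out to many distinct addresses on one TCP port.

Added example, not from the thread or from Hikvision: a small detector a
defender could run over exported firewall or NetFlow-style connection logs
to spot a DVR or camera that has started scanning.  The log line format,
the sample lines and the thresholds below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) log format: "<ISO timestamp> src=A dst=B dport=N proto=P"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "proto": m.group("proto").lower(),
    }


def find_scanners(lines, port=5000, window=timedelta(minutes=5), min_targets=10):
    """Return {src: distinct_target_count} for every source that contacted at
    least `min_targets` distinct destinations on TCP `port` inside any sliding
    `window`.  Repeated hits on the same destination count once, so a client
    legitimately talking to one NAS on port 5000 is not flagged."""
    per_src = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dport"] == port and rec["proto"] == "tcp":
            per_src[rec["src"]].append((rec["ts"], rec["dst"]))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            best = max(best, distinct)
        if best >= min_targets:
            flagged[src] = best
    return flagged


# Constructed sample log: one DVR sweeping a /24 on port 5000, one workstation
# talking repeatedly to a single NAS on 5000, one host busy on port 80, and a
# line that does not parse at all.
SAMPLE_LOG = [
    f"2014-04-02T01:12:{i:02d} src=192.0.2.10 dst=198.51.100.{i + 1} dport=5000 proto=tcp"
    for i in range(12)
] + [
    "2014-04-02T01:15:00 src=192.0.2.20 dst=198.51.100.50 dport=5000 proto=tcp",
    "2014-04-02T01:15:30 src=192.0.2.20 dst=198.51.100.50 dport=5000 proto=tcp",
    "2014-04-02T01:16:00 src=192.0.2.20 dst=198.51.100.50 dport=5000 proto=tcp",
] + [
    f"2014-04-02T01:20:{i:02d} src=192.0.2.30 dst=203.0.113.{i + 1} dport=80 proto=tcp"
    for i in range(15)
] + ["garbage line that does not parse"]


def scan_report(lines=SAMPLE_LOG, port=5000):
    """Convenience wrapper used by the demo and the checks below."""
    return find_scanners(lines, port=port)


if __name__ == "__main__":
    for src, n in scan_report().items():
        print(f"{src}: {n} distinct hosts on tcp/5000 within 5 minutes")
```

On the constructed sample only the DVR at 192.0.2.10 is reported; the workstation that hits one NAS three times is not, because distinct destinations, not connection count, drive the alert. Run against real exports, a hit on a camera or DVR subnet is a cue to pull the unit off the public network, change the default credentials and apply the updated firmware rather than simply rebooting it.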
Bob, thanks for the follow up. Can you elaborate on this section?
"Since December 2013, firmware of all the network cameras and DVRs has been updated, and all the inventory products have been upgraded to protect them from being attacked by Linux Darlloz worm virus."
Does that mean that people who have older Hikvision DVRs without the new firmware are still vulnerable to this virus (if they are using default passwords)? Also, if new firmware is needed to protect the units, where can that firmware be found / downloaded?
Bob, thanks for this thorough and detailed response.
Does Hikvision have any plans to force users to change the default password on initialization, as discussed previously?
Bob, which versions of the firmware are affected and which versions fix the problem?
FWIW, HikVision Camera firmware 5.1 has a date of 12/2/2013 (I upgraded my Hikvision Cameras to that Version in December)