Hacked DVRs Surge To 400,000

Author: Brian Karas, Published on Oct 19, 2016

The global internet is under attack from record breaking botnets. And it is getting worse, Mirai doubled in size in the last month.

Shamefully, the video surveillance industry is mostly to blame.

New Mirai Research

New research from Level 3 provides deeper insight into Mirai:

Prior to the Mirai source code release, we identified approximately 213,000 bots using this method.  Since the code release, multiple new Mirai botnets have accumulated an additional 280,000 bots, bringing the count of Mirai bots to 493,000.  The true number of actual bots may be higher based on an incomplete view of the infrastructure.

This would be bad enough, but the security industry, at the center of this growth, gets a black eye:

The majority of these bots are DVRs (>80percent)

And if you think these bots are outside of the US, in some country with unskilled installers leaving ports open you are wrong:

The highest fraction of devices used are located in the United States (29 percent) 

Level 3 Overview

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

Level 3 is a global network communications company, connecting the core of the internet, which also gives them an ability to observe and analyze internet traffic patterns. When botnets erupt, Level 3 inadvertently becomes becomes a pawn in their game, but they also get an ability to deconstruct how the botnet is propagating and being controlled.

The Problem Will Not Go Away On Its Own

Attackers have recognized that IoT devices, particularly DVRs, NVRs, security cameras, and related devices make ideal targets, in some cases the same device is exploited by multiple malware variants:

Of the hosts we are confident have been assimilated by the Mirai botnet, 24 percent of them overlap with bots known to be used in gafgyt attacks.  Such a high overlap indicates that multiple malware families are targeting the same pool of vulnerable IoT devices.

Gafgyt is an earlier botnet that Mirai is suspected to be based on.

As long as these devices remain insecure and exploitable, there is every reason to believe they will continue to be taken over by botnet malware, and that the complexity of the malware will evolve, possibly to scan local networks for other exploitable devices that do not have inbound ports open, but can communicate outbound as attackers.

Botnet Scanners Do Not Discriminate

The Mirai botnet relies heavily on Dahua and XiongMai, but a similar botnet could be built on exploitable Axis cameras, or ADI/Tri-Ed cameras that have not been upgraded

Test Your Network

An Nmap scan of your network can help identify open ports like telnet (port 23) or SSH (port 22) that typically are used by botnets for infection, and generally are not required for standard camera/recorder access. Our Nmap tutorial shows how to use Nmap and interpret the results.

Security Integrators Need To Take Action

Although security integrators may be able to justify ignoring Mirai, they are the best chance for stopping it from doubling in size yet again. Manufacturers are shipping exploitable products, and customers (especially those without dedicated IT departments) do not always understand the risks of connecting camera and recorders to the internet. This leaves the integrator stuck in the middle, as they often are, as the best resource to solve this problem and help save the reputation of the industry.

 

Vote

Comments (37): PRO Members only. Login. or Join.

Related Reports on Hacking

Last Day - IP Networking Course May 2017 on Apr 26, 2017
Today is the last day to register for the May IP Networking Course. This is the only networking course designed specifically for video...
Chinese 'Attacking Us From Every Direction', Says US FBI on Apr 25, 2017
"Chinese eating our lunch. Attacking us from every direction" said the US FBI's Deputy Director Andrew McCabe at the ASIS 2017 CSO Summit. .@FBI...
Dahua Manager: Lots of Backdoors Beyond Dahua or Hikvision on Mar 29, 2017
A Dahua technical manager has fired back at criticisms of Dahua's backdoor, posting publicly what many at Dahua have privately been saying for the...
Uniview Weak Local / Strong Remote Password Policy Tested on Mar 14, 2017
With the continuing onslaught of cyber-security breaches (see Dahua backdoor recently discovered, Hikvision defaulted devices getting hacked)...
Genetec Comments on Washington DC MPD Hack on Mar 13, 2017
This January, the Washington DC police video surveillance system was hacked with ransomware, impacting 123 of 187 cameras. Last month, IPVM...
Hikvision New Security Vulnerability on Mar 12, 2017
Hikvision has disclosed a new security vulnerability that affects 200+ of their IP cameras over the past few years. In this note, we examine the...
FLIR Responds to Dahua Backdoor on Mar 10, 2017
FLIR is the first Dahua OEM partner to issue a statement following Dahua's backdoor disclosure: Certain FLIR and Lorex branded products that...
Hikvision Firmware Decrypted on Mar 09, 2017
A developer has decrypted Hikvision's firmware, allowing examination of Hikvision's device source code and contents. In this report, we overview...
Dahua Backdoor Uncovered on Mar 06, 2017
A major cyber security vulnerability across many Dahua products has been discovered by an independent researcher, reported on IPVM, verified by...
Who Is Hacking Hikvision Devices? on Mar 06, 2017
Someone or organization is mass hacking Hikvision devices, actively and systematically running a script / program across the Internet that looks...

Most Recent Industry Reports

Avigilon Discontinuing Rialto Analytics Line on Apr 27, 2017
Avigilon is informing dealers/partners that the legacy VideoIQ Rialto products have been discontinued, recommending the newer ACC ES Analytics...
A Marketing Home Run For Knightscope - Man Attacks Robot on Apr 27, 2017
We criticize Knightscope regularly - their lack of revenue, their trying to fool mom 'n pop investors, their associating themselves with a clueless...
The World's First Fashion IP Camera From Amazon on Apr 27, 2017
Some analytics cameras can tell you if a person is jumping a fence, or loitering in a secure area, but none of them can tell you if the person...
Last Day - IP Networking Course May 2017 on Apr 26, 2017
Today is the last day to register for the May IP Networking Course. This is the only networking course designed specifically for video...
Hikvision EZVIZ Amazon Scam Revealed on Apr 26, 2017
Hikvision is violating US Federal Trade Commission guidelines and Amazon rules with a "Honest" Review Program scheme that provides gift cards to...
Anixter CEO Admits Price Deflation and Non-Exclusive Integrator Sales on Apr 26, 2017
Anixter's CEO has admitted to (1) price deflation impacting IP camera sales and (2) not always being 'exclusive' with security integrators. In...
Xandem Next Gen Intrusion Tested on Apr 26, 2017
Xandem's "full coverage motion tracking technology" is unlike any intrusion technology we have seen. We bought their new system and tested it...
Tri-Ed Favorability Results on Apr 25, 2017
Tri-Ed, owned by Anixter, far outranked Anixter, the lowest ranked company in our distributor favorability series. Still, Anixter's ownership did...
Eagle Eye Exec On Mountain Of Servers - VSaaS Growth Analysis on Apr 25, 2017
Eagle Eye VP of Operations, Hans Kahler, posted a picture of himself sitting on top of a shipment of new servers, as a testament to the companies...
Chinese 'Attacking Us From Every Direction', Says US FBI on Apr 25, 2017
"Chinese eating our lunch. Attacking us from every direction" said the US FBI's Deputy Director Andrew McCabe at the ASIS 2017 CSO Summit. .@FBI...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact