Hacked DVRs Surge To 400,000

Author: Brian Karas, Published on Oct 19, 2016

The global internet is under attack from record breaking botnets. And it is getting worse, Mirai doubled in size in the last month.

Shamefully, the video surveillance industry is mostly to blame.

New Mirai Research

New research from Level 3 provides deeper insight into Mirai:

Prior to the Mirai source code release, we identified approximately 213,000 bots using this method.  Since the code release, multiple new Mirai botnets have accumulated an additional 280,000 bots, bringing the count of Mirai bots to 493,000.  The true number of actual bots may be higher based on an incomplete view of the infrastructure.

This would be bad enough, but the security industry, at the center of this growth, gets a black eye:

The majority of these bots are DVRs (>80percent)

And if you think these bots are outside of the US, in some country with unskilled installers leaving ports open you are wrong:

The highest fraction of devices used are located in the United States (29 percent) 

Level 3 Overview

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

Level 3 is a global network communications company, connecting the core of the internet, which also gives them an ability to observe and analyze internet traffic patterns. When botnets erupt, Level 3 inadvertently becomes becomes a pawn in their game, but they also get an ability to deconstruct how the botnet is propagating and being controlled.

The Problem Will Not Go Away On Its Own

Attackers have recognized that IoT devices, particularly DVRs, NVRs, security cameras, and related devices make ideal targets, in some cases the same device is exploited by multiple malware variants:

Of the hosts we are confident have been assimilated by the Mirai botnet, 24 percent of them overlap with bots known to be used in gafgyt attacks.  Such a high overlap indicates that multiple malware families are targeting the same pool of vulnerable IoT devices.

Gafgyt is an earlier botnet that Mirai is suspected to be based on.

As long as these devices remain insecure and exploitable, there is every reason to believe they will continue to be taken over by botnet malware, and that the complexity of the malware will evolve, possibly to scan local networks for other exploitable devices that do not have inbound ports open, but can communicate outbound as attackers.

Botnet Scanners Do Not Discriminate

The Mirai botnet relies heavily on Dahua and XiongMai, but a similar botnet could be built on exploitable Axis cameras, or ADI/Tri-Ed cameras that have not been upgraded

Test Your Network

An Nmap scan of your network can help identify open ports like telnet (port 23) or SSH (port 22) that typically are used by botnets for infection, and generally are not required for standard camera/recorder access. Our Nmap tutorial shows how to use Nmap and interpret the results.

Security Integrators Need To Take Action

Although security integrators may be able to justify ignoring Mirai, they are the best chance for stopping it from doubling in size yet again. Manufacturers are shipping exploitable products, and customers (especially those without dedicated IT departments) do not always understand the risks of connecting camera and recorders to the internet. This leaves the integrator stuck in the middle, as they often are, as the best resource to solve this problem and help save the reputation of the industry.

 

Vote

Comments (37): PRO Members only. Login. or Join.

Related Reports on Hacking

Hikvision Barred From US City Housing Authority Bid on Feb 14, 2017
A US city's housing authority has barred Hikvision products from their bid, due to 'increasing security concerns.' In the past few...
Hikvision Pledges 'Never' 'Backdoors' on Jan 27, 2017
With criticisms rising, Hikvision has gone on the record publicly declaring: Hikvision never has, does or would intentionally contribute to...
Suffering Criticism, Hikvision Keeps Insecure Online Service Up [Now Down] on Jan 03, 2017
Hikvision suffered severe criticisms for its abrupt plan to discontinue its Hikvision Online service, with 3 core functions to be removed on Dec...
Hikvision Discontinuing Online Service on Dec 12, 2016
Hikvision has declared it will discontinue its Hikvision online service, just days after IPVM's Hikvision Cloud Security Vulnerability...
Sony IP Camera Backdoor Uncovered on Dec 06, 2016
A backdoor has been uncovered in ~80 Sony IP camera models, attackers can remotely enable telnet on the camera, and then potentially login as root,...
XiongMai Master Password List Emailed By Chinese Spammer on Dec 05, 2016
XiongMai created an international uproar as their devices drove massive botnet attacks of major Internet sites. After pledging to recall cameras...
Hikvision Cloud Security Vulnerability Uncovered on Dec 05, 2016
A security researcher uncovered a critical vulnerability in Hikvision's global cloud servers. This vulnerability allowed an attacker to remotely...
Hikvision 'Phone Home' Raises Security Fears on Nov 10, 2016
The escalating attention towards Hikvision's China government ownership and Genetec's removal of Hikvision due to cyber security concerns has...
Genetec Expels Hikvision on Nov 08, 2016
Genetec has removed support for Hikvision devices, deeming them 'untrustworthy', citing customer concerns about Chinese government ownership /...
Now Knocking A Country Offline - The Video Surveillance Driven Botnet Wreaks Havok on Nov 03, 2016
The video surveillance driven botnet is now attacking an entire country. The Mirai malware that took advantage of poor security in Xiongmai, Dahua...

Most Recent Industry Reports

Hikvision Pyronix Releases 'Huge' New Panel on Feb 27, 2017
Hikvision's 2016 acquisition Pyronix has been touting their 'huge' new large system panel. Indeed, the new Euro 280 claims features that are better...
Bosch Favorability Results on Feb 27, 2017
Bosch is one of the most well known brands in the industry and they have combined recently with Sony in video surveillance. But how has Bosch...
ADT CEO: My Daughters Better At Installs Than Most 20 Year Techs on Feb 27, 2017
Times have changed. At the Barnes Buchanan conference, ADT's CEO Tim Whall made an interesting and, surely to some, controversial observation....
Avigilon Favorability Results on Feb 27, 2017
One of the fastest growing companies has turned into one of the rockiest, as cooling growth, management turnover and a roller coaster stock price...
Honeywell Sues Alarm.com For Violating Anti-Trust Laws on Feb 24, 2017
Is Alarm.com about to dominate the smart home software market? That is what Honeywell alleges in its new lawsuit, first reported by...
Axis: "Everything is IP" - False on Feb 24, 2017
Axis is congratulating itself, with executive Fredrick Nilsson declaring: "Now the conversion is all done and everything is IP and analog is...
Advertising Like Avigilon at the ISC West Airport on Feb 24, 2017
Avigilon has grabbed a lot of attention over the last few years advertising at the Las Vegas airport when attendees fly in. But how does that...
Artificial Intelligence Robot Assistant (ACTi) on Feb 23, 2017
Has artificial intelligence come to the video surveillance industry? ACTi has released 'SARA' which it bills as an 'AI assistant that brings...
Cutting Costs 70% Using Milestone With HD Analog on Feb 23, 2017
HD analog and enterprise VMSes are often thought of as being on opposite sides of the spectrum, with HD analog best for small jobs due to its low...
Dahua 4K HD Analog Cameras Announced on Feb 23, 2017
HD analog has been gaining popularity (even if Axis hopes otherwise). Last year, HD analog's max resolution doubled from 1080p to 4MP (see our 4MP...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact