Washington DC Surveillance Hackers Arrested

Published Dec 29, 2017 13:56 PM

The US Department of Justice has announced that "Two Romanian Suspects Charged With Hacking of Metropolitan Police Department Surveillance Cameras in Connection with Ransomware Scheme" that occurred in January 2017.

IPVM initially covered the technical details in March 2017 examining Washington DC MPD's Surveillance Equipment.

In this note, we examine the criminal complaint affidavit, the new information it provides, and the role the vendors involved, including Avrio and Genetec, played in this hack.

Comments (8)
Undisclosed #1
Dec 29, 2017
IPVMU Certified

There is no evidence that points to the hackers specifically targeting surveillance equipment, or Genetec, nor did they have any interest in the live or recorded video on the recorders.

Yes, just targeting Windows.

(1)
Undisclosed Integrator #2
Dec 29, 2017

I would say it was targeting stupidity, or laziness, more than Windows. How long would you guess it has been since those Servers have been updated?

(3)
Undisclosed Integrator #3
Jan 01, 2018

This will probably be enough to get my boss to listen to me. Thanks for sharing.

(2)
(1)
John Day
Jan 02, 2018
LMN Software Corp

I'm floored that the customer didn't require the contractor to use a VPN and that the hackers used RDP to get in - that's almost as low tech as using default passwords!

At what point do we actually use the word "negligent"? What I'd love to know is whether there was anything in the specification requiring any baseline of network security or whether this was purely the integrator leaving the system open.

Unfortunately whoever is at fault would probably claim (correctly) that this is an accepted practice in the security business.

(1)
(2)
Undisclosed #1
Jan 02, 2018
IPVMU Certified

Do you think an exposed RDP port is more or less vulnerable than a camera's exposed HTTP port?

Scott Napier
Jan 02, 2018

I would say they are close to no different, but RDP is probably scanned for more frequently, which means it is probably more of a vulnerability if my assumption is correct.

Undisclosed Integrator #3
Jan 02, 2018

I would argue that depending on a contractor to secure your critical networks is a bad idea from the start. You should have competent professionals on staff to not only enforce standards on these contractors, but also to test what they install and verify it meets all appropriate protective measures.

(1)
John Day
Jan 02, 2018
LMN Software Corp

Both are an issue - if the bad guy knows RDP vulnerabilities then he can probably get everything he needs to know off a service like Shodan. A hack using RDP would likely give the bad guy full control of the system in question - a hack of a camera would usually only give you access to the device.

Which is more vulnerable? Based on a quick Shodan search, cameras are certainly more plentiful... an RDP hack would be more destructive.

The issue with this is that anything (like RDP) that isn't essential to the operation of the system should be blocked by the firewall.

(1)
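The comment thread above argues that RDP and similar services on a recorder should be reachable only over a VPN, with everything else blocked at the firewall. The following audit script is an added example, not part of the IPVM article or any vendor's tooling: it evaluates a constructed first-match firewall rule set the way a packet from an arbitrary internet address would be evaluated, and reports which risky services (RDP, HTTP, HTTPS, VNC) would be admitted. The rule names, the 10.8.0.0/24 "VPN" subnet and the 203.0.113.7 probe address are all assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass

# Services a recorder should never accept from arbitrary internet sources.
RISKY_PORTS = {3389: "RDP", 80: "HTTP", 443: "HTTPS", 5900: "VNC"}


@dataclass
class Rule:
    name: str
    src: str          # source CIDR the rule applies to
    ports: tuple      # inclusive (low, high) destination port range
    action: str       # "allow" or "deny"


# Constructed rule set modelled on the situation in the article: RDP is
# allowed from the VPN subnet (assumed 10.8.0.0/24) but ALSO from anywhere.
SAMPLE_RULES = [
    Rule("allow-vpn-rdp", "10.8.0.0/24", (3389, 3389), "allow"),
    Rule("allow-any-rdp", "0.0.0.0/0", (3389, 3389), "allow"),   # the weak rule
    Rule("allow-web", "0.0.0.0/0", (80, 80), "allow"),
    Rule("deny-all", "0.0.0.0/0", (0, 65535), "deny"),
]

# Hardened variant: management access only from the VPN, default deny.
HARDENED_RULES = [
    Rule("allow-vpn-rdp", "10.8.0.0/24", (3389, 3389), "allow"),
    Rule("deny-all", "0.0.0.0/0", (0, 65535), "deny"),
]


def first_match(rules, src_ip, port):
    """Return the first rule matching a packet from src_ip to port.

    Models a first-match firewall; None means no rule matched (treat as deny).
    """
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        low, high = r.ports
        if low <= port <= high and ip in ipaddress.ip_network(r.src, strict=False):
            return r
    return None


def exposed_services(rules, probe_src="203.0.113.7"):
    """List (service, port, rule name) for risky ports an internet probe would reach.

    probe_src is a constructed address from the documentation range, standing
    in for "any host on the internet".
    """
    findings = []
    for port, svc in sorted(RISKY_PORTS.items()):
        r = first_match(rules, probe_src, port)
        if r is not None and r.action == "allow":
            findings.append((svc, port, r.name))
    return findings


if __name__ == "__main__":
    for label, rules in (("as found", SAMPLE_RULES), ("hardened", HARDENED_RULES)):
        print(label, "->", exposed_services(rules) or "nothing exposed")
```

Run against the "as found" rules the script flags HTTP and RDP as internet-reachable, naming the rule responsible; the hardened set exposes nothing while still admitting RDP from the VPN subnet.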