Botnet Leverages Hikvision Critical Vulnerability For DDoS Attacks And "Extracting Sensitive Data From Victims"
A Mirai-based botnet, Moobot, is targeting devices left vulnerable after Hikvision's 9.8-rated critical vulnerability disclosed in September 2021. The attacks include "extracting sensitive data from victims", which Hikvision recently argued was "literally impossible".
Cybersecurity concerns are a long-standing issue for Hikvision: the 2019 NDAA banned federal use of its products, and the US government is planning to ban further FCC authorizations.
In this report, we look at the Moobot botnet, how it works, what devices are impacted, and Hikvision's response.