Closed Circuit Cameras, NAS Devices Enrolled in Botnet

A network of 900 closed circuit cameras was involved in a denial of service attack against a cloud-based service, said the firm Imperva.

In-brief: A network of 900 closed circuit cameras was involved in a denial of service attack against a cloud-based service, said the firm Imperva*.

Add closed circuit cameras to the list of vulnerable devices that may pose a risk to individuals and businesses. That's according to a report from the security firm Imperva.

In a blog post on Wednesday, researcher Ofer Gayer said that malware-compromised closed circuit cameras were observed taking part in a small-scale denial of service attack against a customer. Further investigation found 900 closed circuit cameras, globally – including one operating just a short distance from the security firm’s offices. Researchers believe the cameras were accessed using default administrator credentials, which were not changed after the device was activated.

IP-enabled connected cameras are among the most common form of connected device and are widely deployed in businesses as well as homes. Researchers and hackers have long pointed out that the devices are highly vulnerable to compromise. For example, in 2013, Apple Store favorite IZON cameras were reported to be vulnerable to attack. Then, in 2014, the US Federal Trade Commission (FTC) announced a settlement with TRENDnet, Inc. over lax security features in its line of SecurView cameras. In fact, this isn’t the first time Imperva has warned of malware infections on closed circuit cameras. A 2014 report on DDoS activity singled out compromised CCTVs, as well.

In this case, Imperva discovered the infections as part of an investigation into a distributed denial of service attack on what it described as a “rarely-used asset” at a “Large cloud service.” The attack used a flood of HTTP GET requests, at a rate of around 20,000 requests per second, to try to disable the cloud-based server. The traffic originated from around 900 CCTV cameras distributed globally, including one located at a storefront in a mall near the firm.
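For defenders, the pattern described above (GET requests from many sources converging on one asset) can be flagged from web server access logs. The following is an added example, not code from Imperva or the original article; the Common Log Format input, the scaled-down thresholds, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def find_get_floods(lines, min_rps, min_sources):
    """Return (timestamp, path, requests, distinct_sources) for every one-second
    bucket in which GETs to a single path reach both thresholds."""
    buckets = defaultdict(lambda: [0, set()])
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(3) != "GET":
            continue  # unparseable line or not a GET
        ip, ts, _, path, _ = m.groups()
        path = path.split("?", 1)[0]  # query-string variation must not split the count
        bucket = buckets[(ts, path)]
        bucket[0] += 1
        bucket[1].add(ip)
    return sorted(
        (ts, path, count, len(sources))
        for (ts, path), (count, sources) in buckets.items()
        # Requiring many distinct sources separates a distributed flood
        # from a single noisy client hitting the same path.
        if count >= min_rps and len(sources) >= min_sources
    )

def sample_log():
    """Constructed sample: 40 sources x 5 GETs in one second against one path,
    plus ordinary traffic from three clients. Addresses are documentation ranges."""
    ts = "21/Oct/2015:10:00:01 +0000"
    lines = []
    for host in range(1, 41):
        for i in range(5):
            lines.append(
                f'198.51.100.{host} - - [{ts}] "GET /legacy/status?r={i} HTTP/1.1" 200 512'
            )
    for host in range(1, 4):
        lines.append(f'192.0.2.{host} - - [{ts}] "GET /index.html HTTP/1.1" 200 2048')
        lines.append(f'192.0.2.{host} - - [{ts}] "POST /login HTTP/1.1" 302 0')
    return lines

if __name__ == "__main__":
    # Thresholds are scaled down for the sample; the attack in the article ran
    # at around 20,000 requests per second from around 900 sources.
    for hit in find_get_floods(sample_log(), min_rps=100, min_sources=20):
        print(hit)
```
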

The cameras were running the same operating system: embedded Linux with BusyBox, which is a collection of Unix utilities designed for resource-constrained endpoints. The malware in question was a variant of a self-replicating program known as Lightaidra, which targets systems running BusyBox and exploits vulnerable Telnet/SSH services using so-called “brute force dictionary attacks” (aka “password guessing”).

Forensic evidence suggests that the cameras may have been accessed from multiple locations, which points to multiple different attackers using the same infrastructure.

And closed circuit cameras aren’t the only connected devices taking part in denial of service attacks, either. Imperva said that it is also investigating DDoS traffic linked to compromised network attached storage (NAS) devices.

Loosely managed embedded devices are an increasingly popular target of attackers, as home computers have become harder to compromise. In May, for example, Imperva identified a botnet made of SOHO (small office and home office) routers, many of them Ubiquiti home routers equipped with ARM processors. Imperva recorded traffic from more than 40,000 IP addresses associated with 1,600 ISPs worldwide. 85% of the compromised routers were located in Thailand and Brazil, the company said.

As with the CCTV devices, Imperva found the home routers were easy targets: they were remotely accessible via HTTP and SSH on their default ports, and all were configured with vendor-provided default login credentials.

(*) Note: an earlier version of this story listed the company name as Incapsula. Following an acquisition, the company’s name is now Imperva. 
