Months Old Flaw Behind the Surveillance Cam Botnet?

A network of 25,000 Closed Circuit Cameras were involved in a denial of service attack against a cloud-based service said the firm Sucuri.

In-brief: a network of 25,000 compromised closed circuit cameras has been implicated in a large denial of service attack used for cyber extortion. A known flaw in commonly used DVR technology may be to blame.

A network of thousands of compromised closed circuit cameras (CCTVs) has been implicated in a large denial of service attack – perhaps the largest such incident to date. A vulnerability in a commonly used DVR technology, first reported in March, may be to blame.

The security firm Sucuri reported this week that it had beaten back a denial of service attack directed at small, online merchants. An investigation by the firm confirmed that the attack, which lasted for days and generated up to 50,000 web requests per second, emanated from a network of tens of thousands of DVRs (digital video recorders) deployed with video surveillance systems globally.

Though the exact mechanism by which cyber criminals assembled the botnet isn’t known, Sucuri CEO Daniel Cid speculated that a vulnerability in commonly used firmware by TVT, a company based in China, may be the common thread tying the compromised cameras together.

Writing for Sucuri, Cid said that, of the more than 25,000 compromised CCTV systems that were part of the botnet, all were running Cross Web Server. That’s the same software analyzed by Rotem Kerner, a security researcher at the firm RSA, who disclosed a vulnerability in the firmware by China-based TVT in a blog post on March 22.

According to Kerner, the firmware is used by over 70 different vendors including Q-See, a brand sold by Digital Peripheral Solutions, an Anaheim, California-based company that sells closed circuit cameras at large retailers like BestBuy and Costco.

Kerner’s investigation of CCTV devices was an offshoot of research on the point of sale malware known as the BackOff Trojan. After noticing that the criminals were targeting closed circuit cameras to get a foothold on retailers’ networks, Kerner decided to dig deeper: studying the distribution of compromised CCTV devices across the Internet and investigating how, exactly, cyber criminals were compromising the devices.

His research, using data culled from a command and control server, led him to a population of over 1,000 similar, infected machines, DVR devices sporting HTTP servers that were listening on port 81/82 and port 8000 and identifying as “Cross Web Server.”

Sucuri researchers made a similar discovery this month. Devices that were participating in the botnet came from more than 100 countries, with a plurality in Taiwan (24%) and the United States (12%). A wide range of DVR vendors was represented, as well. However, under the hood, the devices were the same: all were BusyBox based and ran the Cross Web Server software.

That led Sucuri researchers to speculate that the remote code execution (RCE) vulnerability Kerner identified may have given rise to the botnet. That link hasn’t been proven, but the connection between a botnet of DVRs running Cross Web Server and the earlier RCE vulnerability in that same software is suggestive, to say the least.

According to Sucuri, the devices were used to launch a variation of the HTTP flood and cache bypass attack that generated more than 50,000 requests per second. While not large, by DDoS standards, the attacks were plenty to knock small businesses offline, like the “brick and mortar” jewelry shop that turned to Sucuri for help.
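The attack pattern described above (a sustained HTTP flood combined with cache bypass, where each request carries a different query string so that a CDN or reverse-proxy cache never serves a hit) leaves a recognizable footprint in ordinary web server logs. The following is an added example, not code from the article or from Sucuri; it assumes access logs in Common Log Format, uses a constructed sample log with three flooding sources and one ordinary visitor, and the thresholds (20 requests per second per source, 80% distinct query strings) are illustrative choices rather than anything the article specifies.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status"))}


def analyse(lines, rps_threshold=20, bypass_ratio=0.8, min_requests=5):
    """Flag sources by peak requests-per-second and by cache-bypass behaviour.

    A source is marked 'rate' when any one-second bucket reaches rps_threshold,
    and 'cache_bypass' when nearly every request carries a distinct query string
    (the classic way to force a cache miss on each hit).
    """
    per_sec = defaultdict(int)    # (ip, second) -> request count
    queries = defaultdict(set)    # ip -> distinct query strings seen
    totals = defaultdict(int)     # ip -> total requests
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        per_sec[(ip, rec["ts"].replace(microsecond=0))] += 1
        totals[ip] += 1
        queries[ip].add(urlsplit(rec["path"]).query)

    peak = defaultdict(int)
    for (ip, _sec), count in per_sec.items():
        peak[ip] = max(peak[ip], count)

    findings = {}
    for ip, n in totals.items():
        reasons = []
        if peak[ip] >= rps_threshold:
            reasons.append("rate")
        if n >= min_requests and len(queries[ip]) / n >= bypass_ratio:
            reasons.append("cache_bypass")
        if reasons:
            findings[ip] = {"requests": n, "peak_rps": peak[ip],
                            "distinct_queries": len(queries[ip]),
                            "reasons": reasons}
    return findings


def build_sample_log():
    """Constructed sample (not a real capture): three flooding sources, one normal visitor."""
    lines = []
    for ip in ("203.0.113.10", "203.0.113.11", "198.51.100.7"):
        for i in range(30):
            # Same front page every time, but a fresh query string defeats the cache.
            lines.append(f'{ip} - - [27/Jun/2016:10:00:00 +0000] '
                         f'"GET /?v={i:04x} HTTP/1.1" 200 9816')
    lines.append('192.0.2.5 - - [27/Jun/2016:10:00:00 +0000] '
                 '"GET /index.html HTTP/1.1" 200 9816')
    lines.append('192.0.2.5 - - [27/Jun/2016:10:00:01 +0000] '
                 '"GET /style.css HTTP/1.1" 200 1204')
    return lines


if __name__ == "__main__":
    for ip, info in analyse(build_sample_log()).items():
        print(ip, info)
```

On real logs, the per-second buckets are what matter: a botnet of tens of thousands of DVRs spreads the load so that no single source looks extreme, so the same analysis is worth repeating with the source key replaced by the User-Agent or the requested path, where a flood from a homogeneous device population tends to be far more uniform than legitimate traffic.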

This isn’t the first CCTV botnet, though it may be the largest reported to date. In October 2015, the security firm Imperva noted attacks emanating from a botnet of some 900 compromised CCTV and NAS (network attached storage) devices.

Security problems linked to supply chain vulnerabilities are an increasing concern. In 2014, researchers from Check Point discovered flaws in implementations of TR-069 Automatic Configuration Server (ACS) software used by a wide range of routers in homes and small businesses. TR-069 is a broadband standard for WAN (wide area network) management of customer premises equipment. Manufacturers of the routers were not implementing TR-069 ACS software in a secure manner. There have also been reports about CCTVs that shipped with malicious software.

In 2015, researchers from EURECOM and Ruhr University Bochum in Germany published research that suggested serious security flaws are worryingly common in embedded devices. The researchers emulated and tested 246 separate instances of embedded device firmware with web interfaces. Of those, 185 (75%) were discovered to have “high impact” vulnerabilities, according to a report, “Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces.”
