The Hacked Camera Botnet: Not New, Just Big

CCTV cameras are part of a massive botnet that launched large denial of service attacks last week. It's not the first time that such devices have played a role in attacks.

In-brief: More than 100,000 infected, Internet connected cameras played a part in giant denial of service attacks against a security news website last week. It’s not the first time such devices have been used to attack. 

After a series of record shattering denial of service attacks leveraged against the security website Krebsonsecurity.com and the French hosting firm OVH, the world is waking up to the reality that Internet of Things devices – “stuff” – have become a factor in cyber criminal actions.

As reported by The Security Ledger, a botnet made up, in part, by around 140,000 cameras and Internet connected digital video recorders (DVRs) is believed to be the source of a massive distributed denial of service (DDoS) attack on reporter Brian Krebs’ website and OVH, among other targets.

The web site Motherboard, citing research by the Internet provider Level 3, said that the botnet used against Krebs is made “mostly of internet-connected security cameras made by DAHUA Technology,” a U.S.-based maker of cameras and DVRs. Level 3 identified a botnet with one million devices enrolled in it earlier this year.

At the root of the compromise: a grossly insecure web interface with what sounds like a buffer overflow vulnerability that gave attackers access to the underlying Linux operating system on the DAHUA devices simply by entering a username with too many characters.
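An added illustration of the defect class described above, not code from the article or from the DAHUA firmware (whose source is not shown): a login handler that copies the submitted username into a fixed stack buffer without checking its length, beside a hardened handler that validates length and character set before copying. The field size, error codes and function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define USER_MAX 32 /* assumed size of the firmware's username field */

/* Vulnerable pattern (as the article describes): the form value is copied
 * into a fixed buffer with no bound, so a username of USER_MAX characters or
 * more overruns the stack. Kept here only to show the defect; never called. */
static int login_vulnerable(const char *username) {
    char user[USER_MAX];
    strcpy(user, username); /* no length check: overflow on long input */
    return strcmp(user, "admin") == 0;
}

/* Hardened parser: scans at most out_len bytes, rejects empty, over-long or
 * unexpected characters, and only then copies. Returns 0 on success,
 * -1 for a bad length, -2 for a disallowed character. */
int parse_username(const char *input, char *out, size_t out_len) {
    size_t n = 0;
    while (n < out_len && input[n] != '\0') {
        unsigned char c = (unsigned char)input[n];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-') return -2;
        n++;
    }
    if (n == 0 || n >= out_len) return -1; /* too long for the buffer */
    memcpy(out, input, n);
    out[n] = '\0';
    return 0;
}

/* Convenience wrapper returning the parser's verdict for a given string. */
int validate_username(const char *input) {
    char user[USER_MAX];
    return parse_username(input, user, sizeof user);
}

/* Builds a constructed username of `len` 'A's (the over-long login the
 * article describes) and reports how the hardened parser treats it. */
int check_username_of_length(size_t len) {
    char name[512];
    if (len >= sizeof name) len = sizeof name - 1;
    memset(name, 'A', len);
    name[len] = '\0';
    return validate_username(name);
}

int main(void) {
    printf("admin -> %d, 300 chars -> %d, 'ad;min' -> %d\n",
           validate_username("admin"), check_username_of_length(300),
           validate_username("ad;min"));
    return 0;
}
```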

From the article:

The hackers then planted malware on the devices to turn them into bots and use them for both DDoS attacks as well as for extortion campaigns using ransomware, Drew said. The malware targets specifically Linux devices and is part of a family that previously went by the names Lizkebab, BASHLITE, Torlus and gafgyt, according to Level 3 and others who have been investigating the attacks.

This time around, the cameras are using malware known as Mirai, according to Marshal Webb, the chief technology officer of BackConnect, an anti-DDoS firm that spoke with Motherboard. And that malware appears to be spreading rapidly online, infecting a range of Internet connected devices.

The scenario outlined by Level 3 – attackers exploiting a flaw in software used by a range of embedded devices – is very similar to one described by the firm Sucuri in June, when it encountered denial of service attacks aimed at its customers and emanating from a botnet of some 25,000 cameras and other connected systems. Sucuri CEO Daniel Cid said that all of the more than 25,000 compromised CCTV systems in that botnet were running Cross Web Server, software from the China-based firm TVT. That firmware was the subject of research by Rotem Kerner, a security researcher at the firm RSA, who disclosed a vulnerability in it in a blog post on March 22.

Cameras by the firm DAHUA are reported to be part of a large botnet responsible for crippling attacks on a cyber security news website and a French hosting firm. It wouldn't be the first time.

According to Kerner, the firmware is used by over 70 different camera vendors including Q-See, a brand sold by Digital Peripheral Solutions, an Anaheim, California-based company that sells closed circuit cameras at large retailers like BestBuy and Costco.

Similarly, the security firm Imperva noted the existence of a network of malware-compromised closed circuit cameras taking part in a small-scale denial of service attack against a customer in October 2015. Further investigation found 900 closed circuit cameras globally – including one operating just a short distance from the security firm’s offices. Researchers believe the cameras were accessed using default administrator credentials, which were not changed after the devices were activated.

It is likely that the same phenomenon is at work with the devices enrolled in the latest botnet: a common firmware or application with a trivially exploitable hole. A search on the Shodan search engine shows some 230,000 such devices that are Internet accessible globally, with most located in Brazil, China, India, the U.S. and Poland.