80,000+ Exploitable Hikvision Cameras Exposed Online

A critical command injection flaw that is present in over 80,000 Hikvision camera models has been discovered by security researchers at CYFIRMA recently. Using specially crafted messages, it is relatively easy to exploit this vulnerability.

Hikvision released a firmware update in September 2021, which addressed the vulnerability, and this vulnerability was tracked as CVE-2021-36260 vulnerability.

Hikvision is a company specializing in manufacturing and supplying video surveillance equipment. This company is a state-owned Chinese manufacturer that provides its services and equipment to civilians and the military.

Exploitation

The Moobot botnet, which is based on Mirai, abused this vulnerability in December 2021. As a result, the attacker aggressively enrolled the vulnerable systems into a DDoS swarm so that they could be attacked aggressively.

  • CVE ID: CVE-2021-36260
  • Description: It is a critical command injection flaw.
  • Severity: Critical
  • CVSS Score: 9.8

The CISA security team alerted the government and other organizations in January 2022 that CVE-2021-36260 was one of the actively exploited vulnerabilities. 

As a result of the flaw, they urged all companies to patch this flaw as soon as possible and to be aware that their devices may be vulnerable.

CYFIRMA says Russian-speaking hacking forums often sell network entrance points relying on exploitable Hikvision cameras that can be used either for:- 

  • Bbotnetting

or 

  • Lateral movement

CYFIRMA reported Cyber Security News about this incident, From an External Threat Landscape Management (ETLM) analogy, cybercriminals from countries that may not have a cordial relation with other nations could use the vulnerable Hikvision camera products to launch a geopolitically motivated cyber warfare. Cybercriminals and state-sponsored hacker groups could very easily collaborate using this avenue as an opportunity for mutual gains and to further their interests.”

Geographical Spread

As a result of the experts’ analysis, more than 285,000 Hikvision web servers with internet access were analyzed. There are approximately 80,000 vulnerable servers among the ones analyzed, making them still a relatively large number.

These are some of the countries that have the greatest number of endpoints:-

  • China
  • The United States
  • Vietnam
  • The United Kingdom
  • Ukraine
  • Thailand
  • South Africa
  • France
  • The Netherlands
  • Romania

Due to the fact that multiple threat actors are involved in exploiting this flaw at this time, the method of exploiting this flaw does not follow a specific pattern.

Recommendation

It’s also important to note that users are often subjected to weak passwords by default, either due to convenience or functionality.

There are a number of recommendations mentioned below that should be followed if you are operating a Hikvision camera:-

  • Ensure you are using the latest version of the firmware available on your device.
  • Keep your passwords strong at all times.
  • Use a firewall or VLAN to separate the IoT network from critical assets so that they can be isolated.
  • Passwords should be changed frequently, so it is important to keep them up to date.

Rise of Remote Workers: A Checklist for Securing Your Network – Download Free White paper

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.