Information security researchers report that more than 80,000 Hikvision cameras can be found on the network, vulnerable to a critical bug related to command injection. The problem is easy to exploit by using specially crafted messages sent to the vulnerable web server.
Experts from CYFIRMA spoke about the problem. According to them, the CVE-2021-36260 vulnerability was discovered and fixed by Hikvision developers with a firmware update back in September 2021. Unfortunately, however, tens of thousands of devices used by 2,300 organizations in 100 countries around the world still haven’t received these updates.
There are currently two exploits available for CVE-2021-36260. The first was published in October 2021, the second in February of this year. Because of this, vulnerable cameras can be attacked even by attackers who do not have a particularly high level of technical training.
The issue is CVE-2021-36260 and has been used in attacks before. For example, in December last year, the Mirai botnet Moobot adopted it, infecting vulnerable cameras and using them for DDoS attacks. In January 2022, the US Infrastructure and Cybersecurity Agency (CISA) warned that this vulnerability was on the list of actively exploited bugs, and attackers could “take control” of problematic devices.
As CYFIRMA experts now write, at present, on Russian-language hack forums, you can often find offers for the sale of access, which are based on hacked Hikvision cameras. They are proposed to be used either to build a botnet or to move sideways through the target company’s network.
After analyzing a sample of 285,000 Hikvision web servers connected to the Internet, the researchers found that about 80,000 of them are still vulnerable to exploitation. Most of them are located in China and the USA, while there are more than 2,000 vulnerable endpoints in Vietnam, the UK, Ukraine, Thailand, South Africa, France, the Netherlands and Romania.
Although in general operation The vulnerability is currently being implemented differently (because it is attacked by several groups of attackers), the researchers say that the bug is exploited by several Chinese hack groups, including APT41 and APT10, as well as Russian groups specializing in cyber espionage.
It is also noted that in addition to the mentioned vulnerability, Hikvision cameras have the problem of weak passwords, which are either set by the users themselves, or they are set out of the box and are not reset during the first setup. Bleeping Computer journalists note that they easily found on hacker forums several lists with credentials (some of them were generally free) for accessing video broadcasts from Hikvision cameras.