Security researchers have found that over 80,000 Hikvision cameras are vulnerable to a severe command injection flaw that can be exploited simply by sending carefully crafted messages to the device's web server. The vulnerability, tracked as CVE-2021-36260, was fixed by Hikvision in September 2021 through a firmware update. However, according to a whitepaper released by CYFIRMA, tens of thousands of systems used by 2,300 organizations across 100 countries have still not received the security update.
Threat actors of all skill levels can find and use the two publicly available exploits for CVE-2021-36260, one released in October 2021 and the other in February 2022. A Mirai-based botnet known as “Moobot” abused this exploit in December 2021 to spread quickly and recruit devices into DDoS (distributed denial of service) swarms. In January 2022, CISA added CVE-2021-36260 to its list of actively exploited vulnerabilities, urging organizations to patch it because it could allow attackers to “take control” of their devices.
According to CYFIRMA, Russian-speaking hacker forums frequently offer for sale network access obtained through Hikvision cameras, which can be used either for lateral movement or for “botnetting.” The cybersecurity company found that some 80,000 of the 285,000 internet-exposed Hikvision web servers were still exploitable. The majority of these are located in China and the United States, but there are also more than 2,000 vulnerable endpoints in each of Vietnam, the United Kingdom, Ukraine, Thailand, South Africa, France, the Netherlands, and Romania.
Exploitation of the vulnerability does not yet follow a set pattern, because several threat actors are involved, but CYFIRMA highlights the Chinese hacker groups APT41 and APT10 as examples, along with Russian threat groups specializing in cyberespionage. The company also describes a cyberespionage campaign called “think pocket” that has been targeting a widely used connectivity product employed by various global companies since August 2021.
“From an External Threat Landscape Management (ETLM) analogy, cybercriminals from countries that may not have a cordial relation with other nations could use the vulnerable Hikvision camera products to launch a geopolitically motivated cyber warfare,” explains CYFIRMA in the whitepaper.
Along with the command injection vulnerability, another problem is weak passwords that users choose for convenience or that come preset on the device and are never changed during initial setup. On clearnet hacking forums, a number of lists containing passwords for Hikvision camera live video streams were found, some of them offered for free. If you manage a Hikvision camera, set a strong, unique password, isolate the IoT network from critical assets using a firewall or VLAN, and apply the latest firmware update immediately.