80,000 Hikvision Cameras Still Vulnerable to a Year-old Command Injection Vulnerability

essidsolutions

Researchers at Cyfirma discovered a critical command injection vulnerability that still resides in thousands of cameras made by Hangzhou Hikvision Digital Technology Co. Tracked as CVE-2021-36260, the vulnerability is one year old and was addressed by Hikvision last year. However, approximately 80,000 cameras are still vulnerable to exploitation.

With a CVSS score of 9.8, CVE-2021-36260 is just shy of being the perfect weakness for cybercriminals looking to exploit IoT devices. More than 2,300 organizations across over 100 countries haven’t applied the security update released in September 2021 and are still using vulnerable Hikvision cameras.

Paul Bischoff, a privacy advocate at Comparitech, told Spiceworks, “IoT devices like cameras aren’t always as easy or straightforward to secure as an app on your phone. Updates are not automatic; users need to manually download and install them, and many users might never get the message.”

“Furthermore, IoT devices might not give users any indication that they’re unsecured or out of date. Whereas your phone will alert you when an update is available and likely install it automatically the next time you reboot, IoT devices do not offer such conveniences.”

Cyfirma researchers observed that Chinese threat groups, including MISSION2025/APT41, APT10 and its affiliates, and unknown Russian cybercriminal entities were most keen on exploiting CVE-2021-36260 in Hikvision cameras.

“Specifically in the Russian forums, we have observed leaked credentials of Hikvision camera products available for sale. These can be leveraged by hackers to gain access to the devices and exploit further the path of attack to target an organization’s environment,” Cyfirma noted.

Hikvision cameras affected by CVE-2021-36260 have previously been targeted by the Mirai-based Moobot botnet to carry out DDoS attacks.

Top 10 Countries Using Vulnerable Hikvision Camera Products | Source: Cyfirma


Hikvision is a Chinese state-owned corporation, and both APT10 and APT41 are thought to be threat organizations supported by the Chinese government. Therefore, it is puzzling that China is the country where susceptible Hikvision cameras are most used.

In a post dating to September 2021, a security researcher, Watchful IP, said it is definitely not a backdoor mandated by the single-party-run Chinese government. “You wouldn’t do it like this,” they said. “And not all firmware types are affected.” The list of affected firmware is given here.

Cyfirma’s theory is that exploiting Hikvision cameras could be geopolitically motivated for cyber espionage. “Hackers can easily find devices running vulnerable firmware or software using an IoT search engine like Shodan. From there, they can hijack the devices to enlist them as part of a botnet, mine cryptocurrency, or launch further attacks through the camera’s network,” Bischoff added.

The exploitation of CVE-2021-36260 requires no user interaction, making a zero-click attack possible. It only requires access to the HTTP(S) server port (typically 80/443). Watchful IP assessed in their advisory that successful exploitation allows the attacker to gain complete control of the device with an unrestricted root shell, which is far more access than even the owner of the device has.

Bischoff concluded that poor password hygiene further exacerbates the problem. Chris Hauke, a consumer privacy advocate at Pixel Privacy, echoed the same.

Hauke told Spiceworks, “Exploits like those being used to take over Hikvision cameras rely on users not setting strong passwords or using the default passwords out of the box. Users should always update their cameras and other IoT devices with the latest firmware, set a secure password, and in corporate cases, keep their IoT devices isolated from their main network.”

