Over 80,000 exploitable Hikvision cameras are exposed on the internet.
Over 80,000 Hikvision cameras have been discovered to be vulnerable to a critical command injection flaw that can be easily exploited via specially crafted messages sent to the vulnerable web server.
The flaw is identified as CVE-2021-36260, and Hikvision addressed it with a firmware update in September 2021.
According to a CYFIRMA whitepaper, tens of thousands of systems used by 2,300 organisations in 100 countries have yet to receive the security update.
CVE-2021-36260 has two known public exploits, one published in October 2021 and the other in February 2022, so threat actors of all skill levels can search for and exploit vulnerable cameras.
In December 2021, the ‘Moobot’ Mirai-based botnet used this exploit to spread aggressively and enlist systems in DDoS (distributed denial of service) swarms.
When CISA issued an alert in January 2022, CVE-2021-36260 was among the actively exploited bugs in the list published at the time; the agency warned organisations that attackers could “take control” of devices and urged them to patch the flaw immediately.
Vulnerable and abused
According to CYFIRMA, Russian-speaking hacking forums frequently sell network entry points based on exploitable Hikvision cameras that can be used for “botnetting” or lateral movement.
The cybersecurity firm discovered approximately 80,000 vulnerable Hikvision web servers in an analysed sample of 285,000 internet-facing Hikvision web servers.
The majority of these are in China and the United States, with over 2,000 vulnerable endpoints in Vietnam, the United Kingdom, Ukraine, Thailand, South Africa, France, the Netherlands, and Romania.
While there is no clear pattern for exploiting the flaw at the moment, because multiple threat actors are involved, CYFIRMA highlights the cases of Chinese hacking groups APT41 and APT10, as well as Russian threat groups specialising in cyberespionage.
They cite a cyberespionage campaign called “think pocket” that has been targeting a popular connectivity product used in a variety of industries around the world since August 2021.
“From an External Threat Landscape Management (ETLM) perspective, cybercriminals from countries that may not have friendly relations with other nations could use the vulnerable Hikvision camera products to launch geopolitically motivated cyber warfare,” CYFIRMA explains in the whitepaper.
Weak passwords are another issue.
Aside from the command injection vulnerability, there is also the issue of weak passwords that users create for convenience or that come with the device by default and are not reset during the initial setup.
On clearnet hacking forums, Bleeping Computer discovered multiple offerings of lists, some even free, containing credentials for Hikvision camera live video feeds.
If you own a Hikvision camera, you should prioritise installing the most recent firmware update, using a strong password, and isolating the IoT network from critical assets using a firewall or VLAN.
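The three mitigations above (patched firmware, strong passwords, network isolation) can be checked across a fleet of cameras from an asset inventory. The script below is an added example written for this article; it is not code from Hikvision, CYFIRMA or the article's author. It assumes the inventory records a firmware string carrying a six-digit YYMMDD build date (an assumed convention, not taken from the page), uses the September 2021 fix date stated above as the patch cut-off, and uses a constructed list of weak passwords and a constructed sample inventory.

```python
import re
from dataclasses import dataclass
from datetime import date

# The article states Hikvision shipped the CVE-2021-36260 fix in September 2021;
# firmware built before then is treated as unpatched (conservative cut-off).
PATCH_DATE = date(2021, 9, 1)

# Constructed list of default/weak passwords for this example (not from the page).
WEAK_PASSWORDS = {"12345", "123456", "admin", "password", "hikvision", "admin12345"}

# Assumed firmware string format, e.g. "V5.5.0 build 210830" (YYMMDD build date).
BUILD_RE = re.compile(r"build\s+(\d{6})", re.IGNORECASE)


@dataclass
class Camera:
    host: str
    ip: str
    firmware: str
    password: str
    vlan: str


def build_date(firmware: str):
    """Extract the YYMMDD build date from a firmware string, or None if absent/invalid."""
    m = BUILD_RE.search(firmware)
    if not m:
        return None
    yymmdd = m.group(1)
    try:
        return date(2000 + int(yymmdd[:2]), int(yymmdd[2:4]), int(yymmdd[4:6]))
    except ValueError:  # e.g. month 13: treat as unknown rather than guessing
        return None


def needs_firmware_update(firmware: str) -> bool:
    """Unknown build dates are flagged too: an unverifiable device is not a patched device."""
    d = build_date(firmware)
    return d is None or d < PATCH_DATE


def password_is_weak(password: str) -> bool:
    """Flag known defaults, short passwords and all-digit PINs."""
    return password.lower() in WEAK_PASSWORDS or len(password) < 8 or password.isdigit()


def triage(cameras, critical_vlans):
    """Return (host, [issues]) pairs, most issues first, so remediation can be prioritised."""
    findings = []
    for cam in cameras:
        issues = []
        if needs_firmware_update(cam.firmware):
            issues.append("unpatched-firmware")
        if password_is_weak(cam.password):
            issues.append("weak-password")
        if cam.vlan in critical_vlans:  # camera shares a segment with critical assets
            issues.append("not-isolated")
        findings.append((cam.host, issues))
    findings.sort(key=lambda f: len(f[1]), reverse=True)
    return findings


# Constructed sample inventory; hosts, addresses, versions and VLAN names are made up.
SAMPLE_INVENTORY = [
    Camera("lobby-cam-01", "10.0.10.21", "V5.5.0 build 210830", "12345", "vlan10-servers"),
    Camera("dock-cam-02", "10.0.40.12", "V5.5.82 build 211015", "c0rrect-Horse-Battery", "vlan40-iot"),
    Camera("yard-cam-03", "10.0.40.13", "unknown", "88887777", "vlan40-iot"),
]
CRITICAL_VLANS = {"vlan10-servers"}

if __name__ == "__main__":
    for host, issues in triage(SAMPLE_INVENTORY, CRITICAL_VLANS):
        print(f"{host}: {', '.join(issues) or 'ok'}")
```

Running it lists the lobby camera first with all three issues, the yard camera with an unverifiable build and a numeric password, and the dock camera as clean. Treating a missing build date as unpatched is deliberate: a device whose firmware cannot be confirmed should be scheduled for an update rather than assumed safe.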