More than 80,000 Hikvision CCTV cameras exposed by a vulnerability

Security researchers have discovered over 80,000 cameras vulnerable to a critical command injection bug that can be easily exploited via messages sent to the vulnerable web server. The vulnerability published as CVE-2021-36260 was fixed by Hikvision via a firmware update in September 2021, but according to research by CYFIRMA, tens of thousands of systems used by 2,300 organizations in 100 countries have yet to apply the firmware update. security and remain vulnerable to attack.

Hikvision is lately in the spotlight of both security analysts and attackers as it is a brand widely used by administrations and government organizations in various countries.

There have been two known public exploits for CVE-2021-36260, one published in October 2021 and the second in February 2022, so threat actors of all levels can search for and exploit vulnerable cameras. In December 2021, a Mirai-based botnet called ‘Moobot’ used these exploits to spread and create an army of zombie devices to perform DDoS (Distributed Denial of Service) attacks.

In January 2022, CISA alerted that CVE-2021-36260 was among the actively exploited bugs on the list published at the time, warning organizations that attackers could “take control” of devices and that they should update the bugs. equipment immediately.

CYFIRMA comments that Russian-speaking hacking forums often sell network entry points that are based on Hikvision that can be used for “botnetting” or lateral movement.

Of an analyzed sample of 285,000 Hikvision web servers with Internet access, the cybersecurity firm found that approximately 80,000 were still vulnerable to exploitation. Most of these are located in China and the United States, while Vietnam, the United Kingdom, Ukraine, Thailand, South Africa, France, the Netherlands, and Romania have more than 2,000 vulnerable endpoints. This is bad from a security viewpoint and could be the cause of new attacks. We remind users who have a Hikvision camera to prioritize installing the latest firmware update available, use a strong password, and isolate the IoT network from critical assets using a firewall or VLAN.