CYFIRMA researchers discovered over 80,000 Hikvision cameras exposed online with a previously exploited vulnerability.
The security cameras, belonging to over 2,300 organizations in 100 countries, contained a flaw tracked as CVE-2021-36260, for which Hikvision had provided firmware updates in September 2021.
The vulnerability discovered by security experts identified as “Watchful IP” affects various Hikvision camera products. The easily-exploitable critical vulnerability with a CVSS v3 score of 9.8 had been exploited twice by various threat actors in October 2021 and February 2022. In December 2021, Mirai botnet operators also enrolled vulnerable devices into their ‘Moobot’ campaign to execute DDoS attacks.
Hikvision Digital Technologies, or “Hikvision,” is a Chinese manufacturer of consumer and military surveillance cameras. Additionally, the company manufactures other IoT products for education, retail, and industry, including critical infrastructure.
The top users of vulnerable Hikvision cameras are China (12,700), the U.S. (10,611), and Vietnam (7,300). The U.K., Ukraine, Thailand, South Africa, France, Netherlands, and Romania also have exposed instances of vulnerable Hikvision camera products.
Adversaries could leverage exploited vulnerability in Hikvision cameras for cyber warfare
The command injection vulnerability impacts Hikvision’s web server due to insufficient input validation. As a result, a threat actor could exploit the vulnerability by sending messages with malicious commands to a vulnerable Hikvision camera product.
According to the security expert who discovered the exploited vulnerability, the flaw does not require user interaction.
CYFIRMA has observed threat actors collaborating on underground forums to exploit the vulnerability. Similarly, Russian hackers were trading in stolen passwords of Hikvision cameras, expanding the attack surface. Many stolen passwords originate from using default credentials that aren’t updated after installing Hikvision cameras.
“Specifically in the Russian forums, we have observed leaked credentials of Hikvision camera products available for sale,” the firm stated.
Chinese hackers such as MISSION2025/APT41, APT10, and their affiliates also tried to exploit the vulnerability.
Since August 2021, CYFIRMA observed Russian hackers exploiting other connectivity devices to execute attacks in the “think pocket” campaign.
However, CYFIRMA warned that predicting the attack patterns or threat groups leveraging the exploited vulnerability was difficult because many attackers attempt to exploit the vulnerability using various tactics.
In January 2022, CISA warned that threat actors could leverage the exploited vulnerability CVE-2021-36260 to take over devices. The agency also added the flaw to the catalog of actively exploited vulnerabilities that should be patched within 30 days.
According to CYFIRMA, the Hikvision exploited vulnerability seriously threatened the national security of impacted countries.
“From an External Threat Landscape Management (ETLM) analogy, cybercriminals from countries that may not have a cordial relation with other nations could use the vulnerable Hikvision camera products to launch a geopolitically motivated cyber warfare,” the researchers stated.
Exposed Hikvision vulnerability highlights challenge with securing IoT devices
Owners of vulnerable Hikvision cameras should patch the exploited vulnerability and apply strong passwords to prevent exploitation of the devices. In addition, they should isolate IoT devices from main networks to prevent threat actors from propagating through the network after compromising vulnerable devices.
“Wireless cameras have been a highly sought-after target for attackers over the past several years, particularly Hikvision cameras,” said David Maynor, Senior Director of Threat Intelligence at Cybrary. “Their product contains easy-to-exploit systemic vulnerabilities or worse, uses default credentials. There is no good way to perform forensics or verify that an attacker has been excised.”
According to Maynor, no observable changes have been detected in Hikvision’s development cybersecurity practices.
“IoT devices like cameras aren’t always as easy or straightforward to secure as an app on your phone,” said Paul Bischoff, privacy advocate with Comparitech. “Updates are not automatic; users need to manually download and install them, and many users might never get the message.”
Bischoff added that IoT devices rarely display security warnings or update alerts, unlike other devices that notify users when updates are available.
“Hackers can easily find devices running vulnerable firmware or software using an IoT search engine like Shodan,” Bischoff continued. “From there, they can hijack the devices to enlist them as part of a botnet, mine cryptocurrency, or launch further attacks through the camera’s network.”
Chris Hauk, consumer privacy champion at Pixel Privacy, attributed Hikvision camera vulnerabilities to a lack of strong passwords and the use of default credentials.
“Exploits like those being used to take over Hikvision cameras rely on users not setting strong passwords or using the default passwords out of the box. Users should always update their cameras and other IoT devices with the latest firmware, set a secure password, and in corporate cases, keep their IoT devices isolated from their main network.”