Vulnerable Hikvision Cameras Exposed OnlineCyfirma Finds 80,000 Unpatched Chinese-Made Cameras in Online Sweep
Cybercriminals in Russian forums are selling logon credentials to Hikvision-brand security cameras, tens of thousands of which remain vulnerable to a well-known exploit, warns a threat intelligence firm.
A study by Cyfirma reveals that more than 80,000 Hikvision cameras used across the globe contain a critical flaw first identified more than a year ago.
Chinese manufacturer Hangzhou Hikvision Digital Technology Co. issued a patch for the vulnerability last September. Tracked as CVE-2021-36260, this command injection vulnerability allows attackers to execute arbitrary system commands on the victim's host operating system. Attackers could exploit the vulnerability to add the cameras to a botnet or as a launching point for lateral movement deeper into the camera operator's network. Cybersecurity firm Fortinet late last year says it spotted "numerous payloads attempting to leverage this vulnerability" including one that appeared to recruit vulnerable cameras into the Moobot botnet, a variant of the Mirai botnet.
Cyfirma researchers analyzed a sample of approximately 285,000 Hikvision web servers worldwide. It found that more than 2,300 organizations in more than 100 nations operated cameras with open web ports. Close to a third of the vulnerable cameras were located in China and the United States, with each country responsible for 12,690 and 10,611 vulnerable devices, respectively.
Saurabh Lal, Cyfirma president of research and customer engagement, told Information Security Media Group that these organizations are likely unaware of the device's openness to online traffic.
"These ports are not being monitored, not being validated, not being tested and they are just adding to entry points in your porous attack surface," Lal says. He says it is a "fault of implementation" and that companies have been "careless with configuration".
In January 2022, the U.S. Cybersecurity and Infrastructure Security Agency warned the vulnerability being actively exploited and urged organizations to patch immediately.
Cyfirma believes that Chinese threat groups such as MISSION2025/APT41, APT10 and its affiliates, as well as unknown Russian threat actor groups could potentially exploit the unpatched security cameras.
"We have observed that leaked credentials of Hikvision camera products available for sale on Russian forums," Cyfirma researchers say.
Hikvision is controlled by the Chinese government and is on a number of U.S. federal government blacklists. The Federal Communications Commission in March 2021 classified the company as a risk to national security. U.S. citizens are barred from owning shares in the company under an executive order first signed by Donald Trump and revised by President Joe Biden in June 2021. The Department of Commerce subjected the company to intensive export controls in in 2019 for participating in state surveillance of the Uyghur ethnic group in the Xinjiang Uighur Autonomous Region.