Security researchers have discovered over 80,000 Hikvision cameras vulnerable to a critical command injection flaw that’s easily exploitable via specially crafted messages sent to the vulnerable web server.
The flaw is tracked as CVE-2021-36260 and was addressed by Hikvision via a firmware update in September 2021.
However, according to a whitepaper published by CYFIRMA, tens of thousands of systems used by 2,300 organizations across 100 countries have still not applied the security update.
There have been two known public exploits for CVE-2021-36260, one published in October 2021 and the second in February 2022, so threat actors of all skill levels can search for and exploit vulnerable cameras.
In December 2021, a Mirai-based botnet called ‘Moobot’ used the particular exploit to spread aggressively and enlist systems into DDoS (distributed denial of service) swarms.
In January 2022, CISA alerted that CVE-2021-36260 was among the actively exploited bugs in the then published list, warning organizations that attackers could “take control” of devices and to patch the flaw immediately.
CYFIRMA says Russian-speaking hacking forums often sell network entrance points relying on exploitable Hikvision cameras that can be used either for “botnetting” or lateral movement.
Of an analyzed sample of 285,000 internet-facing Hikvision web servers, the cybersecurity firm found roughly 80,000 still vulnerable to exploitation.
Most of these are located in China and the United States, while Vietnam, the UK, Ukraine, Thailand, South Africa, France, the Netherlands, and Romania all count above 2,000 vulnerable endpoints.
While the exploitation of the flaw doesn’t follow a specific pattern right now, since multiple threat actors are involved in this endeavor, CYFIRMA underlines the cases of the Chinese hacking groups APT41 and APT10, as well as Russian threat groups specializing in cyberespionage.
An example they give is a cyberespionage campaign named “think pocket,” which has been targeting a popular connectivity product used in an array of industries across the globe since August 2021.
Read the full story here.