Security researchers have discovered over 80,000 Hikvision cameras vulnerable to a critical command injection flaw that’s easily exploitable via specially crafted messages sent to the vulnerable web server.
The flaw is tracked as CVE-2021-36260 and was addressed by Hikvision via a firmware update in September 2021.
However, according to a whitepaper published by CYFIRMA, tens of thousands of systems used by 2,300 organizations across 100 countries have still not applied the security update.
There have been two known public exploits for CVE-2021-36260, one published in October 2021 and the second in February 2022, so threat actors of all skill levels can search for and exploit vulnerable cameras.
In December 2021, a Mirai-based botnet called ‘Moobot’ used this exploit to spread aggressively and enlist compromised cameras into DDoS (distributed denial of service) swarms.
In January 2022, CISA added CVE-2021-36260 to its catalog of actively exploited vulnerabilities, warning organizations that attackers could “take control” of affected devices and that the flaw should be patched immediately.
Vulnerable and exploited
CYFIRMA says Russian-speaking hacking forums often sell network entry points based on exploitable Hikvision cameras, which buyers can use either for “botnetting” or as a foothold for lateral movement into the rest of the victim’s network.
Of an analyzed sample of 285,000 internet-facing Hikvision web servers, the cybersecurity firm found roughly 80,000 still vulnerable to exploitation.
Most of these are located in China and the United States, while Vietnam, the UK, Ukraine, Thailand, South Africa, France, the Netherlands, and Romania each have more than 2,000 vulnerable endpoints.
Because multiple threat actors are exploiting the flaw, exploitation does not currently follow a single pattern, but CYFIRMA highlights the Chinese hacking groups APT41 and APT10, as well as Russian threat groups specializing in cyberespionage.
An example they give is a cyberespionage campaign named “think pocket,” which has been targeting a popular connectivity product used in an array of industries across the globe since August 2021.
“From an External Threat Landscape Management (ETLM) analogy, cybercriminals from countries that may not have a cordial relation with other nations could use the vulnerable Hikvision camera products to launch a geopolitically motivated cyber warfare,” explains CYFIRMA in the whitepaper.
Weak passwords also a problem
Apart from the command injection vulnerability, there’s also the issue of weak passwords, either set by users for convenience or shipped with the device by default and never changed during initial setup.
Bleeping Computer has spotted multiple offerings of lists, some even free, containing credentials for Hikvision camera live video feeds on clearnet hacking forums.
If you operate a Hikvision camera, you should make it a priority to install the latest available firmware update, replace any default or weak password with a strong one, and isolate the camera network from critical assets using a firewall or a dedicated VLAN, so that a compromised camera cannot be used as a pivot point or exposed directly to the internet.
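The following nftables ruleset is an added example of the network isolation recommended above; it is not from the article or from CYFIRMA, and the interface name, subnets, host addresses and the NTP server are assumptions for illustration. The idea is that the recorder and one management host are the only systems allowed to initiate connections to the camera VLAN, cameras themselves may initiate nothing except NTP, and no port-forward from the internet can reach the camera web server because the forward chain drops everything not explicitly listed.

```nft
#!/usr/sbin/nft -f
# Assumed topology (not from the article):
#   vlan30        = the camera VLAN on the router/firewall
#   10.30.0.0/24  = camera subnet
#   10.10.0.5     = NVR that pulls RTSP streams from the cameras
#   10.10.0.20    = the one admin workstation allowed on the camera web UI
#   10.10.0.1     = local NTP server the cameras may sync to
flush ruleset

define CAM_IF  = "vlan30"
define CAM_NET = 10.30.0.0/24
define NVR     = 10.10.0.5
define MGMT    = 10.10.0.20
define NTP     = 10.10.0.1

table inet camera_isolation {
    chain forward {
        # Default-deny for all routed traffic, including DNAT'd port-forwards,
        # so an internet-facing rule cannot accidentally expose the camera web server.
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # The recorder may open RTSP sessions to the cameras.
        iifname != $CAM_IF oifname $CAM_IF ip saddr $NVR  ip daddr $CAM_NET tcp dport 554 accept

        # Only the admin workstation may reach the camera web UI (the vulnerable service).
        iifname != $CAM_IF oifname $CAM_IF ip saddr $MGMT ip daddr $CAM_NET tcp dport { 80, 443 } accept

        # Cameras may initiate exactly one thing: NTP to the local time server.
        iifname $CAM_IF ip saddr $CAM_NET ip daddr $NTP udp dport 123 accept

        # Anything else leaving the camera VLAN (lateral movement, botnet C2,
        # DDoS traffic from a compromised camera) is logged and dropped.
        iifname $CAM_IF log prefix "cam-vlan-egress-drop: " drop
    }
}
```

Load it with `nft -f` on the router that carries the camera VLAN. Any extra flow a deployment genuinely needs (for example cameras pushing events to the recorder) should be added as a narrow, source- and destination-specific accept rule rather than by relaxing the default drop; the log line on dropped egress is also a cheap detector for a camera that has started talking to hosts it has no business reaching.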