
posted by martyb on Wednesday June 29 2016, @09:19AM
from the Smile-for-the-Camera? dept.

An interesting blog post on sucuri.net describes a DDoS using CCTV devices:

Our security operations team investigate and mitigate multiple denial of service (DDoS) attacks every single day. One recent case caught our attention because of the intensity and duration of the attack, and -- as we discovered through some research -- how it was being done. In this article, we'll share the specifics in an effort to track down the vulnerable devices...

The post continues:

It is not new that attackers have been using IoT devices to start their DDoS campaigns, however, we have not analyzed one that leveraged only CCTV devices and was still able to generate this quantity of requests for so long.

As we extracted the geo-location from the IP addresses generating the DDoS, we noticed that they were coming from all over the world, different countries and networks. A total of 25,513 unique IP addresses came within a couple of hours.

[...] As we dug deeper into each of these IP addresses, we learned that all of them were running the "Cross Web Server" and had a similar default HTTP page with the "DVR Components" title.

This is what raised our suspicion of an IoT botnet that was leveraging some CCTVs as part of the attack. As we kept looking, we found the company logos from the resellers and manufacturers on all IP addresses.

The common thread turned out to be that all of the devices were running BusyBox, software that provides several stripped-down Unix tools in a single executable file. [Wikipedia] Sucuri conjectures: "It seems like they might have been hacked via a recently disclosed RCE vulnerability in CCTV-DVR (this is unconfirmed)."

Also covered at Ars Technica and SiliconANGLE.
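As an added example (not from the Sucuri post or from SoylentNews), a defender-side triage script that applies the two markers quoted above, the "Cross Web Server" banner and the "DVR Components" page title, to HTTP responses an incident team has already captured from the attacking source IPs, so the botnet's composition can be confirmed from the response store; the captures and the addresses are constructed.

```python
import re
from collections import Counter

# Fingerprint markers quoted in the Sucuri write-up.
SERVER_BANNER = "Cross Web Server"
PAGE_TITLE = "DVR Components"
_TITLE_RE = re.compile(r"<title>\s*(.*?)\s*</title>", re.IGNORECASE | re.DOTALL)


def parse_http_response(raw: str) -> tuple[dict, str]:
    """Split a raw HTTP/1.x response into (lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def matches_dvr_fingerprint(raw: str) -> bool:
    """True only when both markers from the write-up are present."""
    headers, body = parse_http_response(raw)
    if headers.get("server") != SERVER_BANNER:
        return False
    m = _TITLE_RE.search(body)
    return bool(m and m.group(1) == PAGE_TITLE)


def triage(captures: dict[str, str]) -> dict[str, int]:
    """Count attacking source IPs with and without the DVR fingerprint."""
    counts = Counter()
    for raw in captures.values():
        counts["dvr" if matches_dvr_fingerprint(raw) else "other"] += 1
    return dict(counts)


# Constructed captures keyed by attacking source IP (RFC 5737 test ranges):
# two hosts that look like the DVRs in the write-up, one ordinary web server.
SAMPLE_CAPTURES = {
    "203.0.113.10": "HTTP/1.1 200 OK\r\nServer: Cross Web Server\r\n\r\n"
                    "<html><head><title>DVR Components</title></head></html>",
    "198.51.100.7": "HTTP/1.1 200 OK\r\nServer: Cross Web Server\r\n"
                    "Content-Type: text/html\r\n\r\n<HTML><TITLE>DVR Components</TITLE>",
    "192.0.2.44": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<html><title>Welcome</title></html>",
}

if __name__ == "__main__":
    print(triage(SAMPLE_CAPTURES))  # {'dvr': 2, 'other': 1}
```

Both markers are required, so a host that merely serves a page titled "DVR Components" behind a different server banner is counted as "other" rather than silently attributed to the DVR population.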


Original Submission

  • (Score: 0) by Anonymous Coward on Wednesday June 29 2016, @09:33AM

    by Anonymous Coward on Wednesday June 29 2016, @09:33AM (#367479)

    Now all we need to do is to insert mood-altering artificial synapses into the drivers of driverless cars and we can gridlock all roadways!

  • (Score: 1, Interesting) by Anonymous Coward on Wednesday June 29 2016, @12:46PM

    by Anonymous Coward on Wednesday June 29 2016, @12:46PM (#367541)

    So... how "Closed Circuit" are these CCTV systems then?

    • (Score: 0) by Anonymous Coward on Wednesday June 29 2016, @01:18PM

      by Anonymous Coward on Wednesday June 29 2016, @01:18PM (#367561)

      They're closed to you! Try obtaining evidence from a camera pointed at the crime scene when someone stole your bike/car/whatever. Impossible to do. But try getting camera evidence used by the cops, dismissed in court in a case against you, good luck!

      CCTV is closed to you, and you should be happy about that civilian!

      • (Score: 0) by Anonymous Coward on Thursday June 30 2016, @04:28AM

        by Anonymous Coward on Thursday June 30 2016, @04:28AM (#367862)

        Which misbegotten country are you in, where such evidence can't be subpoenaed?

    • (Score: 3, Insightful) by frojack on Wednesday June 29 2016, @06:28PM

      by frojack (1554) on Wednesday June 29 2016, @06:28PM (#367673) Journal

      So... how "Closed Circuit" are these CCTV systems then?

      Just as closed as any other computer that accepts NO inbound connections, except those entering on its control port (ssh/telnet, or in this case HTTP) with the proper password. When that password is compromised, set to factory default, or is easily cracked, there is no longer any such thing as closed.

      The problem, I'm willing to bet, is these are shipped with no password, or a default password, no logging, no log-in alert system, and easily identifiable by a script-kiddy port scan.

      Maybe they are back-ended from the factory, but nothing so sinister need be imagined.

      One guy in charge of installing these things would sooner or later realize the vulnerability. And from there, it's a simple matter to have one of them scanning for others, then logging in to each, sending the rogue software, which finds yet more and more.

      Somewhere there has to be a control channel. But that might be hard to find, because all it does is DDOS, which need not return any data to that control channel.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 0) by Anonymous Coward on Wednesday June 29 2016, @07:48PM

        by Anonymous Coward on Wednesday June 29 2016, @07:48PM (#367703)

        woosh!

  • (Score: 2, Informative) by Anonymous Coward on Wednesday June 29 2016, @01:21PM

    by Anonymous Coward on Wednesday June 29 2016, @01:21PM (#367562)

    https://www.shodan.io/

    ... aaaannd we're done!