Specialists of the Chinese company Qihoo 360 report that at least three botnets exploited a number of zero-day vulnerabilities in LILIN DVRs. Moreover, the exploitation lasted more than six months, until the manufacturer released a patch last month.
DVR (digital video recorder) devices are used to combine video streams from local video surveillance systems or from IP cameras and record them on various media, including hard drives, SSDs and memory cards. DVRs are as ubiquitous as the surveillance cameras they serve. Unfortunately, DVRs often run with factory default settings and credentials, as well as outdated firmware. As a result, such devices frequently fall victim to botnets: they are infected and then used for DDoS attacks.
According to Qihoo 360, LILIN DVRs had three zero-day vulnerabilities at once:
- a vulnerability in the NTPUpdate process allowed attackers to inject and execute system commands;
- using hardcoded credentials (root / icatch99 and report / 8Jg0SR8K50), an attacker could modify the DVR configuration file and then have commands executed on the device when the FTP server configuration is periodically synchronized;
- almost the same thing could be done via the NTP service.
The first botnet to start exploiting the 0-day bugs was the Chalubo botnet, which had been abusing the NTPUpdate vulnerability since late August last year. Then, in January of this year, the two remaining zero-day problems were used by the operators of the FBot botnet, and later the operators of the Moobot botnet, who also abused the second 0-day, joined in.
Experts do not report what the botnet operators did with the captured DVRs, but the botnets listed are usually used for DDoS attacks, as well as for proxying (redirecting malicious traffic).
Researchers write that they contacted LILIN representatives twice, first after the FBot attacks, and then when the Moobot botnet joined the attacks. Last month, LILIN engineers finally released firmware updates. Experts note that at present, more than 5000 LILIN DVRs can still be found exposed on the internet.