A botnet is targeting a known command injection flaw in various Hikvision video surveillance devices, in order to infect them and use them to launch distributed denial-of-service (DDoS) attacks.
The Mirai-based Moobot botnet, first discovered in 2019, is known to target IoT devices and routers typically using vulnerability exploits or brute force attacks via weak default passwords. Recently, researchers with Fortinet saw the botnet targeting a flaw (CVE-2021-36260) in devices made by Chinese manufacturer Hikvision, a major player in the global surveillance camera market.
This vulnerability, which stems from insufficient input validation, allows unauthenticated users to inject malicious content by merely sending specially crafted messages to publicly exposed, impacted devices. Despite the flaw receiving a patch on Sept. 18, researchers said they observed several payloads being deployed against products that remain vulnerable. One payload in particular attempts to drop a downloader, which in turn executes Moobot.
“Hikvision is one of the biggest providers of IP cam/NVR products in the global market. CVE-2021-36260 is a critical vulnerability that makes Hikvision products a target for Moobot,” said Cara Lin with Fortinet. “Although a patch has been released to address this vulnerability, this IoT botnet will never stop looking for a vulnerable end point.”
While Lin did not specify which Hikvision products were targeted in the attacks, an analysis by a UK threat researcher, under the alias “Watchful IP,” lists dozens of product models and versions that are impacted, and noted that a “huge number” of OEM resellers have their own model numbers, making it difficult to nail down the full list of affected models.
The Attacks
Once downloaded, Moobot is saved as “macHelper” and attempts to remove any files with the same name on the impacted device. The botnet also changes commonly used commands (like “reboot”) to prevent administrators from invoking them on the devices.
Moobot is a Mirai-based botnet, and contains a signature data string (“w5q6he3dbrsgmclkiu4to18npavj702f”) allowing it to create random alphanumeric strings with different functions (such as setting up a process name or generating data for attacks). The Mirai botnet is known for the massive 2016 DDoS attack against DNS provider Dyn that crippled Internet service in the U.S. and took down several popular services (including Netflix). In 2016, Mirai’s alleged author released its source code, making it easier for copycats to launch their own Mirai variants.
Moobot also has some elements from Satori, another Mirai variant botnet, said researchers: Most notably, it contains a “downloader” function that targets victims' IoT devices, it prints a unique string post-execution (“9xsspnvgc8aj5pi7m28p”) and it forks itself with a specific process name in an attempt to look like a normal process.
Once the connection with the command-and-control (C2) server is set up, the botnet receives commands to start a DDoS attack against specific IP addresses and port numbers.
“Except for SYN flood, the C2 server has other attacking commands, such as 0x06 for UDP flood, 0x04 for ACK flood, and 0x05 for ACK+PUSH flood,” said Lin. “Users should always look out for DDoS attacks and apply patches to vulnerable devices.”
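The hard-coded strings and C2 opcodes quoted above are the kind of artifacts a defender can turn directly into detection logic. The following is an added example, not code from Fortinet or from the article: it scans a constructed byte buffer for the Moobot signature string, the Satori-derived post-execution marker and the “macHelper” filename, and maps the attack opcodes the article names to their attack types (the SYN flood opcode is not given on the page, so it is left out).

```python
"""Detection helper for the Moobot indicators described in the article.

Added example; the sample buffer below is constructed for illustration.
"""
import re
from typing import Dict, List

# Strings the article attributes to Moobot samples.
MOOBOT_SIGNATURE = b"w5q6he3dbrsgmclkiu4to18npavj702f"  # alphabet for random names
SATORI_MARKER = b"9xsspnvgc8aj5pi7m28p"                # printed after execution
DROPPED_NAME = b"macHelper"                            # filename the bot is saved as

# C2 attack opcodes named in the article (SYN flood opcode not given on the page).
C2_ATTACKS = {0x04: "ACK flood", 0x05: "ACK+PUSH flood", 0x06: "UDP flood"}

INDICATORS = {
    "moobot_signature": MOOBOT_SIGNATURE,
    "satori_marker": SATORI_MARKER,
    "dropped_filename": DROPPED_NAME,
}


def find_indicators(blob: bytes) -> Dict[str, List[int]]:
    """Return every byte offset at which each known indicator occurs in blob."""
    hits: Dict[str, List[int]] = {}
    for name, needle in INDICATORS.items():
        offsets = [m.start() for m in re.finditer(re.escape(needle), blob)]
        if offsets:
            hits[name] = offsets
    return hits


def decode_c2_command(opcode: int) -> str:
    """Map a C2 attack opcode to its attack type, or label it unknown."""
    return C2_ATTACKS.get(opcode, f"unknown opcode 0x{opcode:02x}")


def verdict(blob: bytes) -> str:
    """Classify a blob: hard-coded strings are strong evidence, the filename alone is weak."""
    hits = find_indicators(blob)
    if "moobot_signature" in hits or "satori_marker" in hits:
        return "moobot"
    if "dropped_filename" in hits:
        return "suspicious"
    return "clean"


# Constructed sample: an ELF-like header, padding, and the indicators embedded at known offsets.
SAMPLE = (b"\x7fELF" + b"\x00" * 16 + MOOBOT_SIGNATURE + b"\x00" * 8
          + SATORI_MARKER + b"\x00" * 4 + DROPPED_NAME)

if __name__ == "__main__":
    print(find_indicators(SAMPLE), verdict(SAMPLE), decode_c2_command(0x06))
```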
Moobot: A Continuous Threat
Moobot is particularly harmful because it is self-propagating, meaning that once it infects devices, it then scans the Internet for open telnet ports in an attempt to locate additional vulnerable IoT devices to infect.
Botnets pose various threats to enterprises, including cryptocurrency mining, as seen with the Prometei botnet in April and the Lemon Duck botnet in May, as well as DDoS attacks and the installation of second-stage payloads on infected devices.
At the same time, tech companies and law enforcement agencies alike are cracking down on botnet operations. These include disruption operations targeting Emotet, Necurs, Trickbot, and most recently, the Glupteba botnet, which was disrupted when Google took down servers used by the botnet and disabled more than 100 Google accounts associated with it.