
Sucuri spotted a large botnet of CCTV devices involved in DDoS attacks

Security experts from Sucuri firm have discovered a large botnet of compromised CCTV devices used by crooks to launch DDoS attacks in the wild.

Researchers have encountered a denial-of-service botnet that’s made up of more than 25,000 Internet-connected closed circuit TV devices.

We have discussed several times how the lack of security by design in the IoT makes smart objects a privileged target for hackers. Researchers from the Sucuri security firm have spotted a malicious botnet composed of more than 25,000 Internet-connected closed circuit TV (CCTV) devices that has been used in denial-of-service attacks.

The company was trying to repel a DDoS attack against a small brick-and-mortar jewelry shop that was hit by almost 35,000 HTTP requests per second. The volume of requests reached 50,000 HTTP requests per second after the company tried to mitigate the attack.

The DDoS attack continued for several days; the CCTV botnet used addresses located in more than 105 countries around the world.

“It is not new that attackers have been using IoT devices to start their DDoS campaigns, however, we have not analyzed one that leveraged only CCTV devices and was still able to generate this quantity of requests for so long.” explained Daniel Cid in a blog post. “As we extracted the geo-location from the IP addresses generating the DDoS, we noticed that they were coming from all over the world, different countries and networks. A total of 25,513 unique IP addresses came within a couple of hours. The source of the attack concentrated in Taiwan, with 24% of the IP address, followed by the USA with 12%, Indonesia with 9%, Mexico with 8% and Malaysia with 6%.”

The experts from Sucuri investigated a number of the CCTV boxes involved in the DDoS attack and discovered that all of them were running the “Cross Web Server” and were built on BusyBox. BusyBox is a software package that provides several Unix tools in a single executable file; it is designed for embedded operating systems, including those that run CCTV devices. Many routers and other network appliances ship with it to ease maintenance activities. In November 2014, experts from Trend Micro spotted a new variant of the BASHLITE malware exploiting the ShellShock vulnerability to infect devices running BusyBox.

“As we dug deeper into each of these IP addresses, we learned that all of them were running the “Cross Web Server” and had a similar default HTTP page with the “DVR Components” title.

    $ curl -sD - 122.116.xx.xx | head -n 10
    HTTP/1.1 200 OK
    Server:Cross Web Server
    Content-length: 3233
    Content-type: text/html

    <title>DVR Components Download</title>

This is what raised our suspicion of an IoT botnet that was leveraging some CCTVs as part of the attack. As we kept looking, we found the company logos from the resellers and manufacturers on all IP addresses.” continues the analysis.

The experts noticed that, to make the DDoS attack harder to neutralize, the CCTV devices had been programmed to emulate normal browser behavior by presenting a variety of common user agents, including the ones associated with the most popular browsers:

  • User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.5 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.4
  • User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
  • User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

The CCTV devices belonging to the botnet also displayed “referrers” showing they had most recently visited sites including Engadget, Google, and USA Today.
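A defender-side detection check for the pattern just described, added here as an example that is not part of Sucuri's analysis or of the original article: it parses Apache/nginx Combined Log Format lines and flags any second in which a flood arrives from many distinct sources that all draw their User-Agent from a tiny shared pool. The log lines, source IP ranges, timestamps and thresholds are constructed for illustration; only the three User-Agent strings and the referrer sites come from the article.

```python
import re
from collections import Counter, defaultdict

# Combined Log Format: ip - - [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ '
                    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# The three User-Agent strings quoted in the article and the referrer sites it names.
UAS = [
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.5 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.4",
    "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)",
]
REFS = ["http://www.engadget.com/", "http://www.google.com/", "http://www.usatoday.com/"]

def make_sample_log(n_bots=120):
    """Constructed sample log (not real traffic): n_bots distinct sources each send one
    request in the same second, cycling through the shared UA/referrer pool; a single
    ordinary visitor then sends five requests in the following second."""
    lines = []
    for i in range(n_bots):  # 203.0.113.0/24 is a documentation range, used as a placeholder
        lines.append(f'203.0.113.{i} - - [01/Jan/2016:10:00:00 +0000] "GET / HTTP/1.1" 200 3233 '
                     f'"{REFS[i % 3]}" "{UAS[i % 3]}"')
    for _ in range(5):
        lines.append('192.0.2.10 - - [01/Jan/2016:10:00:01 +0000] "GET /catalog HTTP/1.1" 200 812 '
                     '"-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/45.0"')
    return lines

def analyze(lines, rps_threshold=100, min_sources=50):
    """Return one record per second that looks like a distributed HTTP flood."""
    per_sec, src_per_sec, ua_per_sec = Counter(), defaultdict(set), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:            # skip lines that are not in Combined Log Format
            continue
        ts = m.group("ts")   # CLF timestamps already have one-second resolution
        per_sec[ts] += 1
        src_per_sec[ts].add(m.group("ip"))
        ua_per_sec[ts].add(m.group("ua"))
    flagged = []
    for ts, n in per_sec.items():
        srcs, uas = len(src_per_sec[ts]), len(ua_per_sec[ts])
        # Many sources at roughly one request each, yet the whole crowd shares only a
        # handful of User-Agents: real browsers vary far more than that across 100+ users.
        if n >= rps_threshold and srcs >= min_sources and uas * 10 < srcs:
            flagged.append({"second": ts, "requests": n, "sources": srcs, "user_agents": uas})
    return flagged

if __name__ == "__main__":
    for hit in analyze(make_sample_log()):
        print(hit)
```

The per-source rate stays near one request per second in this pattern, so a per-IP rate limit alone would miss it; the shared-pool ratio is what separates the flood from a genuine traffic spike.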

How did crooks recruit the CCTV devices?

It is likely they exploited a recently disclosed vulnerability that allows remote code execution on digital video recorders from 70 different manufacturers.

It isn’t the first time that experts have found an IoT botnet in the wild. Security experts at Imperva’s Incapsula raised a first warning about closed-circuit television (CCTV) botnet attacks in March 2014, explaining that crooks could exploit the lack of security by design and incorrect configurations. For example, it is quite easy to find online specific models of CCTV cameras running with factory settings, including well-known passwords.

One year later Imperva published a new post on the topic revealing that CCTV cameras have been abused to run a major DDoS attack that peaked at 20,000 requests per second. The experts explained that threat actors behind the attack relied on nearly 900 CCTV cameras running embedded versions of Linux and the BusyBox toolkit.

“Not surprising, given that CCTV cameras are among the most common IoT devices. Reports show that in 2014, there were 245 million surveillance cameras operating around the world” states a blog post from the company.

“Still, old foes have the capacity to surprise, as we were recently reminded, when one of our clients was targeted by repeated HTTP flood attacks. The attack was run of the mill, peaking at 20,000 requests per second (RPS). The surprise came later when, upon combing through the list of attacking IPs, we discovered that some of the botnet devices were located right in our own back yard.”

The experts that analyzed the compromised CCTV cameras confirmed that most of them were accessed via their default login credentials.


Pierluigi Paganini

(Security Affairs – CCTV cameras, cybercrime)
