Sucuri spotted a large botnet of CCTV devices involved in DDoS attacks

Pierluigi Paganini June 28, 2016

Security experts from Sucuri firm have discovered a large botnet of compromised CCTV devices used by crooks to launch DDoS attacks in the wild.

Researchers have encountered a denial-of-service botnet that’s made up of more than 25,000 Internet-connected closed circuit TV devices.

We have discussed several times the IoT and the lack of security by design that makes smart objects a privileged target for hackers. The researchers from the Sucuri Security firm have spotted a malicious botnet composed of more than 25,000 Internet-connected closed circuit TV (CCTV) devices that has been used in denial-of-service attacks.

The company was trying to repel a DDoS attack against a small brick-and-mortar jewelry shop that was hit by almost 35,000 HTTP requests per second. The volume of requests reached 50,000 HTTP requests per second after the company tried to mitigate the attack.

The DDoS attack continued for several days; the CCTV botnet used addresses located in more than 105 countries around the world.

“It is not new that attackers have been using IoT devices to start their DDoS campaigns, however, we have not analyzed one that leveraged only CCTV devices and was still able to generate this quantity of requests for so long.” explained Daniel Cid in a blog post. “As we extracted the geo-location from the IP addresses generating the DDoS, we noticed that they were coming from all over the world, different countries and networks. A total of 25,513 unique IP addresses came within a couple of hours. The source of the attack concentrated in Taiwan, with 24% of the IP address, followed by the USA with 12%, Indonesia with 9%, Mexico with 8% and Malaysia with 6%.”

The experts from Sucuri investigated a number of CCTV boxes involved in the DDoS attack and discovered that all of them were running the “Cross Web Server” and that the devices relied on BusyBox. BusyBox is a piece of software that bundles many common Unix utilities into a single executable file; it is designed for embedded operating systems, including those running on CCTV devices. Many routers and other network appliances run it to ease maintenance activities. In November 2014, experts from Trend Micro spotted a new variant of the BASHLITE malware exploiting the ShellShock vulnerability to infect devices that were running BusyBox.

“As we dug deeper into each of these IP addresses, we learned that all of them were running the “Cross Web Server” and had a similar default HTTP page with the “DVR Components” title.

$ curl -sD - 122.116.xx.xx | head -n 10
 HTTP/1.1 200 OK
 Server:Cross Web Server
 Content-length: 3233
 Content-type: text/html

<title>DVR Components Download</title>

This is what raised our suspicions of an IoT botnet that was leveraging some CCTVs as part of the attack. As we kept looking, we found the company logos from the resellers and manufacturers on all IP addresses.” continues the analysis.

The experts noticed that, to make the DDoS attack harder to neutralize, the CCTV devices had been programmed to emulate normal browser behavior by presenting a variety of common user agents, including those associated with the most popular browsers:

  • User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.5 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.4
  • User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
  • User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

The CCTV devices belonging to the botnet also sent “referrer” headers showing they had most recently visited sites including Engadget, Google, and USA Today.
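As an added example (not code from the article or from Sucuri's post), the following Python script profiles web-server access logs for the pattern described above: sources that push many requests per second while rotating user agents and referrers, which defeats naive user-agent filtering. The log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample (not from the article): one source hammers the site within a single second
# while rotating the user agents and referrers the article quotes; the other is a normal visitor.
# Addresses come from the RFC 5737 documentation ranges, not real hosts.
UA_SAFARI = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.5 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.4"
UA_CHROME = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5"
UA_MSIE = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
T = "28/Jun/2016:10:00:01 +0000"
SAMPLE_LOG = [
    f'203.0.113.7 - - [{T}] "GET / HTTP/1.1" 200 3233 "http://www.engadget.com/" "{UA_SAFARI}"',
    f'203.0.113.7 - - [{T}] "GET / HTTP/1.1" 200 3233 "http://www.google.com/" "{UA_CHROME}"',
    f'203.0.113.7 - - [{T}] "GET /?x=1 HTTP/1.1" 200 3233 "http://www.usatoday.com/" "{UA_MSIE}"',
    f'203.0.113.7 - - [{T}] "GET / HTTP/1.1" 200 3233 "http://www.engadget.com/" "{UA_CHROME}"',
    f'198.51.100.4 - - [{T}] "GET / HTTP/1.1" 200 3233 "-" "{UA_CHROME}"',
    f'198.51.100.4 - - [28/Jun/2016:10:00:09 +0000] "GET /rings.html HTTP/1.1" 200 8120 "-" "{UA_CHROME}"',
]

def profile_sources(lines):
    """Per source IP: request count plus the distinct user agents, referrers and seconds seen."""
    stats = defaultdict(lambda: {"requests": 0, "uas": set(), "refs": set(), "seconds": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Combined Log Format
        s = stats[m["ip"]]
        s["requests"] += 1
        s["uas"].add(m["ua"])
        s["refs"].add(m["ref"])
        s["seconds"].add(m["ts"])  # log timestamps have one-second resolution
    return stats

def flag_flood_sources(lines, min_rps=3.0, min_uas=2):
    """Return {ip: reason} for sources combining a high request rate with user-agent rotation.
    A real browser keeps one user agent per session, so churn plus rate is the tell here.
    Thresholds are assumptions chosen for the sample, not figures from the article."""
    flagged = {}
    for ip, s in profile_sources(lines).items():
        rps = s["requests"] / len(s["seconds"])
        if rps >= min_rps and len(s["uas"]) >= min_uas:
            flagged[ip] = f"{rps:.1f} req/s, {len(s['uas'])} user agents, {len(s['refs'])} referrers"
    return flagged
```

On a real log the flagged list is the input for rate limiting or upstream filtering; the per-IP profile also lets you group sources by ASN or country, as Sucuri did in its analysis.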

How did crooks recruit the CCTV devices?

It is likely they exploited a recently disclosed vulnerability that allows remote code execution on digital video recorders from 70 different manufacturers.

It isn’t the first time that experts have found an IoT botnet in the wild. Security experts at Imperva’s Incapsula raised a first warning about closed-circuit television (CCTV) botnet attacks in March 2014, explaining that crooks could exploit the lack of security by design and incorrect configurations. For example, it is quite easy to find online specific models of CCTV cameras still running with factory settings, including well-known default passwords.

One year later, Imperva published a new post on the topic revealing that CCTV cameras had been abused to run a major DDoS attack that peaked at 20,000 requests per second. The experts explained that the threat actors behind the attack relied on nearly 900 CCTV cameras running embedded versions of Linux and the BusyBox toolkit.

“Not surprising, given that CCTV cameras are among the most common IoT devices. Reports show that in 2014, there were 245 million surveillance cameras operating around the world,” states a blog post from the company.

“Still, old foes have the capacity to surprise, as we were recently reminded, when one of our clients was targeted by repeated HTTP flood attacks. The attack was run of the mill, peaking at 20,000 requests per second (RPS). The surprise came later when, upon combing through the list of attacking IPs, we discovered that some of the botnet devices were located right in our own back yard.”

The experts that analyzed the compromised CCTV cameras confirmed that most of them were accessed via their default login credentials.


Pierluigi Paganini

(Security Affairs – CCTV cameras, cybercrime)
