• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Security Affairs newsletter Round 532 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

McDonald’s job app exposes data of 64 Million applicants

 | 

Athlete or Hacker? Russian basketball player accused in U.S. ransomware case

 | 

U.S. CISA adds Citrix NetScaler ADC and Gateway flaw to its Known Exploited Vulnerabilities catalog

 | 

UK NCA arrested four people over M&S, Co-op cyberattacks

 | 

PerfektBlue Bluetooth attack allows hacking infotainment systems of Mercedes, Volkswagen, and Skoda

 | 

Qantas data breach impacted 5.7 million individuals

 | 

DoNot APT is expanding scope targeting European foreign ministries

 | 

Nippon Steel Solutions suffered a data breach following a zero-day attack

 | 

Iranian group Pay2Key.I2P ramps Up ransomware attacks against Israel and US with incentives for affiliates

 | 

Hackers weaponize Shellter red teaming tool to spread infostealers

 | 

Microsoft Patch Tuesday security updates for July 2025 fixed a zero-day

 | 

Italian police arrested a Chinese national suspected of cyberespionage on a U.S. warrant

 | 

U.S. CISA adds MRLG, PHPMailer, Rails Ruby on Rails, and Synacor Zimbra Collaboration Suite flaws to its Known Exploited Vulnerabilities catalog

 | 

IT Worker arrested for selling access in $100M PIX cyber heist

 | 

New Batavia spyware targets Russian industrial enterprises

 | 

Taiwan flags security risks in popular Chinese apps after official probe

 | 

U.S. CISA adds Google Chromium V8 flaw to its Known Exploited Vulnerabilities catalog

 | 

Hunters International ransomware gang shuts down and offers free decryption keys to all victims

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 52

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Hacking
  • Internet of Things
  • Sucuri spotted a large botnet of CCTV devices involved in DDoS attacks

Sucuri spotted a large botnet of CCTV devices involved in DDoS attacks

Pierluigi Paganini June 28, 2016

Security experts from Sucuri firm have discovered a large botnet of compromised CCTV devices used by crooks to launch DDoS attacks in the wild.

Researchers have encountered a denial-of-service botnet that’s made up of more than 25,000 Internet-connected closed circuit TV devices.

We discussed several times about the IoT and the lack security by design that makes smart objects a privileged target of hackers. The researchers from Sucuri Security firm have spotted a malicious botnet composed of more than 25,000 Internet-connected closed circuit TV devices (CCTV) that has been used in denial-of-service attacks.

The company was trying to repel a DDoS attack against a small brick-and-mortar jewelry shop that was hit by almost 35,000 HTTP requests per second. The volume of requests reached 50,000 HTTP requests per second after the company tried to mitigate the attack.

The DDoS attack continued for several days, the CCTV botnet used addresses located in more than 105 countries around the world.

“It is not new that attackers have been using IoT devices to start their DDoS campaigns, however, we have not analyzed one that leveraged only CCTV devices and was still able to generate this quantity of requests for so long.” explained Daniel Cid in a blog post. “As we extracted the geo-location from the IP addresses generating the DDoS, we noticed that they were coming from all over the world, different countries and networks. A total of 25,513 unique IP addresses came within a couple of hours. The source of the attack concentrated in Taiwan, with 24% of the IP address, followed by the USA with 12%, Indonesia with 9%, Mexico with 8% and Malaysia with 6%.”

CCTV botnet IoT

The experts from Sucuri investigated a number of CCTV boxes involved in the DDoS attack and discovered that all of them were running the “Cross Web Server” and that the devices leveraged on a BusyBox. The BusyBox is a software that provides several Unix tools in a single executable file, it is specific embedded in operating systems, including CCTV. Many routers and other network appliances run the software to advantage maintenance activities. In November 2014, experts from Trend Micro spotted a new variant of the BASHLITE malware exploiting the ShellShock vulnerability to infect devices that were using the BusyBox software.

“As we dug deeper into each of these IP addresses, we learned that all of them were running the “Cross Web Server” and had a similar default HTTP page with the “DVR Components” title.

$ curl -sD - 122.116.xx.xx | head -n 10
 HTTP/1.1 200 OK
 Server:Cross Web Server
 Content-length: 3233
 Content-type: text/html

<title>DVR Components Download</title>

This is what raised our suspicious of a IoT botnet that was leveraging some CCTVs as part of the attack. As we kept looking, we found the company logos from the resellers and manufactures on all IP addresses.” continues the analysis.

The experts noticed that to make it harder to neutralize the DDoS attack, the CCTV had been programmed to emulate normal browser behavior by displaying a variety of common user agents including the ones associated with the most popular browsers:

  • User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.5 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.4
  • User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
  • User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)

The CCTV devices belonging to the botnet also displayed “referrers” showing they had most recently visited sites including Engadget, Google, and USA Today.

How Did crooks recruit the CCTV devices?

It is likely they exploited a recently disclosed vulnerability that allows remote code execution on digital video recorders from 70 different manufacturers.

It isn’t the first time that experts found IoT botnet in the wild. Security experts at Imperva’s Incapsula raised a first warn about closed-circuit television (CCTV) botnet attacks in March 2014, explaining that crooks could exploit the lack of security by design and incorrect configurations. For example, it is quite easy to find online specific models of CCTV cameras working with factory settings, including well-known passwords.

One year later Imperva published a new post on the topic revealing that CCTV cameras have been abused to run a major DDoS attack that peaked at 20,000 requests per second. The experts explained that threat actors behind the attack relied on nearly 900 CCTV cameras running embedded versions of Linux and the BusyBox toolkit.

“Not surprising, given that CCTV cameras are among the most common IoT devices. Reports show that in 2014, there were 245 million surveillance cameras operating around the world” states a blog post from the company. ”

“Still, old foes have the capacity to surprise, as we were recently reminded, when one of our clients was targeted by repeated HTTP flood attacks. The attack was run of the mill, peaking at 20,000 requests per second (RPS). The surprise came later when, upon combing through the list of attacking IPs, we discovered that some of the botnet devices were located right in our own back yard.”

The experts that analyzed the compromised CCTV cameras confirmed that most of them were accessed via their default login credentials.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CCTV cameras, cybercrime)


facebook linkedin twitter

botnet CCTV cameras Cybercrime IoT

you might also like

Pierluigi Paganini July 13, 2025
Security Affairs newsletter Round 532 by Pierluigi Paganini – INTERNATIONAL EDITION
Read more
Pierluigi Paganini July 12, 2025
McDonald’s job app exposes data of 64 Million applicants
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Security Affairs newsletter Round 532 by Pierluigi Paganini – INTERNATIONAL EDITION

    Breaking News / July 13, 2025

    McDonald’s job app exposes data of 64 Million applicants

    Hacking / July 12, 2025

    Athlete or Hacker? Russian basketball player accused in U.S. ransomware case

    Cyber Crime / July 11, 2025

    U.S. CISA adds Citrix NetScaler ADC and Gateway flaw to its Known Exploited Vulnerabilities catalog

    Hacking / July 11, 2025

    UK NCA arrested four people over M&S, Co-op cyberattacks

    Cyber Crime / July 10, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT