FortiGuard Labs Threat Research Report
Affected platforms: Hikvision products
Impacted parties: IP cameras / NVRs
Impact: An attacker can exploit the vulnerability to launch a command injection attack by sending messages containing malicious commands to the device's web server
Last September 18th, a threat researcher released a write-up about a remote code execution vulnerability that affects various products from Hikvision, one of the largest video surveillance brands in the world. Hikvision is a CVE CNA; it quickly assigned the CVE number CVE-2021-36260 and released a patch for the vulnerability on the same day as the threat researcher's disclosure. Shortly after, FortiGuard Labs developed an IPS signature to address it.
During our analysis, we observed numerous payloads attempting to leverage this vulnerability to probe the status of devices or extract sensitive data from victims. One payload in particular caught our attention. It tries to drop a downloader that exhibits infection behavior and also executes Moobot, a DDoS botnet based on Mirai. In this blog we explain how an attacker delivers this payload through the Hikvision vulnerability, along with details of the botnet.
Stage 0 - Exploitation and Propagation
CVE-2021-36260 results from insufficient input validation, allowing unauthenticated users to inject malicious content into a tag to trigger a command injection attack on a Hikvision product. Below is an example of a request leveraging this exploit:
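As an added illustration of the bug class described above (not Hikvision's code, and not the request the write-up refers to), the following hypothetical handler shows a request tag's text spliced into a shell command beside a hardened version that allowlists the value and never invokes a shell; the tag name, command path, allowlist and sample bodies are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Hypothetical tag name; the excerpt does not name the real vulnerable field.
TAG = "setting"
# Constructed allowlist: the only shape a legitimate value may take.
ALLOWED = re.compile(r"[A-Za-z0-9_-]{1,32}")
# Characters that change the meaning of a shell line; used by the detection helper.
SHELL_METACHARS = "$`|;&><\n"

# Constructed sample bodies: a benign value and one carrying a shell separator.
BENIGN = "<request><setting>en-US</setting></request>"
MALICIOUS = "<request><setting>x; echo injected</setting></request>"


def extract_tag(xml_body: str) -> str:
    """Pull the text of the hypothetical <setting> element from a request body."""
    root = ET.fromstring(xml_body)
    node = root if root.tag == TAG else root.find(f".//{TAG}")
    if node is None or node.text is None:
        raise ValueError(f"missing <{TAG}> element")
    return node.text


def build_command_vulnerable(xml_body: str) -> str:
    """Insufficient validation: the tag text is inserted into a shell line as-is.
    If this string reached system()/popen, a separator in the value would end the
    intended command and start a new one chosen by the sender."""
    return f"/bin/set_device_option {extract_tag(xml_body)}"


def build_command_hardened(xml_body: str) -> list:
    """Same feature: reject anything outside the allowlist and pass the value as
    a single argv element, so no shell ever parses it."""
    value = extract_tag(xml_body)
    if not ALLOWED.fullmatch(value):
        raise ValueError("rejected: tag value outside the allowlist")
    return ["/bin/set_device_option", value]


def request_is_accepted(xml_body: str) -> bool:
    """True if the hardened handler would act on the body, False if it rejects it."""
    try:
        build_command_hardened(xml_body)
        return True
    except ValueError:
        return False


def tag_has_shell_metachars(xml_body: str) -> bool:
    """Detection helper for log review: flag bodies whose tag value would alter a
    shell line, which is the property an IPS signature for this class keys on."""
    return any(c in extract_tag(xml_body) for c in SHELL_METACHARS)
```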
Fortinet Inc. published this content on 06 December 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 06 December 2021 18:01:07 UTC.