Researchers from the web security firm Sucuri have discovered that poorly configured CCTV devices such as security cameras, DVRs and NVRs were acting as launch pads for distributed denial-of-service (DDoS) attacks against enterprise websites.
Sucuri's research found more than 25,000 CCTV devices acting as a botnet that launched DDoS attacks against enterprises. For instance, one Sucuri customer's website was hit with about 50,000 HTTP requests per second at the attack's peak, targeting what specialists call the application layer, or layer 7. Such attacks can easily cripple a website: each request looks like an ordinary page load that the web server must fully process, and the infrastructure typically provisioned for a site of that kind handles only a few hundred or a few thousand concurrent connections.
The researchers confirmed that the traffic was mostly coming from CCTV devices such as DVRs: when they connected back to the attacking addresses, most responded to HTTP requests with a page entitled “DVR Components Download”.
Around half of the devices displayed only a generic H.264 DVR logo on that page, while the rest carried more specific branding such as ProvisionISR, QSee, QuesTek, TechnoMate, LCT CCTV, Capture CCTV, Elvox, Novus, and MagTec CCTV.
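The two checks described above, spotting flooding sources in a web access log and then fingerprinting those sources by the title of the page they serve, can be scripted. The following is an added example written for this page, not code from Sucuri or any DVR vendor; the log lines, the response bodies, the 50-requests-per-second threshold and the one-second bucketing are all constructed assumptions, and the brand list is simply the one quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Regex for the common/combined access-log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Page title the researchers used as the DVR marker, and the vendor strings the
# article lists; pages with only the H.264 logo fall back to a generic label.
DVR_MARKER = "DVR Components Download"
KNOWN_BRANDS = ["ProvisionISR", "QSee", "QuesTek", "TechnoMate", "LCT CCTV",
                "Capture CCTV", "Elvox", "Novus", "MagTec CCTV"]


def parse_line(line):
    """Return (ip, datetime, request line) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("req")


def peak_rps(lines):
    """Peak number of requests seen in any single one-second bucket, per client IP."""
    buckets = defaultdict(int)                     # (ip, second) -> request count
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                               # skip malformed lines rather than crash
        ip, ts, _ = parsed
        buckets[(ip, ts.replace(microsecond=0))] += 1
    peak = defaultdict(int)
    for (ip, _), n in buckets.items():
        peak[ip] = max(peak[ip], n)
    return dict(peak)


def flood_sources(lines, threshold=50):
    """Sorted list of IPs whose peak one-second request count reaches the threshold (assumed value)."""
    return sorted(ip for ip, rps in peak_rps(lines).items() if rps >= threshold)


def fingerprint_dvr(html):
    """Classify an HTTP response body: a page titled 'DVR Components Download' marks a DVR.
    Returns the vendor string if one is present, 'generic H.264 DVR' otherwise, None if not a DVR."""
    m = re.search(r"<title>(.*?)</title>", html, re.I | re.S)
    if not m or DVR_MARKER.lower() not in m.group(1).lower():
        return None
    for brand in KNOWN_BRANDS:
        if brand.lower() in html.lower():
            return brand
    return "generic H.264 DVR"


def make_sample_log():
    """Constructed log: two sources sending 400 requests in 2 s each, plus one normal visitor."""
    base = datetime(2016, 6, 27, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for ip in ("203.0.113.10", "198.51.100.7"):
        for i in range(400):
            ts = base + timedelta(milliseconds=5 * i)
            lines.append(f'{ip} - - [{ts.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    for i in range(5):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f'192.0.2.44 - - [{ts.strftime(TS_FMT)}] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"')
    return lines


# Constructed response bodies standing in for what each source returned when probed.
SAMPLE_PAGES = {
    "203.0.113.10": "<html><head><title>DVR Components Download</title></head>"
                    "<body><img src='h264dvr.gif'></body></html>",
    "198.51.100.7": "<html><head><title>DVR Components Download</title></head>"
                    "<body>QSee Remote Client</body></html>",
    "192.0.2.44": "<html><head><title>Welcome</title></head><body>nginx</body></html>",
}


if __name__ == "__main__":
    log = make_sample_log()
    for ip in flood_sources(log):
        print(ip, fingerprint_dvr(SAMPLE_PAGES[ip]))
```

On real data the per-IP peaks would come from the server's own access log and the response bodies from connecting back to the flagged addresses; the point of keeping the two steps separate is that a high request rate alone does not say what the source is, while the page title does.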
Kaspersky's research on the same issue says the botnet has a global distribution, but the countries with the largest numbers of compromised devices are Taiwan (24 percent), the U.S. (16 percent), Indonesia (9 percent), Mexico (8 percent), Malaysia (6 percent), Israel (5 percent), and Italy (5 percent). The Russian security firm added that DVRs are not the only platforms being used for DDoS: it found security cameras from more than 70 vendors also serving as attack sources.
The researchers say that criminals are using networked devices such as security cameras and DVRs installed in enterprises to break into enterprise networks, and are using the same foothold to replace web pages. The company described one customer's experience as an example of this activity.
In early 2016, Kaspersky was approached by a customer who had learnt that her company's data had been compromised. When the firm's researchers investigated, they found that the attackers had entered the network through IP cameras and then gradually taken control of the company's information over a period of two months.
The company's IT staff were unaware of what was happening, and the criminals got hold of around 450GB of critical data, encrypted it, and demanded a ransom for the decryption key. The money-lending firm had no choice but to pay and recover its data. In this case the criminals returned the decryption key as promised once they received the ransom, but that is not guaranteed: paying does not always get the key back.
Unfortunately, there is not much the owners of CCTV DVRs can do about the underlying flaws, because vendors rarely patch identified vulnerabilities, especially in older devices. Good practice is to avoid exposing these devices directly to the Internet by placing them behind a router or firewall that does not forward their web or management ports, and then to verify from an outside connection that the device's web interface is no longer reachable. If remote management or monitoring is needed, use a VPN (virtual private network) to connect into the local network first and then reach the DVR from inside.