A recent botnet campaign built from tens of thousands of CCTV devices took place on a global scale. The malware uses the compromised devices to launch distributed denial-of-service (DDoS) attacks against websites.
The information came out after web security firm Sucuri investigated an attack on a private company, a jewelry shop that had enlisted the firm's services. The findings were striking: the Layer 7 DDoS attack peaked at almost 50,000 HTTP requests per second, and it persisted for a few days after Sucuri intervened.
The severity of the attack prompted further research, and only then was it discovered that the attackers were using CCTV devices. The researchers determined that the jewelry store case was part of a worldwide scheme: the attacks originated from a total of 100 countries. The most affected were Taiwan with 24% of all bots, the United States with 12%, Indonesia with 9%, Mexico with 8% and Malaysia with 6%. By tracing the bots, the security team located 25,000 unique IP addresses in those countries alone. 75% of all bots were located in the top ten countries on the list, with the rest scattered across the remaining territories.
The research showed that simpler devices were the preferred target: almost 50% of the devices carried a generic H.264 DVR logo. The following brands of CCTV devices were identified as participants in the attacks: Provision ISR, Magtec, TechnoMate, Capture, Q-See, LCT, Novus, QuesTek and Elvox.
About 5% of the bot IPs were IPv6 addresses. Sucuri CTO and founder Daniel Cid predicted this trend would continue: “That’s a change we expect to keep happening as IPv6 becomes more popular.”
Sucuri noted what made this particular attack unusual. While abusing Internet of Things (IoT) devices for DDoS attacks is common, this case relied on a single class of device: CCTV devices were the sole means of conducting the attack.
Sucuri's researchers were not able to determine how the CCTV devices had been compromised. Other research from earlier this year may hold the answer.
Security expert Rotem Kerner published a report in March documenting a remote code execution flaw. The vulnerability affected different types of surveillance cameras sold by over 70 manufacturers. Mr. Kerner ran a Shodan search to find vulnerable cameras, which turned up over 30,000 devices; taking unidentified cameras into account, he said he estimates the true total to be much higher.
While no definitive link has been established, the statistics support Mr. Kerner's theory: all of the CCTV brands involved in the attack appear on the list of 70 vendors named in his report.