As cyber researchers, we are doing our bit for the community of developers and deployers by writing about relevant recent vulnerability exploits. We have recently thought about adding scanning functionality, based on open sources, so you can immediately search for and check your own devices and see how many such devices are affected worldwide. Do send us feedback and let us know what you think.
We recently wrote about the DaHua DVR RPC exploit. Here is the latest one, indirectly related to the Mirai botnet attacks in 2016.
Almost a year ago, in March 2016, Rotem Kerner from RSA Security spotted that computers affected by another malware had acquired an additional web server that provided access to DVR devices manufactured by the Chinese company TVT Digital. These devices are white-label products sold worldwide by 70 different vendors under separate brand names. Kerner also discovered TVT software vulnerabilities that allowed an attacker to execute practically any command remotely. According to Kerner, his attempts to contact TVT were in vain and the manufacturer took no measures to patch its products.
Barely 6 months later, criminals were exploiting vulnerabilities in up to hundreds of thousands of connected devices from this manufacturer. The culmination came in October 2016, when TVT devices were among the IoT devices that the Mirai malware used as agents to launch DDoS attacks.
Fast forward to April 2017: Palo Alto Networks reports that TVT Digital devices are under renewed attack by a different malware called Amnesia. It attacks IoT and Linux devices to launch DDoS attacks. Amnesia's enhanced capabilities explain its name: it can "learn" when it is being hunted and, in response, can self-destruct, taking down the whole system with it. There are between 50k-700k IoT devices vulnerable to such attacks.
What can be done to defend yourself? Deny connections from any unknown IP address to your remotely connected devices such as CCTV equipment.
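One way to check that this default-deny rule holds in practice is to audit inbound connection records against the list of sources you actually trust. The following is an added example, not code from this post or from any vendor; the allowlist networks, the three-field log format and all addresses are constructed for illustration.

```python
import ipaddress

# Assumed allowlist of networks permitted to reach the DVR (constructed values).
ALLOWED_SOURCES = ["192.168.10.0/24", "203.0.113.7/32", "2001:db8:10::/48"]

# Constructed sample of inbound records: "source_ip dest_ip dest_port".
SAMPLE_LOG = """\
192.168.10.25 192.168.10.50 80
198.51.100.23 192.168.10.50 80
203.0.113.7 192.168.10.50 554
2001:db8:10::5 2001:db8:10::50 80
2001:db8:ffff::1 2001:db8:10::50 80
not-an-ip 192.168.10.50 80
"""

def build_allowlist(cidrs):
    # strict=True rejects entries with host bits set, catching typos in the list.
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]

def is_allowed(source, allowlist):
    """Default deny: unparseable or unlisted sources are refused."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the embedded IPv4 address.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr.version == net.version and addr in net for net in allowlist)

def denied_connections(log_text, allowlist):
    """Return (source, dest, port) for every record the policy should block."""
    denied = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed records
        source, dest, port = fields
        if not is_allowed(source, allowlist):
            denied.append((source, dest, int(port)))
    return denied

if __name__ == "__main__":
    for record in denied_connections(SAMPLE_LOG, build_allowlist(ALLOWED_SOURCES)):
        print("unknown source reached the device:", record)
```

Any record this reports is a connection that an allowlist firewall in front of the device should have dropped.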