Security Affairs
Australia Alerts Organizations to Ongoing CMS Exploitation Attacks|Ryuk Ransomware Member Pleads Guilty Over Attacks on U.S. Organizations|Progress Told ShareFile Customers to Pull the Plug on Their Servers. Here’s What We Know.|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 105|Security Affairs newsletter Round 585 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. CISA adds iCagenda and Balbooa Forms flaws to its Known Exploited Vulnerabilities catalog|Critical U-Boot Bugs Undermine Secure Boot on Millions of Devices|Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes|Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018|222 GitHub Repositories Linked to Fake Go Package Malware Operation|Former Ransomware Negotiator Sentenced to 70 Months in Prison for Secretly Helping BlackCat Gang|GigaWiper Merges Three Malware Families Into One Destructive Backdoor|Australia Alerts Organizations to Ongoing CMS Exploitation Attacks|Ryuk Ransomware Member Pleads Guilty Over Attacks on U.S. Organizations|Progress Told ShareFile Customers to Pull the Plug on Their Servers. Here’s What We Know.|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 105|Security Affairs newsletter Round 585 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. CISA adds iCagenda and Balbooa Forms flaws to its Known Exploited Vulnerabilities catalog|Critical U-Boot Bugs Undermine Secure Boot on Millions of Devices|Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes|Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018|222 GitHub Repositories Linked to Fake Go Package Malware Operation|Former Ransomware Negotiator Sentenced to 70 Months in Prison for Secretly Helping BlackCat Gang|GigaWiper Merges Three Malware Families Into One Destructive Backdoor|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Moobot botnet spreads by exploiting CVE-2021-36260 flaw in Hikvision products

Moobot is a Mirai-based botnet that is leveraging a critical command injection vulnerability in the webserver of some Hikvision products. The Mirai-based Moobot botnet is rapidly spreading by exploiting a critical command injection flaw, tracked as CVE-2021-36260, in the webserver of several Hikvision products. The Moobot was first documented by Palo Alto Unit 42 researchers […]

hikvision moobot attack 2

Moobot is a Mirai-based botnet that is leveraging a critical command injection vulnerability in the webserver of some Hikvision products.

The Mirai-based Moobot botnet is rapidly spreading by exploiting a critical command injection flaw, tracked as CVE-2021-36260, in the webserver of several Hikvision products. The Moobot was first documented by Palo Alto Unit 42 researchers in February 2021, the recent attacks demonstrated that its authors are enhancing their malware.

The critical issue affects more than 70 Hikvision camera and NVR models and can allow attackers to take over the devices. The vulnerability is an unauthenticated Remote Code Execution (RCE) vulnerability in Hikvision IP camera/NVR firmware, it was discovered by a security researcher that goes online with the moniker “Watchful IP.”

Upon compromising the IP camera, an attacker can also use the hacked device to access internal networks posing a risk to the infrastructure that uses the devices.

The researcher pointed out that the exploitation of the issue doesn’t require user interaction, the attacker only needs access to the http(s) server port (typically 80/443).

The expert pointed out that every firmware developed since 2016 has been tested and found to be vulnerable.

According to Hikvision, the vulnerability is due to insufficient input validation and can be exploited by sending specially crafted messages to vulnerable devices.

The company states that the attacker can exploit the flaw only if he has access to the device network or the device has direct interface with the Internet. The vulnerability was reported to the vendor in June, the company released firmware updates on September 19.

The vulnerability was exploited by botnet operators to extract sensitive data from unpatched devices, Fortinet researchers reported.

“During our analysis, we observed numerous payloads attempting to leverage this vulnerability to probing the status of devices or extracting sensitive data from victims. One payload in particular caught our attention. It tries to drop a downloader that exhibits infection behavior and that also executes Moobot, which is a DDoS botnet based on Mirai.” reads the analysis published by Fortinet.

Moobot Hikvision exploit

Fortinet researchers spotted a downloader for the Moobot malware with the “hikivision” parameter, it saves final payload as “macHelper.”

The malware also modifies basic commands like “reboot” to prevent an administrator from rebooting the infected device. 

Fortinet researchers found similarities between Moobot and Mirai, they also discovered that Moobot borrows some elements from the Satori botnet.

Moobot is a DDoS botnet that supports multiple attack methods.

hikvision moobot attack 2

The analysis of captured packet data, allowed Fortinet researchers to track down a Telegram channel used to advertise DDoS services since August.

“Although a patch has been released to address this vulnerability, this IoT botnet will never stop looking for a vulnerable end point. Because of this, users should upgrade affected devices immediately as well as apply FortiGuard protection.” concludes Fortinet.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]