CCTV cameras worldwide used in DDoS attacks

[Note:  This item comes from friend Bob Frankston.  DLH]

From: “Bob Frankston” <>
Date: October 26, 2015 at 8:52:17 AM PDT
Subject: CCTV cameras worldwide used in DDoS attacks | ZDNet notsp

Again … the real message is not in the particular vulnerability of reusing credentials. It’s a reminder that it’s going to take a while to evolve this new landscape of connected things. In the meantime, we need to learn to survive such problems rather than focusing on preventing and trying to put a wall between good and evil.

CCTV cameras worldwide used in DDoS attacks
Over 900 CCTV cameras have been enlisted as slaves in a botnet thanks to default credentials.
By Charlie Osborne for Zero Day
Oct 26 2015

Over 900 CCTV cameras have become slaves in a global botnet used to disrupt online services, researchers have discovered.

In the past year, we’ve seen refrigerators being hacked, Jeeps being remotely controlled by attackers while the driver is a helpless passenger, and everything from baby monitors to routers being criticized for poor security which can place not only our Internet of Things (IoT) devices at risk, but our personal privacy and security.

There are approximately 240 million surveillance cameras in use worldwide — counting only those which have been professionally logged and installed. Unfortunately, if default settings are left in place and forgotten about, surveillance cameras can become an easy target for cyberattackers setting up or empowering botnets — networks of slave systems which can flood Internet services with traffic after directions from a master controller, resulting in denial-of-service for legitimate traffic.

According to Incapsula’s research team, CCTV cameras are a common element of IoT-based botnets. In March last year, Incapsula discovered a 240 percent surge in botnet activity across the firm’s network — and much of this uptake was placed at the feet of enslaved CCTV cameras across the globe.

Now, a fresh attack is poised to disrupt online services. First discovered when investigating an HTTP Get Flood attack — a type of distributed denial-of-service (DDoS) campaign — which peaked at around 20,000 requests per second, the researchers found that within the list of attacking IPs, many of them belonged to CCTV cameras.

Traffic was able to surge through these connected devices due to installers failing to change default credentials in order to protect the cameras from infiltration.

All of the compromised devices were running BusyBox, a lightweight Unix utility bundle designed for systems with limited resources. Once an attacker gained access to a camera through the default credentials, they installed a variation of the ELF Bashlite malware, a type of malicious code which scans for network devices running BusyBox.

If devices are discovered, the malware then searches for open Telnet/SSH services which are susceptible to brute force dictionary attacks. This particular variant, however, was also equipped with the power to launch DDoS attacks.

[Figure: map of all the hacked CCTV cameras involved in DDoS attacks]
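Added example, not part of the original article or e-mail: a defender-side check for the two behaviours the article attributes to the infected cameras, scanning for Telnet/SSH services and sending HTTP floods, run over flow records from a camera network. The flow records, the addresses (a hypothetical camera VLAN and recorder) and both thresholds are constructed assumptions, not values from the article.

```python
from collections import defaultdict

SCAN_PORTS = {22, 23}    # SSH and Telnet, the services the article says are probed
HTTP_PORTS = {80, 443}
SCAN_FANOUT = 20         # assumed: distinct hosts contacted on 22/23 before flagging
FLOOD_RATE = 50          # assumed: HTTP connections per second to one destination


def build_sample_flows():
    """Constructed flow records: (epoch_second, source_ip, dest_ip, dest_port)."""
    flows = []
    # A healthy camera only streams to its recorder (hypothetical NVR at 10.0.1.10).
    for t in range(0, 60, 5):
        flows.append((t, "10.0.5.11", "10.0.1.10", 554))
    # A camera sweeping many hosts on Telnet/SSH.
    for i in range(40):
        flows.append((i, "10.0.5.12", f"198.51.100.{i + 1}", 23 if i % 2 else 22))
    # A camera sending 100 HTTP connections per second to one host for 3 seconds.
    for i in range(300):
        flows.append((10 + i // 100, "10.0.5.13", "203.0.113.80", 80))
    return flows


def classify_cameras(flows, scan_fanout=SCAN_FANOUT, flood_rate=FLOOD_RATE):
    """Return {source_ip: [findings]} for sources that look compromised."""
    scan_targets = defaultdict(set)   # source -> distinct hosts hit on 22/23
    http_per_sec = defaultdict(int)   # (source, dest, second) -> connection count
    for ts, src, dst, port in flows:
        if port in SCAN_PORTS:
            scan_targets[src].add(dst)
        elif port in HTTP_PORTS:
            http_per_sec[(src, dst, ts)] += 1

    findings = defaultdict(set)
    for src, targets in scan_targets.items():
        if len(targets) >= scan_fanout:
            findings[src].add("telnet-ssh-scan")
    for (src, _dst, _ts), count in http_per_sec.items():
        if count >= flood_rate:
            findings[src].add("http-flood")
    return {src: sorted(tags) for src, tags in findings.items()}


if __name__ == "__main__":
    for src, tags in sorted(classify_cameras(build_sample_flows()).items()):
        print(src, tags)
```

A camera normally talks to a handful of fixed peers, so both thresholds can sit far below what would be needed for general-purpose hosts.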

