Month: June 2023

Cybercriminals Exploit Chinese Surveillance Cameras for Profit


Tens of thousands of surveillance cameras still carry a critical security vulnerability that has been public for 11 months, leaving many organizations exposed to compromise.

Recent research findings reveal that a staggering 80,000 Hikvision surveillance cameras worldwide remain vulnerable to an 11-month-old flaw that enables command injection attacks.

Hikvision, short for Hangzhou Hikvision Digital Technology, is a Chinese state-owned manufacturer of video surveillance equipment. Although the Federal Communications Commission (FCC) designated Hikvision “an unacceptable risk to U.S. national security” in 2019, its customers span more than 100 countries, including the United States.

A command injection vulnerability in Hikvision cameras was disclosed last autumn and assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-36260. The National Institute of Standards and Technology (NIST) rated the vulnerability critical, with a severity score of 9.8 out of 10.

Nearly a year after the vulnerability was exposed, more than 80,000 affected devices remain unpatched. Researchers have also found multiple instances of hackers looking for collaborators to exploit the command injection flaw in Hikvision cameras, mostly on Russian dark web forums, where leaked credentials for the vulnerable devices have been offered for sale.

The full extent of the damage done so far is unknown. The report’s authors could only speculate that Chinese threat groups such as MISSION2025/APT41, APT10 and their affiliates, along with unidentified Russian threat actors, could exploit these devices for their own ends, including geopolitical objectives.

The Vulnerabilities Inherent in IoT Devices

Faced with stories like this, it is tempting to put the failure of individuals and organizations to patch their software down to laziness. The reality is usually far more complicated.

According to David Maynor, senior director of threat intelligence at Cybrary, Hikvision cameras have been vulnerable for a long time and for several reasons. Hikvision’s products, he says, contain systemic vulnerabilities that are easy to exploit or, worse, rely on default credentials. There is also no effective way to perform forensic analysis on them or to verify that an attacker has been completely removed, which compounds the problem. Notably, there is no visible sign of a stronger security posture in Hikvision’s development cycle.

The problem is not unique to Hikvision; it afflicts the entire industry. Paul Bischoff, a privacy advocate at Comparitech, stressed that Internet of Things (IoT) devices such as cameras are much harder to secure than apps on a mobile phone. A smartphone promptly notifies the user of available updates and often installs them automatically on reboot, whereas updates for IoT devices usually have to be downloaded and installed by hand, a step many users skip. IoT devices also rarely give any indication that they are unsecured or out of date, which makes the problem worse.

While users remain unaware, cybercriminals can find vulnerable devices by scanning for them with search engines such as Shodan or Censys. Bischoff added that user negligence compounds the problem: Hikvision cameras ship with a small set of predetermined passwords, and a significant number of users never change these default credentials.

How ‘Muddled Libra’ Cybercrime Group Exploits BPO Sector with Sophisticated Social Engineering Techniques

The business process outsourcing (BPO) sector is under attack from a cybercrime group known as Muddled Libra, which relies on sophisticated social engineering to gain unauthorized access. The persistence of these attacks has raised concern within the cybersecurity community.

Palo Alto Networks Unit 42 said in a technical report that the emergence of the 0ktapus phishing kit in late 2022 introduced a new attack style associated with Muddled Libra. The kit provided a ready-made hosting framework and bundled templates, which led to its widespread adoption. “Libra” is the designation the company uses for cybercrime groups, while “muddled” reflects the uncertainty surrounding who uses the 0ktapus framework.

The 0ktapus framework, also tracked as Scatter Swine, first came to light in August 2022 in connection with smishing attacks on numerous organizations, including Twilio and Cloudflare. CrowdStrike later disclosed a series of attacks against telecom and BPO companies dating back to June 2022. Those attacks combined credential phishing with SIM swapping, and the cluster behind them is tracked under several names, including Roasted 0ktapus, Scattered Spider and UNC3944.

Kristopher Russo, a senior threat researcher, explained that the name Muddled Libra reflects the confusing landscape around the 0ktapus phishing kit. Many threat actors have added the kit to their arsenal, he noted, but using it alone does not make them part of Muddled Libra under Unit 42’s classification.

The attacks initiated by this e-crime group employ smishing and the 0ktapus phishing kit to gain initial access. They typically culminate in data theft and the establishment of long-term persistence. Another notable characteristic is the group’s utilization of compromised infrastructure and stolen data to carry out subsequent attacks on the customers of their victims. In some instances, they even target the same victims repeatedly to replenish their dataset.

After investigating several Muddled Libra incidents between June 2022 and early 2023, Unit 42 described the group as relentless, methodical and highly adaptable, quickly changing tactics when it runs into obstacles. Besides using a range of legitimate remote management tools to maintain persistent access, Muddled Libra tampers with endpoint security solutions to evade detection. The group also exploits the fatigue caused by repeated multi-factor authentication (MFA) notifications to steal credentials.

The threat actors have also been observed gathering lists of employees, their job roles and their mobile phone numbers in order to carry out smishing and prompt bombing attacks. If that fails, Muddled Libra actors call the organization’s help desk, impersonate the victim, and ask to enroll a new MFA device under their own control.
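As an added example, not code from the Unit 42 report or this post, the Python below flags the two behaviours described above in identity-provider logs: a burst of MFA push prompts against one user (prompt bombing) and a new MFA factor enrolled shortly after such a burst (the help-desk pretext). The log line format, field names, event names and thresholds are assumptions, and the sample log is constructed.

```python
# Flag MFA prompt bombing and a follow-on MFA factor enrollment in IdP logs.
# Added example, not Unit 42 or vendor code. The line format, field names and
# thresholds are assumptions; map them onto your identity provider's export.
from collections import defaultdict
from datetime import datetime, timedelta

BURST_COUNT = 5                       # this many pushes to one user ...
BURST_WINDOW = timedelta(minutes=10)  # ... inside this window = prompt bombing
ENROLL_GRACE = timedelta(minutes=60)  # new factor this soon after a burst is suspect

def parse_line(line):
    """Assumed format: '<ISO-8601 time> user=<id> event=<name>'."""
    ts, user_kv, event_kv = line.split()
    return datetime.fromisoformat(ts), user_kv.split("=", 1)[1], event_kv.split("=", 1)[1]

def detect(lines):
    """Return (user, finding, timestamp) tuples in log order."""
    recent = defaultdict(list)   # user -> push timestamps still inside the window
    burst_at = {}                # user -> time the burst was first flagged
    findings = []
    for line in lines:
        ts, user, event = parse_line(line)
        if event in ("push_sent", "push_denied"):
            window = recent[user]
            window.append(ts)
            while ts - window[0] > BURST_WINDOW:   # expire prompts older than the window
                window.pop(0)
            if len(window) >= BURST_COUNT and user not in burst_at:
                burst_at[user] = ts
                findings.append((user, "mfa_push_burst", ts))
        elif event == "factor_enrolled":
            # Enrollment alone is routine help-desk work; enrollment soon after a burst is not.
            if user in burst_at and ts - burst_at[user] <= ENROLL_GRACE:
                findings.append((user, "enrollment_after_burst", ts))
    return findings

# Constructed sample: alice gets five pushes in four minutes and a new factor
# 20 minutes later; bob's single push and carol's enrollment are routine.
SAMPLE_LOG = [
    "2023-06-01T09:00:00 user=alice event=push_sent",
    "2023-06-01T09:01:00 user=alice event=push_denied",
    "2023-06-01T09:02:00 user=alice event=push_sent",
    "2023-06-01T09:03:00 user=alice event=push_denied",
    "2023-06-01T09:04:00 user=alice event=push_sent",
    "2023-06-01T09:10:00 user=bob event=push_sent",
    "2023-06-01T09:24:00 user=alice event=factor_enrolled",
    "2023-06-01T09:30:00 user=carol event=factor_enrolled",
]
```

Running `detect(SAMPLE_LOG)` yields two findings for alice and none for bob or carol; in production the enrollment finding is the one worth routing to the help desk for a callback on a known-good number.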

The researchers stressed how successful Muddled Libra’s social engineering has been. The actors show remarkable confidence on the phone with help desk staff and other employees, and routinely persuade them to take unsafe actions.

The attacks also use credential-stealing tools such as Mimikatz and Raccoon Stealer to escalate privileges, along with various scanners for network discovery, which lets the group pull data from platforms such as Confluence, Jira, Git, Elastic, Microsoft 365 and internal messaging systems.

Unit 42 suspects that the creators of the 0ktapus phishing kit do not have the same advanced capabilities as Muddled Libra, and that despite some overlap in tradecraft there is no definitive link between the actor and UNC3944.
