Attackers rope DVRs in bitcoin-mining botnet in record time
How long does it take for one out of the box digital video recorder to be compromised with malware once the device has been connected to the Internet? The unfortunate answer is just one day.
When, in early April, SANS ISC CTO Johannes Ullrich discovered that cybercrooks were targeting Hikvision DVRs and Synology Diskstations and infecting them with bitcoin-mining malware, he decided to do some testing.
“As part of my ‘IoT Honeypot Lab”, I started adding a DVR to see how long it took to get compromised. The DVR (EPCOM Hikvision S04 DVR) was installed ‘as purchased’ and port 23 was exposed to the internet,” he explained the set up.
It took next to not time for attackers to “find” the device by scanning the honeypot, and to attempt to brute force the password needed gain root access on the device.
“During the first day of the test, 13 different source IPs scanned our honeypot, 6 managed to log in using the default username and password (‘root’, ‘12345’),” he shared on Monday. “Only one of the attackers went beyond a simple ‘fingerprint’ of the honeypot.”
This one attacker ultimately managed to upload a bitcoin mining binary, in spite the fact that the device has no “upload” feature – no wget, an ftp or telnet client.
The attacker ultimately managed to pull the feat by using a script containing several “echo” commands to first upload wget, then use the latter to retrieve the bitcoin-mining malware.
Still, Ullrich believes that compromising devices such as this one will bring no joy to the attackers.
“Throughout the day, the server periodically pushes parameters to the miner, but I haven’t seen the miner return anything yet, which probably underscores the fact that these miners are pretty useless due to their weak CPUs,” he pointed out.
He also noted that the device did get infected multiple times, but that none of the attackers changed the default password or removed prior bitcoin miners.
Ullrich described the features of the DVR he used for the test, and it’s immediately obvious where most of the problem lies: poor security practices and firmware coded without any great thought about security.