25,000-strong CCTV botnet used for crippling DDoS attacks

A DDoS attack against a jewelry shop website has lead researchers to the discovery of a CCTV botnet comprised of some 25,000 cameras from around the globe.

The website had been repeatedly attacked, first with 35,000 HTTP requests per second and then, when those efforts were thwarted, with 50,000 HTTP requests per second.

Looking into the IP addresses from which the attack was coming from, Sucuri researchers discovered that all of them were running the ‘Cross Web Server’ and had a similar default HTTP page with the ‘DVR Components’ title. After digging some more, they discovered company logos from the resellers and manufactures on all the IP addresses.

CCTV botnet vendor distribution

“The majority had the default H.264 DVR [stand alone DVR] logos, but the others had modified branding to match the company that built or sold it. All these devices are BusyBox based,” they found.

One theory, still unconfirmed, about how the attackers managed to rope these devices into a botnet is that they were hacked via a recently disclosed RCE vulnerability in CCTV-DVRs.

Another interesting discovery was that the compromised cameras are able to emulate normal behavior of most popular browsers, in an attempt to make it more difficult for defenders to identify and block the malicious requests.

The compromised CCTV cameras are located in Taiwan, USA, Indonesia, Mexico, Malysia, Israel, Italy, and so on.

The researchers have been reaching out to networks on which the cameras are located, trying to get admins to clean them up, patch them, and isolate them from the Internet. Still, they are aware that the botnet herders will easily find other cameras – and other vulnerable IoT devices – to rope into their malicious network.

“It is not new that attackers have been using IoT devices to start their DDoS campaigns, however, we have not analyzed one that leveraged only CCTV devices and was still able to generate this quantity of requests for so long,” Sucuri CTO Daniel Cid pointed out.

Some IoT botnets are used for other things, like Bitcoin mining.

Security flaws, misconfiguration, and pure and simple ignorance about the dangers of keeping IoT devices connected to the Internet while unsecured is what will keep these botnets functioning for years to come.