
Moobot botnet spreads by exploiting a vulnerability in Hikvision cameras

A Mirai-based botnet called "Moobot" is spreading aggressively by exploiting a critical command injection vulnerability in the web server of many Hikvision products.

Moobot botnet


Hikvision is a Chinese state-owned manufacturer of cameras and surveillance equipment that has been sanctioned by the US government for human rights violations.

The vulnerability is tracked as CVE-2021-36260 and can be exploited remotely by sending specially crafted messages containing malicious commands.

Hikvision fixed the bug in September 2021 with a firmware update (v 210628), but not all users have been quick to apply the security update.

Fortinet reports that Moobot is exploiting this flaw to compromise unpatched devices and extract sensitive data from victims.

The infection process

Exploiting the flaw is quite simple: it requires no authentication and can be triggered by sending a message to a vulnerable device that is exposed to the internet.

Among the various payloads that exploit CVE-2021-36260, Fortinet found a downloader disguised as "macHelper", which retrieves and executes Moobot with the "hikivision" parameter.

The malware also modifies basic commands such as "reboot" so that they no longer work properly, preventing an administrator from restarting the compromised device.

Fortinet analysts have identified several similarities between Moobot and Mirai.


In addition, Moobot includes some elements from Satori, a different variant of Mirai whose author was arrested and convicted in the summer of 2020.

It is important to note that this is not the first time Moobot has been detected, as researchers at Unit 42 first discovered it in February 2021.

However, the fact that the botnet keeps adding new CVEs shows that it is still being actively developed and is gaining new targeting capabilities.

Moobot botnet

Moobot's goal is to enlist the compromised device in DDoS attacks.

The C2 server sends a SYN flood command along with the IP address and port number of the target to attack.

Other commands that the C2 server can send include 0x06 for UDP flood, 0x04 for ACK flood and 0x05 for ACK + PUSH flood.

By examining the captured packet data, Fortinet was able to identify a Telegram channel that began offering DDoS services last August.


Enrolling a device in a "DDoS swarm" increases its power consumption, accelerates wear and can leave the device unresponsive.

The best way to protect IoT devices from botnets is to apply available security updates as soon as possible and to replace the default credentials with strong passwords.
