1 million webcams are infected with the BASHLITE worm and used for DDoS attacks



    More than a million Internet-connected video cameras and DVRs have been compromised and are part of a botnet that its creators use to conduct DDoS attacks. This was reported by researchers from Level 3 Threat Research Labs. According to them, the attackers use a malware family known as Lizkebab, BASHLITE, Torlus and Gafgyt, and they have managed to infect about a million devices in different countries.

    While studying well-known botnets, the researchers found that the BASHLITE worm is associated with some of the most organized and well-structured ones. At the same time, the size of a botnet could change from week to week: the researchers recorded BASHLITE software interacting with 74 bots, and a few days later the number could already be 120,000. In particular, they detected a large botnet that used about 100 command servers. This system carried out up to 1000 DDoS attacks per day, many of which lasted 5 minutes or less.

    According to the researchers, about 1 million IoT devices are infected with BASHLITE, of which approximately 96% are cameras and video surveillance systems (DVRs). A significant share of the devices are located in Taiwan, Brazil and Colombia.

    [Figure: Geographic distribution of attacks.]

    Attackers are most often interested in surveillance systems because these are easy to take over: very often the Telnet service is not disabled on them, and their web interfaces are accessible from the Internet with standard logins and passwords.
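
    A defender can check their own cameras and DVRs for these two exposures. The script below is an added example, not code from Level 3 or from the original article: it reads nmap grepable (`-oG`) output, assumed to come from a scan of your own address range run from the Internet side, and lists devices with Telnet open or a web interface reachable. The sample scan, host names and the set of web ports are constructed assumptions.

```python
import re

# Constructed sample of nmap grepable (-oG) output; addresses are RFC 5737
# documentation addresses and the host names are made up.
SAMPLE_SCAN = "\n".join([
    "# Nmap scan of the camera address range (constructed sample)",
    "Host: 192.0.2.10 (dvr-lobby)\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///",
    "Host: 192.0.2.11 (cam-dock)\tPorts: 23/closed/tcp//telnet///, 443/open/tcp//https///",
    "Host: 192.0.2.12 ()\tPorts: 23/filtered/tcp//telnet///, 8080/open/tcp//http-proxy///",
    "Host: 192.0.2.13 ()\tStatus: Up",
])

TELNET_PORTS = {23}
WEB_PORTS = {80, 443, 8080}  # assumption: ports the device web interface may use
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")

def parse_host_line(line):
    """Return (address, name, open TCP ports) for a 'Host:' line with a Ports field, else None."""
    m = HOST_RE.match(line)
    ports_field = next((f for f in line.split("\t") if f.startswith("Ports:")), None)
    if not m or ports_field is None:
        return None
    open_ports = set()
    for entry in ports_field[len("Ports:"):].split(","):
        parts = entry.strip().split("/")  # port/state/proto/owner/service/...
        if len(parts) >= 3 and parts[0].isdigit() and parts[1:3] == ["open", "tcp"]:
            open_ports.add(int(parts[0]))
    return m.group(1), m.group(2), open_ports

def audit(scan_text):
    """List devices exposing the two services the article names."""
    findings = []
    for line in scan_text.splitlines():
        parsed = parse_host_line(line)
        if parsed is None:
            continue
        addr, name, ports = parsed
        issues = []
        if ports & TELNET_PORTS:
            issues.append("telnet-enabled")
        if ports & WEB_PORTS:
            issues.append("web-interface-reachable")  # check for default credentials
        if issues:
            findings.append((addr, name, issues))
    return findings

if __name__ == "__main__":
    for addr, name, issues in audit(SAMPLE_SCAN):
        print(f"{addr} ({name or 'unnamed'}): {', '.join(issues)}")
```

    A reachable web interface is only half of the problem described above; each flagged device still needs its login checked and the standard password replaced.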

    A significant share of the infected IoT devices were made by several companies, one of which is Dahua Technology. According to researchers from Level 3, vendors are already preparing patches to close the vulnerabilities that BASHLITE software uses.

    This is not the first time that Internet-connected video cameras have been attacked and combined into botnets. Earlier this year, researchers at Sucuri discovered a botnet of 25,000 Internet-connected video surveillance devices. In addition, a botnet for DDoS attacks, consisting of infected webcams, was found by specialists from Arbor's Security Engineering and Response Team (ASERT).

    Researchers from Positive Technologies also found critical vulnerabilities in popular firmware for DVR devices. Among the flaws are a standard superuser password that cannot be changed because of the way it is stored, open service ports, and multiple vulnerabilities in the DVR software that give an attacker access to the system. In addition, the experts discovered a so-called master password, which works for the account of any user of the system and opens access to the video surveillance device with maximum privileges. This password is the same for all DVR devices running this software and cannot be changed by the user.

    Devices using the vulnerable software are sold under dozens of brands around the world. Manufacturers often copy the vulnerable software wholesale and use it in their own products without change. Moreover, they probably do not have access to the source code of the original system containing the vulnerabilities, which deprives them of the opportunity to fix the security flaws.

    According to experts from Positive Technologies, these systems account for more than 90% of the market segment for devices of this class. Such devices are used in security systems mainly by small and medium-sized businesses, as well as by individuals (for example, to keep an eye on their apartment via the Internet). A large number of vulnerable systems can be found on the Internet using conventional search engines. At the time the vulnerability was found in the firmware, search engines had indexed about 500,000 such devices, and it would not have been difficult for an attacker to gain full access to them.

    More detailed information was presented in a report during the Positive Hack Days III forum.

