Sunday, October 24, 2021

Huge botnet leveraged thousands of Internet-connected CCTV cameras for DDoS attack

Some infosec pros dismiss worries about the Internet of Things if many devices don’t store or transmit personal information. But there are other ways attackers can leverage devices connected to the Internet — as sources for distributed denial of service (DDoS) attacks.

Security vendor Securi Inc. described the latest use on Monday, one that used thousands of Web-connected CCTV cameras with over 25,000 unique IP addresses in 105 countries. Described by the company as a variation of the HTTP flood and cache bypass attack, 24 per cent of the IP addresses were in Taiwan and 12 per cent in the U.S.

Combined the botnet threw out 50,000 HTTP requests per second over several days. Securi came across the attack from one of the victims, a small jewelry store.

The majority of the cameras (48 per cent) had the default H.264 DVR logos, says Securi, but the others had modified branding to match the company that built or sold it. All these devices are based on BusyBox, a Linux OS for embedded devices.

Securi speculates the cameras were attacked using a remote code execution vulnerability first discovered in late 2104 that affected 70 camera makers. In the fall of that year Incapsula reported a botnet of some 900 CCTV cameras from around the world had been discovered targeting what was described as a “rarely-used asset of a large cloud service, catering to millions of users worldwide.” Again, all devices were running BusyBox.

Securi researchers said attackers used random search referrers from sites including Google, USA Today and Engadget and user-agent combinations in an effort to emulate normal browser behavior.

Sucuri CTO and founder Daniel Cid urges online camera users and vendors to make sure their devices are fully patched and isolated from the Internet. “Actually,” he adds, “not just your online camera, but any device that has Internet access (from DNS resolvers, to NTP servers, and so on).”

In its blog Incapsula reminded infosec pros on the importance of changing default passwords of Internet-connected devices.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News