A researcher has found multiple vulnerabilities in Wireless IP Camera (P2P) WIFICAM cameras, as well as flaws in a custom HTTP server. More specifically, more than 100,000 Internet-connected cameras are prone to attacks by a new IoT malware dubbed Persirai. The malware is spreading via the vulnerabilities in these cameras.
Persirai Malware Observed by Researchers
According to security researcher Pierre Kim, the flaws could allow an attacker to perform remote code execution to hijack the cameras. The researcher reported the vulnerabilities to the vendor in March.
Exploited Vulnerabilities in Persirai Attacks
Unfortunately, the researcher says that the Wireless IP Camera (P2P) WIFICAM is full of flaws, as are plenty of other Chinese cameras. Even though the cameras are sold under different names, brands and functions, they share the same vulnerabilities. Basically, the OEM vendor used a custom version of GoAhead and included the vulnerable code inside.
Because of code reuse, the vulnerabilities are present in a huge list of cameras (especially the InfoLeak and the RCE), which allow an attacker to execute root commands against 1250+ camera models with a pre-auth vulnerability.
Here is the list of flaws:
CVE-2017-8224 – Backdoor account
CVE-2017-8222 – RSA key and certificates
CVE-2017-8225 – Pre-Auth Info Leak (credentials) within the custom HTTP server
Authenticated RCE as root
Pre-Auth RCE as root
CVE-2017-8223 – Misc – Streaming without authentication
CVE-2017-8221 – Misc – “Cloud” (aka Botnet)
It appears that at least 1,250 camera models produced by the Chinese are prone to attacks based on the vulnerabilities above.
What is worse, TrendMicro has reported a new malware family that is being spread via the bugs in these products. The company says that approximately 120,000 cameras found via Shodan, the search engine for IoT devices, are open to Persirai attacks.
Like other IoT malware, Persirai infects the cameras to form a botnet. DDoS attacks are likely to follow.
In addition, another security company, Qihoo 360, has also observed Persirai attacks and estimates that 43,621 cameras in China are infected with it.
Another IoT worm was also recently discovered by researchers. The Hajime worm has stealthier capabilities than Mirai, and is more advanced than its predecessor. After the initial infection, the threat takes several steps to hide its running processes as well as its files on the file system.
Furthermore, the operator of the worm can open a shell script to any infected device in the network at any time. Researchers say that its code is modular, meaning that new capabilities can be added on the go.
At the time of the discovery, Hajime didn’t have DDoS capabilities, but this could quickly change. Researchers discovering new IoT malware at this rate only means one thing – the IoT attack landscape is about to get even worse.