A recent security report indicates that an experienced hacker collective is actively attacking CCTV Camera Devices. The ongoing attack is specifically targeting unpatched products made by the LILIN company.
LILIN CCTV Camera Devices Attacked Via Multiple Exploits
IoT devices are among the most targeted because they are often exposed both to the public Internet and to the internal network. A recent security report indicates that experienced hackers have begun to target devices made by the LILIN company. Several vulnerabilities are used to gain unauthorized access to the networks.
The attack exploits a vulnerability chain made up of 3 parts: a command injection bug, a separate arbitrary file reading vulnerability and a second command injection. It is very possible that the protocols used to infect the devices include NTP and FTP. One of the most likely methods is the use of password guessing or brute force attacks.
The end goal of the attacks is to deploy malware and access the internal network. One of the deployed threats is the Chalubo client, a well-known malicious program that is often directed against such endpoints. It is run by a small client which executes according to the deployed configuration file. The Chalubo malware leads to dangerous system modifications and also removes the associated log files.
Another of the possible dropped threats is the Fbot botnet, widely known for its unusual behavior. It is well known among security researchers because it does not use traditional network connections to communicate with the command and control server. Instead, it relies on a blockchain-based DNS technique. It has been used in the past to intrude onto Huawei routers and Realtek-SDK based devices, ranging from Android smartphones and tablets to Smart TVs.
A less popular piece of malware that can be dropped by the attack campaign is the MooBot Trojan. This is a classic backdoor designed to let the hackers intrude onto the target computers and devices.
At the moment, the IP addresses that host infected LILIN devices are identified as originating from the following countries: Ukraine, The Netherlands, The USA, Spain, Japan and Belize. The vendor has released patches following the public disclosure. We advise all owners of LILIN devices to apply the latest firmware updates.