
Attackers are targeting unpatched Hikvision video systems to drop a DDoS botnet. Though a patch was released in September, any still-vulnerable Hikvision IP Network Video Recorder (NVR) products are being actively targeted by the Mirai-based botnet known as Moobot.
The Moobot botnet, which is used to carry out distributed denial of service (DDoS) attacks, is leveraging a known remote code execution (RCE) vulnerability in Hikvision products, CVE-2021-36260. The attack surface could be significant: China-based Hikvision touts itself as the world's leading supplier of video-surveillance products.
Once the attacker finds a vulnerable system, a downloader drops the malware, which FortiGuard identified as Moobot, a variant of Mirai with traces of Satori code. Satori is another Mirai-based botnet and one of dozens that have been spun off the original source code.
The most obvious feature, the researchers found in analysing the binary, is that it contains the data string w5q6he3dbrsgmclkiu4to18npavj702f, which is used in the "rand_alphastr" function. "It is used to create random alphanumeric strings with different purposes, such as for a setup process name or to generate data for attacking."
Once it makes a connection with the command-and-control server (C2), it launches the DDoS attack.

The analysts were able to track the code to a DDoS service provider’s Telegram channel called tianrian.

From the chat channel we can see that the service is still being updated. Users should always look out for DDoS attacks and apply patches to vulnerable devices. Any organizations running unpatched Hikvision systems are urged to get the firmware update provided by the company.
Indicators of Compromise