Command injection vulnerability in Hikvision cameras leaves critical infrastructure sector vulnerable to hackers

New research from Cyfirma has detected multiple instances of hackers looking to collaborate on exploiting Hikvision cameras using the command injection vulnerability globally. As per the sample analyzed, thousands of vulnerable Hikvision cameras are still in use, which cybercriminals could exploit across the critical infrastructure sector.

“Specifically in the Russian forums, we have observed leaked credentials of Hikvision camera products available for sale,” Cyfirma said in its research. “These can be leveraged by hackers to gain access to the devices and exploit further the path of attack to target an organization’s environment.”

Cyfirma researchers have observed multiple open ports that appear to be in use by Hikvision cameras across a sample of about 285,000 devices as of last month. The firm said that over 100 countries were affected across more than 2,300 organizations. Additionally, over 450 non-standard ports were exposed, which could serve as an initial access vector for cybercriminals.

Hikvision is a state-owned Chinese manufacturer and supplier of video surveillance equipment for civilian and military purposes, headquartered in Hangzhou, Zhejiang. The company delivers industrial IoT sensor technologies and is active across the critical infrastructure sector.

The researchers disclosed that every hacker group could potentially exploit vulnerabilities in these devices, although any specific cybercriminal group using these cannot be isolated at this stage. “However, we have reasons to believe that – Chinese threat groups such as MISSION2025/APT41, APT10 and its affiliates, as well as unknown Russian threat actor groups could potentially exploit vulnerabilities in these devices to fulfil their motives (which may include specific geo-political considerations),” they added.

Drawing a parallel with earlier indicators, the Cyfirma research team has for a year been observing a hacker group running a cyberespionage campaign called ‘think pocket’ that exploits a popular connectivity product. The campaign targeted industries including telecommunication and infrastructure, energy production and supply, defense, government, research, automobile, manufacturing, ICT, and trading. The geographies targeted by the group included the U.S., Japan, Philippines, Taiwan, the U.K., Thailand, Australia, and India.

In another instance, unknown Russian hacker groups were observed launching a cyber-attack campaign exploiting 1512 routers. Industries targeted by the campaign include chemical and large manufacturing, fertilizer and tire, electronic product equipment, healthcare, shipping and transportation, polymer and fiber. The affected geographies, among other countries, included France, Germany, Ukraine, Japan, Indonesia, the U.K., India, the U.S., Latvia, and Taiwan.

Cyfirma researchers said that from an external threat landscape management (ETLM) perspective, cybercriminals from countries that may not have a cordial relationship with other nations could use the vulnerable Hikvision camera products to launch geopolitically motivated cyber warfare. “Cyber criminals and state-sponsored hacker groups could easily collaborate using this avenue as an opportunity for mutual gains and to further their interests.”

Cyfirma said that given the current geopolitical-driven cyberwarfare brewing worldwide, the company suspects an uptick in cyberattacks from various nation-state threat actors on various sectors, including critical infrastructure, state entities, and defense organizations. Open vulnerabilities and ports in such devices will only compound the impact on targeted organizations and their countries’ economic and state prowess. Therefore, it is paramount to patch the vulnerable software of the Hikvision camera products to the latest version. Additionally, organizations need to adopt an ETLM-powered risk-based approach to cybersecurity decision-making to minimize possible exposures and threats coming their way.

Commenting on the Cyfirma disclosure, Paul Bischoff, privacy advocate with Comparitech, said in an emailed statement that IoT devices like cameras aren’t always as easy or straightforward to secure. “Updates are not automatic; users need to manually download and install them, and many users might never get the message. Furthermore, IoT devices might not give users any indication that they’re unsecured or out of date.”

“Hackers can easily find devices running vulnerable firmware or software using an IoT search engine like Shodan,” Bischoff said. “From there, they can hijack the devices to enlist them as part of a botnet, mine cryptocurrency, or launch further attacks through the camera’s network. In this case, the problem is exacerbated by the fact that Hikvision cameras come with one of a few predetermined passwords out of the box, and many users don’t change these default passwords,” he added.

“Exploits like those being used to take over Hikvision cameras rely on users not setting strong passwords or using the default passwords out of the box,” Chris Hauk, consumer privacy champion at Pixel Privacy, said in an emailed statement. “Users should always update their cameras and other IoT devices with the latest firmware, set a secure password, and in corporate cases, keep their IoT devices isolated from their main network.”

Last September, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced the presence of another critical command injection vulnerability in the web server of some Hikvision cameras. Due to insufficient input validation, an attacker can potentially exploit the vulnerability to launch a command injection attack by sending a specially crafted message with malicious commands.
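To make the "insufficient input validation" point concrete from a defender's side, the added example below (not Hikvision's code; the `/diag` endpoint and `host` parameter are assumptions) contrasts a handler that splices a request parameter into a shell string with one that validates it strictly, and runs a simple check over constructed access-log lines to flag parameters carrying shell metacharacters.

```python
"""Command injection in an embedded web handler: vulnerable vs. validated.

Added example, not Hikvision code. The '/diag' endpoint and 'host'
parameter are assumptions; the real vulnerable handler is not on the page.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Characters that change command structure when a shell parses the string.
SHELL_META = re.compile(r"[;&|`$<>\n\\]")

# Request target inside a common-log-format access line.
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed sample log: one benign request and two with encoded metacharacters.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /diag?host=192.168.1.10 HTTP/1.1" 200 64
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /diag?host=192.168.1.10%3Bid HTTP/1.1" 200 17
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /diag?host=192.168.1.10%26%26whoami HTTP/1.1" 200 17
"""


def build_command_vulnerable(host: str) -> str:
    # Insufficient validation: the parameter is spliced into a shell string,
    # so any metacharacter in it becomes part of the command structure.
    return f"ping -c 1 {host}"


def build_command_validated(host: str):
    # Strict validation: only a literal IP address is accepted, and the result
    # is an argv list for subprocess.run(..., shell=False), never a shell string.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return None
    return ["ping", "-c", "1", host]


def suspicious_requests(log_text: str):
    """Return (path, param, decoded value) for query values holding shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        for name, values in parse_qs(parts.query).items():
            for value in values:  # parse_qs percent-decodes, so %3B becomes ';'
                if SHELL_META.search(value):
                    hits.append((parts.path, name, value))
    return hits
```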
