A Massive Botnet of CCTV Cameras Involved In Ferocious DDoS Attacks

An anonymous reader writes: "A botnet of over 25,000 bots is at the heart of recent DDoS attacks that are ferociously attacking businesses across the world with massive Layer 7 DDoS attacks that are overwhelming Web servers, occupying their resources and eventually crashing websites," reports Softpedia. This botnet's particularity is the fact that attacks never fluctuated and the attackers managed to keep a steady rhythm. This is not a classic botnet of infected computers that go on and off, but of compromised CCTV systems that are always on and available for attacks. The brands of CCTV DVRs involved in these attacks are the same highlighted in a report by a security researcher this winter, who discovered a backdoor in the firmware of 70 different CCTV DVR vendors. These companies had bought unbranded DVRs from Chinese firm TVT. When informed of the firmware issues, TVT ignored the researcher and the issues were never fixed, leading to crooks creating this huge botnet.

Owned

by the Chinease. What's new?

Crowdfund

[matbury]

Can we crowd fund a DDoS attack on TVT? Any takers?

Re:Crowdfund

[SeattleLawGuy]

Can we crowd fund a DDoS attack on TVT? Any takers?

No. This is what diplomacy is for.

Re:Crowdfund

[Archangel+Michael]

Until some part of the Federal Government takes responsibility for stopping this crap it will continue

Why is it the responsibility of the government and not you?

Here is a thought. You (not you personally, but you the collective) have gone the route of buying the cheapest CCTV systems in the world, should be held civilly liable for their use and maintenence. This means, that if I can trace any part of a DDOS to your CCTV system, I can sue you and your corporation for damages. And so can everyone else affected by your hacked and damaged system.

Small claims courts are great for death by a million paper cuts. It would take about 5 or 6 well known cases of courts siding with those that have been damaged by rouge systems owned by corporations before EVER LAST ONE OF THEM is pulled from service, and replaced by new systems that are less vulnerable. We don't need new laws, we need the courts to start assigning damages to victims in such a way that it doesn't pay to leave crappy CCTV systems infected with botware up.

The corporations can then figure out how to recoup their losses from the Chinese.

Re:Crowdfund

[cusco]

Go look at the NVR or DVR in your employer's security center (if that's allowed). Can you tell who made it? Probably not. HikVision, Indigo, etc. don't make their own hardware, they contract it out. Possibly if you open the case you might see a label, but you might not. For a decade SuperMicro made all the DVRs for Lenel, and the only way you could tell is if you got into the password-protected BIOS. This issue was first discovered on an NVR from an Israeli company, would you automatically assume that a Chinese company actually built it?

Why do Libertarian solutions always require thundering herds of lawyers to implement?

IoCT

The Internet of Compromised Things strikes again. Vulnerability as a Service isn't just for luddites and apps anymore.

I'm curious

[Okian+Warrior]

So TVT, despite being chinks, are actually a bunch of big lipped stinking nasty chocolatey worthless nigger jigaboo porch monkeys!!

I'm curious.

Does anyone know why these posts keep appearing? It seems like there's one at the top of every discussion.

I can't imagine a real purpose for this.

Does anyone know what the goal or intent is? Can anyone explain how this benefits the poster in any way?

Re:I'm curious

No-one is a real person 'til you are 18, or even 21. Even then you may only be able to find 'junior' positions and pay.

There's fewer frontiers (and they get further away each year). Everything is owned. A pittance is set aside for shared use, in limited and proscribed ways.

If you are talented, focussed, hard working and lucky you may be able to make a mark, exert some influence on the world around you. For every one that makes it, there are dozens, hundreds that don't.

The social contracts and covenants are proving a lie except for a few. Small wonder, then, that posters like the GP rattle the bars, make a noise, troll for a reaction. How else do they know that they are alive?

There's no art to this. No bait on the hook of this troll. It's tired, unimaginative and so ordinary that even the transgressive elements barely elicit a reaction. It's dog-piss on a post - a pitiable attempt to mark territory and worth only pity or contempt - not for the content, but for the hand that wrote it.

Re:I'm curious

[JustAnotherOldGuy]

Does anyone know why these posts keep appearing?

Because some people have no life and just love to spew their nonsensical hatred.

Re:I'm curious

[eulernet]

I believed that the anonymous poster was very proud of his pangram and wrote a bot to spam Slashdot, but I just noticed that the X and Z letters were not used.

Re:I'm curious

[Archangel+Michael]

That is damn near poetic. Too bad you wrote it as and AC.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Once in a while is OK

[Okian+Warrior]

If you don't respond to it, then people browsing at >=1 will never know it exists. That is the good thing about this mod system. Plus, I don't think porch monkey is a racist term. My grandmother used to call me and my sister porch monkeys all the time.

Yeah - In that definition I'm probably a porch monkey as well. Similar to "couch potato".

I think a lot of people are responding "don't respond" as a reflex action from political correctness. That's fine, and we shouldn't respond, but...

It also prevents us from talking about it. I've noticed these in a *lot* of posts, they always seem to get first post, and they're blatantly garbage.

It doesn't hurt to start a discussion once-in-a-while, and I'm not promoting his view by quoting and asking "WTF?".

We have a lot of smart people on this forum, many of which know a fair bit about psychology (armchair or otherwise).

I'd be very interested to hear an [serious] analysis of the person that posts these things.

Re:Once in a while is OK

[TigerPlish]

Would you rather have APK? Or the appy app app LUDDITE guy?

Don't feed the trolls, don't even try to understand them.

For any The Amazing World of Gumball viewers, these appy app apk racial epithet types probably look and feel *just* like TAWOG's representation of the Internet: An old-school 1990's tan PC with CRT monitor living in a basement, surrounded by decades-old pizza debris, constantly hounded by his Mom.

If I were that, I'da tripped my own circuit breaker years ago.

Re:Once in a while is OK

[JustAnotherOldGuy]

Would you rather have APK? Or the appy app app LUDDITE guy?

No, and yes, in that order.

The APPY APP guy is just a clown, APK is a festering boil on the internet's anus.

Re:Once in a while is OK

[mink]

So I stopped coming to /. for like 6 years.
Is this what replaced goatse links and gnaa?

Re:Once in a while is OK

[JustAnotherOldGuy]

So I stopped coming to /. for like 6 years.
Is this what replaced goatse links and gnaa?

Pretty much, yeah.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Network Design Flaw

[rtb61]

A piece of hardware still provides that connection, from network to network. So why are those pieces of hardware designed to allow naughty unnecessary communications. There is no reason why that hardware should be capable of executing a DDOS attack, a simple timing issue, that should be hardware locked.

Re: Network Design Flaw

[JustAnotherOldGuy]

So why are those pieces of hardware designed to allow naughty unnecessary communications.

The problem is not that they're designed to allow naughty unnecessary communication, the problem is that they're not designed not to.

It's like designing a door with a knob but no lock- there was no thought given to keeping the bad guys out.

This is going to be a bigger and bigger problem with the advent of IoT crap (the Internet Of Trash).

Re: Network Design Flaw

The problem is that all these IoT things are being built conveniently using stock Linux kernels on top of cheap CPUs. This is general compute hardware in the most general sense - whole PCs serving really simple purposes. The reasons for this is simple; the skills required to assemble a kernel to perform a particular task are reasonably well known. There's lots of programmers around that can duct-tape together a system with these things.

These systems could be made much more secure if they could execute their operations from read-only memory. The problem is most places like to leave the door open for firmware updates in case they screwed up. The internet promised a lot of things with regards to the ability to upgrade and fix software after release but all it really did was drive down the risk of writing crap software. Companies respond to reduced risk by de-prioritizing said work. Ergo the net result of the internet has been to drive down software quality as a whole. And here we are, with shitty software aplenty.

The only people interested in patching a system that's already been sold are the malware authors - the vendor has long since shifted their product focus elsewhere. In time all devices will be compromised and that will be the effective running state of the whole Internet.

Re: Network Design Flaw

[Bert64]

Booting them from ROM would actually make things worse, since you'd not be able to upgrade them the vulnerable version would remain there until the device was trashed. Those launching attacks could just exploit vulnerabilities and load their code into RAM, the backdoor would be lost after a reboot but these devices rarely reboot anyway.

And the problem with these devices is pretty much always due to their own crappy code and not the existing linux code the devices are running.

The same problem occurs with small wireless routers, the stock firmware is crap but there are several open source replacement firmwares which are much better. We need an open source distribution for CCTV cameras that can replace the terrible stock firmware.

Re: Network Design Flaw

[Desler]

Yes, you can. You can flash ROM. It's done all the time.

Re: Network Design Flaw

[Tharkkun]

So why are those pieces of hardware designed to allow naughty unnecessary communications.

The problem is not that they're designed to allow naughty unnecessary communication, the problem is that they're not designed not to.

It's like designing a door with a knob but no lock- there was no thought given to keeping the bad guys out.

This is going to be a bigger and bigger problem with the advent of IoT crap (the Internet Of Trash).

So they have no firewall on their network to prevent un-authorized access from outside the building? I think that's the point he was trying to make. No one should be able to connect to and manipulate this device in the first place.

Re: Network Design Flaw

[JustAnotherOldGuy]

So they have no firewall on their network to prevent un-authorized access from outside the building? I think that's the point he was trying to make.

Of course not, this is Joe and Jane Sixpack we're talking about here. They buy it, they plug it in. The End. They wouldn't know a firewall if they tripped over one.

-

No one should be able to connect to and manipulate this device in the first place.

Oh I totally agree, and that was the point I was trying to make. These things are designed without even a passing thought to security, and they get hacked because 99.999999999% of consumers don't have any firewall in place, nor do they even know that they need one. (Or that such a thing even exists.)

In other words, they aren't designed to not be manipulated or hacked, therefore they will be.

Re: Network Design Flaw

[cusco]

this is Joe and Jane Sixpack we're talking about here. They buy it, they plug it in. The End.

Oh, no, it's considerably worse than that. Most security hardware installers will happily drop the customer's NVR on the Internet outside of the company firewall,and then proudly show the customer that they can now access the cameras on their frelling smartphone. I have been railing for years on LinkedIn and other venues the necessity of protecting security equipment from the network, to no avail. Installing and configuring a VPN isn't rocket surgery, but Joe Cable-Puller doesn't know or care what one even is.

BTW, I'm not talking about just small shops either, major security vendors to Fortune 500 companies are doing this at their smaller customers.

Time for a factory recall???

[davidwr]

Maybe it's time for the government to order a factory recall.

Re:Time for a factory recall???

[cusco]

It's China, a nice deposit in a regulator's bank account and any such order evaporates.

It's likely that TVT has no clue where all the devices even went, they sell to wholesalers who sell to wholesalers who sell to rebranders who sell to wholesalers who sell to retailers. Good luck tracking that down.

Re:It's time for software liability laws

[Hylandr]

I wonder how much money TFT is making by selling access to the Botnet they got other people to purchase and deploy for them.

TFT selling Botnet time.

[Hylandr]

I wonder how much money TFT is making by selling access to the Botnet they got other people to purchase and deploy for them.

Pretty ingenious really.

List of affected brands

Since it's buried 2-3 links in.

(Extra characters to get past slashdot's minimum characters per line filter. Who the hell thought it would be a good idea to make a filter which basically prohibits lists, and also prevents you from putting the padding out of the way at the end of the post? Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.)

Ademco
ATS Alarmes technolgy and ststems
Area1Protection
Avio
Black Hawk Security
Capture
China security systems
Cocktail Service
Cpsecured
CP PLUS
Digital Eye'z no website
Diote Service & Consulting
DVR Kapta
ELVOX
ET Vision
Extra Eye 4 U
eyemotion
EDS
Fujitron
Full HD 1080p
Gazer
Goldeye
Goldmaster
Grizzly
HD IViewer
Hi-View
Ipcom
IPOX
IR
ISC Illinois Security Cameras, Inc.
JFL Alarmes
Lince
LOT
Lux
Lynx Security
Magtec
Meriva Security
Multistar
Navaio
NoVus
Optivision
PARA V

Why are these cameras even connected to the net?

[timrod]

As someone who has some experience with CCTV DVRs, all of the DVRs I've worked with are the same: fanless computers with cases so thick they're practically mil-spec that get set up once and then immediately locked up in a room (to which only a handful of people on-site are allowed to have a key). The DVRs themselves are on an intranet with the cameras that has no outside internet access. The process works because no one can hack the network without physically being present in the building (at which point they'd be seen by security and likely arrested once the police are called) or launching a military-style assault on the room with the DVRs inside (at which point the company has far bigger problems than CCTV was designed to solve).

So, why are these even connected to the internet at all, especially if they're commercial DVRs?

Re:Why are these cameras even connected to the net

[Bert64]

All kinds of reasons...

Some people want to monitor the premises from a remote site...
Some companies want to centralise their cctv monitoring to save costs.
There is already an ethernet network present, cheaper than running separate cabling for ip cameras.

Re:Why are these cameras even connected to the net

[Desler]

So the cameras can be remotely monitored.

Insert free slashvertisment for Sucuri

[khz6955]

"US-based security vendor Sucuri discovered this botnet, very active in the last few weeks, and they say it's mainly composed of compromised CCTV systems from around the world.

Their first meeting with the botnet came when a jewelry shop that was facing a prolonged DDoS attack opted to move their website behind Sucuri's main product, its WAF (Web Application Firewall)."

Re:It's time for software liability laws

[Archangel+Michael]

The liability should be on those who purchase crappy IoT devices because they are "cheap". If they are compromised, they (the owners) should be sued into oblivion by those who are affected, and make the device owners go back to the manufacturer to recoup their losses. Right now, our legal system, the victim (the public DDOS recipient) has almost no way to recoup their losses from crappy products that have been hacked. These CCTV devices are on corporate networks, and as such they (the corporate networks) should be held liable for the damages being done from their IP domain.

Re:Why are these cameras even connected to the net

[Archangel+Michael]

All of those things can be provided, by proper IT.

Remote Monitoring - Virtual Desktop Infrastructure. Only systems inside the firewall can use the CCTV system, and VDI provides a way into the inside of the firewall. The CCTV system is on a non-routable VLAN that traffic cannot leave the premises. No hacking ,no DDOS no nothing.

Centralized Monitoring - VLANs and VPNs. By setting up proper VPNs and VLANs, you can properly isolate systems from the outside, while providing the same level of service (perhaps even better service) for properly maintaining a single central monitoring service. The issue here is that in order to do this, you have to have an IT dept that can articulate why it needs to isolate networks from each other properly.

Ethernet Present - Yup, and probably the swiching/routing needed to properly VLAN and VPN the whole thing so that you can use existing infrastructure to isolate traffic from each other on the same equipment. Cheap ass networking gear excepted.

Good IT is expensive, bad IT is costly.

CCTV DoS can be fun

[Megane]

Many years ago I worked at a major networking hardware manufacturer (one who should know their stuff, but somehow let this happen). This was maybe '04 or '05 or so. Seems they had installed some kind of security camera system that ran on a Windows platform. Like one per camera or maybe one per four cameras or something. And because it's all wrapped up as a product, you can't just stick McAfee on it. Yes, I know, what the ever loving fuck. They were deployed all over the company. Hooked up via gigabit Ethernet to the internal backbone. Along comes the latest Windows worm, and the cameras not only catch it, they blow out the entire company's network spewing packets all over the place as the worm tries to spread. It was bad enough to cause significant packet loss to the internet.

I also remember that from time to time some SMB worm thing would hit a printer when trying to spread, and those brillant HP printers would happily spew a new page ever time they saw an 0x0C. We actually had to replace one printer in my area because this broke it. (Extra large paper tray, of course.)

Re:Why are these cameras even connected to the net

[luis_a_espinal]

All of those things can be provided, by proper IT.

Remote Monitoring - Virtual Desktop Infrastructure. Only systems inside the firewall can use the CCTV system, and VDI provides a way into the inside of the firewall. The CCTV system is on a non-routable VLAN that traffic cannot leave the premises. No hacking ,no DDOS no nothing.

Centralized Monitoring - VLANs and VPNs. By setting up proper VPNs and VLANs, you can properly isolate systems from the outside, while providing the same level of service (perhaps even better service) for properly maintaining a single central monitoring service. The issue here is that in order to do this, you have to have an IT dept that can articulate why it needs to isolate networks from each other properly.

Ethernet Present - Yup, and probably the swiching/routing needed to properly VLAN and VPN the whole thing so that you can use existing infrastructure to isolate traffic from each other on the same equipment. Cheap ass networking gear excepted.

Good IT is expensive, bad IT is costly.

Well, I'm going to lose the mod points I provided, but what the heck.

The type of customer these products are targeted for - small businesses or homes - they do not have proper IT. Now, it is not a fault of these type of customers (to a degree). It is more the manufacturer's faults for not designing products that are *obviously* aimed that does not have dedicated/proper IT.

It should not be impossible to provide a COTS, drop-in CCTV solution that only connects from the cameras to the DVR and to pair the DVR to whatever device the customer wants to use for monitoring, with all other type of network access (local and public) restricted (expect maybe a way to "dial home" for updates.

Such a thing would never be 100% impervious to attacks, but it would be far safer than the current alternatives which are the evil cousins of open smtp relays.

Re:Why are these cameras even connected to the net

[Tharkkun]

All kinds of reasons...

Some people want to monitor the premises from a remote site... Some companies want to centralise their cctv monitoring to save costs. There is already an ethernet network present, cheaper than running separate cabling for ip cameras.

That still doesn't explain why it's insecure. VPN's are cheap. Install a router/firewall where you can VPN in and then manage from there.

Mind-numbingly Stupid That It's Even Possible

[EndlessNameless]

Why do CCTVs have outbound access to the internet at all?

If a CCTV feed really needs to leave the premises, that's what VPN is for.

Between the security and privacy issues, someone should be losing their job.

Re:Why are these cameras even connected to the net

[cusco]

I monitor cameras at sites in 21 countries on every continent but Africa and Antarctica (and we're going to drop a site in South Africa next year). **NOT ONE** is directly on the Internet. There is absolutely no reason for any of these NVRs to be on the Internet, except laziness by the installer and salescritters. I have been barking up this tree for years on LinkedIn, that a VPN is cheap and easy to install, and the vast majority of even professional security system installers who work with Fortune 500 customers will pay no attention at all. Their smaller customers want to click the link and have a camera come up, they don't want to click the VPN, wait for the secure connection to be established, and then open their camera.

With the coming Internet Of Things flood this is only going to get worse.