Security Flaws Allow Attackers to Hijack 400 Axis Camera Models

Axis Communications, one of the largest manufacturers of video surveillance equipment in the world, has fixed critical security flaws that affect some 390 of its network camera models.

The vulnerabilities were found by researchers from IoT security firm VDOO as part of a research project called Vizavis that focuses on safety and security products. The researchers found seven vulnerabilities ranging from authorization bypass to unrestricted dbus access, shell command injection and information leakage.

“Chaining three of the reported vulnerabilities together allows an unauthenticated remote attacker that has access to the camera login page through the network (without any previous access to the camera or credentials to the camera) to fully control the affected camera,” the VDOO researchers said in a blog post.

A successful exploit allows hackers to access the camera’s video stream, freeze the video stream, move the camera lens, turn motion detection on and off, add the camera to a botnet, alter the camera’s software and render the device useless.

As with most compromised IoT devices, infected cameras can be used as a pivot point for lateral movement inside local networks or can be used to launch DDoS attacks, mine cryptocurrency, proxy malicious traffic and more.

Because attackers don’t require any credentials to compromise the cameras, those that are exposed directly to the internet, for example through port forwarding rules, are at higher risk of being compromised, Axis said in an advisory.

The company recommends updating the camera firmware to the latest version and isolating the device from the internet, especially since the company provides a free application called AXIS Companion for Windows, Android and iOS that allows accessing the camera video feed securely.

“Optionally apply IP filtering (which uses IP tables internally) in the devices to whitelist authorized clients,” the company said. “This mitigates risk for newly discovered vulnerabilities as well as the risk for compromised passwords.”
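As an added illustration of the IP-filtering mitigation Axis describes (example code written here, not Axis firmware or the article's own), the script below builds an iptables allowlist of the kind a gateway in front of a camera would enforce: only the listed clients reach the camera's HTTP/HTTPS/RTSP ports, everything else is logged and dropped. The camera address, ports and client list are constructed assumptions (RFC 5737 test ranges).

```shell
#!/bin/sh
# Added example: iptables allowlist for a network camera, in the spirit of
# the "IP filtering" mitigation quoted above. Not the vendor's own rules.
# Assumptions (all constructed): camera at 192.0.2.10, services on TCP
# 80/443 (web UI/API) and 554 (RTSP), authorized clients in ALLOWED_CLIENTS.

CAMERA_IP="${CAMERA_IP:-192.0.2.10}"
CAMERA_PORTS="${CAMERA_PORTS:-80,443,554}"
ALLOWED_CLIENTS="${ALLOWED_CLIENTS:-192.0.2.20 192.0.2.32/28}"

# build_rules prints the iptables commands instead of running them, so the
# ruleset can be reviewed (or tested) before it touches a live firewall.
build_rules() {
  # dedicated chain so the camera policy can be reloaded on its own
  echo "iptables -N CAMERA_ACL"
  echo "iptables -F CAMERA_ACL"
  for client in $ALLOWED_CLIENTS; do
    echo "iptables -A CAMERA_ACL -s $client -j ACCEPT"
  done
  # rate-limited log, then drop: the log line is what a SOC alerts on,
  # and it also reveals a compromised or misconfigured host probing the camera
  echo "iptables -A CAMERA_ACL -m limit --limit 5/min -j LOG --log-prefix \"CAMERA_ACL drop: \""
  echo "iptables -A CAMERA_ACL -j DROP"
  # hook: traffic forwarded to the camera's service ports goes through the chain
  echo "iptables -A FORWARD -d $CAMERA_IP -p tcp -m multiport --dports $CAMERA_PORTS -j CAMERA_ACL"
}

# apply_rules executes the generated commands; requires root on the gateway.
apply_rules() { build_rules | sh; }

# count_accept_rules returns the number of allowlist entries in the ruleset,
# a quick sanity check that the client list was parsed as intended.
count_accept_rules() { build_rules | grep -c -- '-j ACCEPT'; }
```

Run `build_rules` to review the output, then `apply_rules` on the gateway; a port-forwarding rule that exposes the camera to the internet should be removed rather than filtered, as the advisory itself recommends.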

Axis also published a document listing all camera models affected by these vulnerabilities along with the corresponding firmware version that contains patches for them. It’s really important for users to update the firmware because VDOO’s blog post contains sufficient technical details and proof-of-concept code for attackers to create exploits.

Malware programs that target embedded devices such as IP cameras, NAS boxes and routers have grown both in number and sophistication over the past few years, with IoT botnets being responsible for many of the DDoS attacks seen on the internet.

6-Year-Old Adware Used Signed Rootkit to Fly Under the Radar

A massive adware operation capable of intercepting HTTPS communications in browsers and injecting ads into websites has flown under the radar by using a digitally signed rootkit that blocks anti-malware products from running correctly.

The adware is dubbed Zacinlo and has multiple components, some of them dating back to at least 2012, according to a paper by researchers from Bitdefender. However, the campaign was most active toward the end of 2017.

The vast majority of the detections were in the United States, but samples were also found in France, Germany, Brazil, China, India, Indonesia and the Philippines. Surprisingly, almost 90 percent of detections were on computers running Windows 10, highlighting this malware’s ability to bypass the latest anti-rootkit defenses built into Windows.

The rootkit driver was signed with digital certificates that were expired at the time of discovery but had been issued to entities with names suggesting they were based in China. Once installed on a system, the rootkit searches for anti-malware modules from security products by Bitdefender, Qihoo, Kingsoft, Malwarebytes, Symantec, Panda, HitmanPro, Avast, AVG, Microsoft, Kaspersky, Emsisoft and Zemana, and blocks them from starting.

“The user-mode component that will later download and start the payload is started by the driver so that it leaves very few traces behind: a copy is made in another location and a process is created from the copied file,” the Bitdefender researchers said in their paper. “After the process is started, the copied file is overwritten with zeros. As a result, the user-mode component has no apparent persistence on the system and even its file leaves no forensic evidence.”

The adware program gets installed along with legitimate software and has a lot of functionality implemented by different components. In addition to executing man-in-the-browser attacks, it can disable other adware running on the system, it can receive instructions to uninstall and delete services, it collects information about the system and reports it back to the command-and-control server, it takes screenshots of the desktop compromising the user’s privacy, it can install additional software, it receives automatic updates, it redirects pages in browsers, it injects ads into web pages, it opens pages in the background and interacts with them and more.

The adware is specifically designed for advertising fraud, earning money by tricking advertising companies into thinking that real users viewed and clicked on their ads.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42