NVR Receiving Cyber Attack?

Parasense

Feb 18, 2024
Hello Friends

We have 2 units of Dahua DH-NVR616R-64-4K. It was monitored externally via static IP. I changed the default ports very recently and there was no problem for a long time. But when I open it to external monitoring for a while, the device goes offline via SmartPSS in the local environment. When I close the device to external monitoring, this problem does not occur. I evaluate that the device went offline after a cyber attack attempt.

1. How can I know if the device has been attacked? (I scanned with netstat in the NVR Unix environment but I could not find a foreign IP.)
2. How can I prevent it other than port switching? (Users other than the admin account are completely passive. If I disable some services in the Unix environment, will it be a problem?)

Firmware version of NVRs
NVR: Dahua DH-NVR616R-64
System Version: 3.210.0003.0, Build Date: 2016-07-14

Regards Thank you
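
For question 1 above: a single netstat run shows only the connections open at that moment, so it helps to save the output at intervals and filter it. The following is an added example, not part of the original post, that lists peers outside the local ranges from saved `netstat -tn` text; the sample lines, addresses and ports are constructed, and the column layout is assumed to match the NVR's netstat.

```python
import ipaddress
from collections import Counter

# Constructed sample in `netstat -tn` layout. Addresses and ports are
# made-up values (public peers use RFC 5737 documentation ranges).
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:37777           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.108:37777     192.168.1.20:51544      ESTABLISHED
tcp        0      0 192.168.1.108:37777     203.0.113.45:40112      SYN_RECV
tcp        0      0 192.168.1.108:37777     203.0.113.45:40113      SYN_RECV
tcp        0      0 192.168.1.108:80        198.51.100.7:55210      ESTABLISHED
tcp        0      0 127.0.0.1:5000          127.0.0.1:41000         ESTABLISHED
"""

# Ranges treated as local: RFC 1918, loopback, link-local, IPv6 local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]


def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def external_peers(netstat_text):
    """Count TCP sockets per (remote_ip, local_port, state) for non-local peers."""
    hits = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header or non-TCP line
        local, foreign, state = fields[3], fields[4], fields[5]
        if state == "LISTEN":
            continue  # listening sockets have no peer
        try:
            remote_ip = foreign.rsplit(":", 1)[0]
            local_port = int(local.rsplit(":", 1)[1])
            if is_local(remote_ip):
                continue
        except (ValueError, IndexError):
            continue  # wildcard or unparsable address
        hits[(remote_ip, local_port, state)] += 1
    return hits


if __name__ == "__main__":
    for (ip, port, state), n in external_peers(SAMPLE).most_common():
        print(f"{ip} -> local port {port} {state} x{n}")
```

Run it over output captured while the recorder is reachable from outside; the same external address appearing in many `SYN_RECV` or short-lived entries is worth comparing against the times the device drops offline.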
 
Welcome!

Lesson #1: Exposing devices and services directly to the public internet is an invitation to be hacked/compromised. Full stop.

If you suspect your NVR was compromised:

1. Disable UPnP in both your router/firewall and NVR
2. Disable any manual port forwards in your router/firewall
3. Factory reset and install latest firmware on NVR
4. Host your own VPN service on or behind your router/firewall. (OpenVPN, WireGuard, Tailscale, IPSec, etc.)
 
Thanks for starting with great lesson #1 :)


1. UPnP is disabled on the router and NVR.
2. If I turn off port forwarding, how can I perform remote monitoring?
3. I doubt the firmware versions on the Dahua NVR; actually, maybe I can do a factory reset.
(Or is it OK if I disable the users running in the background by establishing a connection through the terminal?)
4. Unfortunately we have a simple modem in our structure. We have no firewall device. Maybe I can use the IPSec feature of the modem (there must be a problem on the Dahua side; there is an attempt to attack the Unix system and it disables itself).

The way to make a Dahua NVR externally traceable should not be so difficult.
 
You do remote monitoring the way he mentioned in step #4.


 
@wittaj; Thank you, I will look into it in detail.

@elvisimprsntr;

You are absolutely right, we are victims. But we have a Hikvision device on the same IP; I think it cannot be attacked,
so there is no downtime. I think Unix and old firmware are victimizing us. I will look at the situation after an upgrade.

Thanks.
 
Unix and old firmware isn't the issue - these devices are known to have vulnerabilities and backdoor exploits and cameras with brand new current firmware still get hacked. Getting them off the internet is the only way.

Hikvision can be attacked if given internet access. ANY camera can be hacked - even high end AXIS - they are known for not being secure. Kinda ironic isn't it...

Two posts from just this week:


 
Be careful updating that recorder to later versions of firmware; I have observed many get bricked. Update in stages and do not apply the latest straight out.
 
Unix and old firmware isn't the issue - these devices are known to have vulnerabilities and backdoor exploits and cameras with brand new current firmware still get hacked. Getting them off the internet is the only way.

Hikvision can be attacked if given internet access. ANY camera can be hacked - even high end AXIS - they are known for not being secure. Kinda ironic isn't it...

Two posts from just this week:



Thanks for the answer.
I absolutely agree. It's not just the firmware that's the problem here. Some security measures need to be taken in general.
At least basic security should be established. As you mentioned, every day a vulnerability is published and it messes up the system.



Be careful updating that recorder to later versions of firmware; I have observed many get bricked. Update in stages and do not apply the latest straight out.


I never thought of it that way. But I was worried about it; I see that the latest version has been released on the site.
How should I proceed for previous sub-versions? For example, if the current version is 2.0 and there is a 2.5, should I upgrade to 2.5 first and then to 3.0?

Thanks.