what the heck is Hikvision trying to do loading software to my hard drive when I haven't installed any...

'Moobot' Botnet Targets Hikvision Devices via Recent Vulnerability
By Ionut Arghire on December 09, 2021


A Mirai-based botnet dubbed 'Moobot' is attempting to exploit a recently addressed vulnerability that affects many Hikvision products, according to Fortinet’s FortiGuard Labs.
Tracked as CVE-2021-36260 and affecting over 70 cameras and NVRs from Hikvision, the critical-severity bug can be exploited to gain root access and completely take over vulnerable devices, without any form of user interaction.
Hikvision released patches for the vulnerability on September 18 and, shortly after, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) alerted organizations, urging them to apply the fixes immediately.
Now, Fortinet warns that attackers are attempting to exploit the vulnerability to deploy various payloads that allow them to probe devices or extract sensitive data.
Among them, Fortinet security researchers identified a downloader that attempts to drop the Mirai-based Moobot malware onto vulnerable appliances. The threat was designed to ensnare devices into a botnet capable of launching distributed denial-of-service (DDoS) attacks.
The malware’s analysis revealed elements from Satori, another botnet based on the Mirai code, as well as an attempt to hide its malicious process on the infected device.
Once it has retrieved a command and control (C&C) server address from its configuration, the threat sends out heartbeat packets, and then waits to receive commands from the server. Based on these commands, it can launch DDoS attacks on specific IP addresses and port numbers.
The received command also specifies the flood method that should be used in the attack. Moobot supports SYN, UDP, ACK, and ACK+PUSH floods.
Fortinet researchers were able to identify the Telegram channel “tianrian” as being employed for offering a DDoS service. Created in June 2021, the channel started the service in August and continues to operate.
“CVE-2021-36260 is a critical vulnerability that makes Hikvision products a target for Moobot. Although a patch has been released to address this vulnerability, this IoT botnet will never stop looking for a vulnerable endpoint. Because of this, users should upgrade affected devices immediately,” Fortinet concludes.
MOO..Turns your system into a dead cow.
 
You must be Miss Congeniality on your customer service crew; either that or you live in NJ.

I do try and buy my cameras from the site sponsors, and I like Andy; he seems to be right on top of these things.
Start over:
1) Unregister BI.
2) Do a clean install of Windows 10.
3) Install the latest stable version of BI.
4) Manually redefine your cameras.

It is recommended that you set up a dual NIC configuration so the cameras cannot see the internet.
They are targeting you. You know too much. Be afraid. Be very afraid. I would get the tin foil hat on asap and go off grid for a few months.


You must be the FBI agent that the flight instructor called to report that he had Muslim students who only wanted to learn how to fly a plane and not land it, or the agent that told the security company that the Orlando nightclub shooter was OK to possess firearms, or perhaps you were piloting the Titanic when the forward observer said "there is an iceberg ahead".
 
Yes. I am. In fact this entire site is run by the FBI. Google honeypot. We inject code into your network. Wiping your PC won't help. Make sure you toss your router.
I tossed it, but it hit a grumpy old man who was playing a Fender bass upside down and left-handed. Plugged the router back in and it is full of Glowies.
Somehow your cameras are still connected to the internet. I agree with others, start over fresh and make sure there is no connection.

We had a member here recently who kept having dropped signals. In addition to finding out that his PoE switch was underpowered, after much insistence by several of us that he draw out a network topology diagram, and after his hesitancy to do so, once he finally did he found out that yes indeed his cameras were provided internet access two ways: one, he had a cable from his "non-internet" switch connected to his router, and two, he had two IP subnets assigned to his 2nd NIC, an IP on the "non-internet" network as well as an IP on his internet network.
 
Can someone say... Wireshark, to get all your answers?
Is it safe? I might be confusing it with another program, but don't you have to be an IT guru to understand what you are looking at?
 
Sad day indeed but I agree with @fenderman

From what you’ve posted you’re trying to blame anybody and everybody but ultimately it is all down to you to both diagnose, investigate and then take corrective actions, if needed.

I currently work for a major bank in the UK and we get notified of all CVE notices which we examine and then decide if there is a direct or indirect impact then plan a course of action.

With your original popup, has that now been resolved, and have you checked to see if your cams have access to the internet? Also don't forget that a plug-in install request can originate from the cam when you log on to it, but that doesn't necessarily mean that the cam has internet access or that the manufacturer is trying to slyly install something onto your PC.
The other PC had the same warning 2 hours ago; I just refused to allow the update.
Wireshark is a diagnostic tool. Watch a YouTube video or two and learn the basics. Anything IP related can be seen, diagnosed, and troubleshot with this tool.
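To put the Wireshark suggestion into practice, here is an added example (not from any poster in this thread) that scans a packet list exported from a capture on the camera NIC and reports every camera that reached an address outside the private ranges, which is exactly the kind of leak the topology story above describes. The camera subnet, the export format and the packet lines are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the shape of a simple Wireshark/tshark field export,
# one packet per line: "src_ip dst_ip proto dst_port". Not a real capture.
SAMPLE_PACKETS = """\
192.168.2.11 192.168.2.2 tcp 554
192.168.2.11 192.168.2.1 udp 53
192.168.2.11 203.0.113.45 tcp 443
192.168.2.12 192.168.2.2 tcp 8000
192.168.2.12 198.51.100.7 udp 123
192.168.2.12 239.255.255.250 udp 1900
10.0.0.5 203.0.113.45 tcp 443
192.168.2.11 203.0.113.45 tcp 443
"""

# Assumed layout: cameras live on 192.168.2.0/24 behind the BI PC's second NIC.
CAMERA_SUBNET = ipaddress.ip_network("192.168.2.0/24")

# Destinations a camera may legitimately reach: RFC 1918, link-local,
# loopback and multicast. Anything else means a route to the outside exists.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8", "224.0.0.0/4")]

def is_outside(ip: str) -> bool:
    """True when the address is not in any LOCAL_NETWORKS range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETWORKS)

def find_camera_egress(packet_text: str, camera_subnet=CAMERA_SUBNET):
    """Map each camera IP to {(dst_ip, proto, dst_port): packet_count} for
    traffic it sent to outside addresses. An empty dict means no leak seen."""
    egress = defaultdict(lambda: defaultdict(int))
    for line in packet_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        src, dst, proto, port = fields
        if ipaddress.ip_address(src) in camera_subnet and is_outside(dst):
            egress[src][(dst, proto, int(port))] += 1
    return {cam: dict(flows) for cam, flows in egress.items()}

if __name__ == "__main__":
    for cam, flows in find_camera_egress(SAMPLE_PACKETS).items():
        for (dst, proto, port), n in sorted(flows.items()):
            print(f"{cam} -> {dst} {proto}/{port}: {n} packet(s)")
```

Run it against a real export (e.g. tshark with the same four fields) taken on the camera NIC while the cameras are booting; any output line names a camera that still has a path to the outside.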
well... Wireshark was created by an odd sort of people. Which you already know:
Caption Sum Ting Wong
Wi Tu Lo
Ho Lee Fuk
gotta watch out for these guys!
It is not safe. Nothing is safe. Your DVD drive is not safe. Your PC case is not safe. It's all a conspiracy.
I had the same thing after my fresh install before I changed the NIC properties. Looks like the Hik cams are phoning home on an open network the minute you turn on internet access. Haven't had it re-occur after separating the cam NIC from the rest of the network.
Google Dahua and security vulnerabilities.

Every camera brand has vulnerabilities, some of which don't get fixed for years. This is why most people in the know deny their cameras internet access by putting them on a 2nd network card with a gateway address that doesn't correspond to any known network, thus isolating them from being able to connect to the internet or talk to any other network physically connected to the BI PC.

The other trouble with internet access is the possibility of cameras updating firmware themselves, and the risks of updating firmware are not dissimilar to updating the BIOS on a motherboard, i.e. if it goes wrong you're FUBARED.

Cameras will die over time. Work through the necessary troubleshooting steps on each one to see if they're recoverable, in case some setting or change is responsible, and if they've got internet access get them on a 2nd NIC. If they're more than 5 years old it could just be age. Try standing outside in the heat, cold, rain, snow and wind for 5 years continuously and see how well you're working at the end of it.

Somehow, I have a sneaking feeling you're probably port forwarding as well....
I agree everything has its issues, and if it is connected it can be hacked. That being said, one of the reasons I have been buying Dahua from Andy is he makes things right and very quickly, whereas I had a Hikvision speed dome from another vendor on here, and while it was still under warranty it malfunctioned and I was told too bad, so sad. That was a 1k mistake, but it seems to be the attitude of Hikvision unless you have it installed by their dealer.