“Starting from August 30, 2019, 360Netlab Threat Detection System has flagged multiple attack groups using LILIN DVR 0-day vulnerabilities to spread Chalubo
The LILIN zero-day vulnerability is the chain of parts issues:
The zero-day flaw could allow attackers to modify a DVR’s configuration file and inject backdoor commands when the FTP or NTP server configurations are synchronized. Below the attack chain
According to Netlab, NTP time synchronization (NTPUpdate) process doesn’t check for special characters in the server passed as input, allowing attackers to inject and run commands.
The new firmware released by the vendors validated the hostname passed as input to prevent command execution.
“LILIN users should check and update their device firmwares in a timely fashion, and strong login credentials for the device should be enforced.” Netlab concludes.
“The relevant malicious IPs, URLs and domains should be blocked and investigated on
Netlab researchers also included the Indicators of Compromise (IoCs) in their report.