Experts at 360Netlab observed the Fbot bot infecting a large number of HiSilicon DVR/NVR SoC devices.
Since February 16, 2019, security experts at 360Netlab have observed a large number of HiSilicon DVR/NVR SoC devices infected with an updated version of the Fbot bot.
The Fbot malware was first discovered by 360Netlab researchers. According to the experts, the root cause might be a specific OEM application running on top of the HiSilicon devices.
By scanning the Internet for IP banner information, the experts identified the infected device models, which appear to belong to the HiSilicon DVR/NVR SoC device family. The experts observed only a few different camera brands, as many camera manufacturers OEM the HiSilicon DVR/NVR SoC device.
The experts discovered a total of 24528 infected IP addresses worldwide.
Fbot implements a multi-stage infection process. The experts were able to analyze Fbot samples and some payloads, but they announced the capture of the key exploit payload only while I was writing this post.
The experts pointed out that the attackers exploited the weak security implementation of the vendor's DVRIP protocol. The attackers set up a telnet backdoor and inject the Fbot bot into the target devices.
“First, the device that is infected with Fbot scans TCP: 80, 81, 88, 8000, 8080 ports by issuing basic HTTP requests. When a target device returns the matching characteristics, Fbot will report the IP and port to its Reporter (185.61.138.13:6565).” reads the analysis published by 360Netlab.
“After that, Fbot Loader (126.96.36.199) logs in to the target device web port through the device default password “admin/empty password”. If the target device responds, Fbot Loader uses the device default password “admin/tlJwpbo6” to log in to the dvrip port. (TCP: 34567).”
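The scan, report and login sequence quoted above lends itself to network-side detection. The following Python script is an added example, not 360Netlab's or the device vendor's code: it walks a few constructed connection-log lines (the log format is assumed for this example) and flags an internal host probing the Fbot port set, contact with the reporter address 185.61.138.13:6565, connections from the loader address 126.96.36.199, and any external source reaching the DVRIP port 34567. The local network range and the `min_scan_ports` threshold are assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict

# Indicators taken from the 360Netlab analysis quoted above
FBOT_SCAN_PORTS = {80, 81, 88, 8000, 8080}   # ports an infected device probes
FBOT_REPORTER = ("185.61.138.13", 6565)       # where scan hits are reported
FBOT_LOADER_IP = "126.96.36.199"              # host that logs into found devices
DVRIP_PORT = 34567                            # vendor DVRIP service port

# Constructed sample log for this example, one TCP connection per line:
#   <timestamp> <src_ip> -> <dst_ip>:<dst_port>
SAMPLE_LOG = """\
2019-02-17T10:00:01 192.168.1.20 -> 203.0.113.5:80
2019-02-17T10:00:01 192.168.1.20 -> 203.0.113.5:81
2019-02-17T10:00:02 192.168.1.20 -> 203.0.113.5:88
2019-02-17T10:00:02 192.168.1.20 -> 203.0.113.5:8000
2019-02-17T10:00:03 192.168.1.20 -> 203.0.113.5:8080
2019-02-17T10:00:04 192.168.1.20 -> 185.61.138.13:6565
2019-02-17T10:00:30 126.96.36.199 -> 192.168.1.21:8080
2019-02-17T10:00:31 126.96.36.199 -> 192.168.1.21:34567
2019-02-17T10:01:00 192.168.1.30 -> 203.0.113.9:443
"""


def parse_line(line):
    """Parse one log line (assumed format) into a dict; None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "->":
        return None
    ts, src, _, dst = parts
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "src": src, "dst_ip": dst_ip, "dst_port": int(dst_port)}


def analyze(lines, local_net="192.168.1.0/24", min_scan_ports=4):
    """Return a list of findings, each a dict with 'kind', 'host' and 'detail'.

    local_net and min_scan_ports are assumed values for this example.
    """
    local = ipaddress.ip_network(local_net)
    findings = []
    probed_ports = defaultdict(set)  # internal src -> Fbot scan ports it touched
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst_ip, port = rec["src"], rec["dst_ip"], rec["dst_port"]
        src_is_local = ipaddress.ip_address(src) in local
        # 1. An internal host contacting the Fbot reporter endpoint
        if (dst_ip, port) == FBOT_REPORTER:
            findings.append({"kind": "reporter_contact", "host": src, "detail": rec["ts"]})
        # 2. The Fbot loader connecting to one of our hosts
        if src == FBOT_LOADER_IP:
            findings.append({"kind": "loader_contact", "host": dst_ip, "detail": port})
        # 3. Anything outside the local network reaching the DVRIP port
        if port == DVRIP_PORT and not src_is_local:
            findings.append({"kind": "external_dvrip_access", "host": dst_ip, "detail": src})
        # Collect Fbot scan ports touched by internal hosts for the heuristic below
        if port in FBOT_SCAN_PORTS and src_is_local:
            probed_ports[src].add(port)
    # 4. An internal host that probed most of the Fbot port set
    for src, ports in probed_ports.items():
        if len(ports) >= min_scan_ports:
            findings.append({"kind": "fbot_style_scan", "host": src, "detail": sorted(ports)})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding["kind"], finding["host"], finding["detail"])
```

The scan heuristic counts distinct ports from the Fbot set per internal source rather than per destination, so an ordinary browser reaching 80 and 8080 on many sites stays below the threshold while a device walking 80, 81, 88, 8000 and 8080 trips it; the threshold and the indicator addresses should be tuned to the environment and to current reporting, since the reporter and loader hosts can change between campaigns.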
By fuzz testing, the researchers were able to obtain the Fbot Downloader sample and the Fbot download URL.
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker at EC-Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".