At least three botnet operators have secretly exploited three zero-day vulnerabilities in LILIN digital video recorders (DVRs) for more than six months before the vendor finally patched the bugs last month, in February 2020.
Digital video recorders are devices installed on company networks that aggregate video feeds from local CCTV or IP camera systems and record it on various types of storage systems, like HDDs, SSDs, USB flash drives, or SD memory cards.
In a blog post published yesterday, the Netlab team at Chinese security firm Qihoo 360 said it detected three botnets utilizing zero-days in LILIN DVRs.
- A vulnerability in the NTPUpdate process lets attackers inject and run system commands
- Through the use of one of two hardcoded credentials (root/icatch99 and report/8Jg0SR8K50) an attacker can retrieve and modify a DVR's config file, and then execute commands on the device when the FTP (File Transfer Protocol) server configuration is periodically synchronized.
- Similar to above, but via the NTP (Network Time Protocol) service.