Multiple vulnerabilities in LILIN CCTV cameras have attracted the attention of hackers. The zero-day bugs are currently under active exploitation, so affected devices need immediate patching.
LILIN CCTV Cameras Zero-Day
Researchers from 360Netlab Threat Detection System have found many hackers attempting to exploit zero-day vulnerabilities in LILIN CCTV cameras.
As described in their blog post, hackers are actively exploiting the vulnerability to spread Chalubo, FBot, and Moobot botnets. With regard to the vulnerabilities, the researchers stated,
"The LILIN 0-day vulnerability is made of 3 parts: hard-coded login credentials, /z/zbin/dvr_box command injection vulnerabilities and /z/zbin/net_html.cgi arbitrary file reading vulnerabilities. /z/zbin/dvr_box provides Web services, and its web interface /dvr/cmd and /cn/cmd have a command injection vulnerability. The injected parameters have been: NTPUpdate, FTP, and NTP."
Patch Rolled Out
The researchers first found the active exploitation of these zero-day vulnerabilities in August 2019. At that time, they found the attackers exploiting the bugs when spreading Chalubo. Then, beginning this year, they also noticed the cybercriminals targeting systems with FBot and Moobot by exploiting the flaws.
Consequently, after repeated prompts sent to the vendor, LILIN eventually patched the flaws with the release of firmware 2.0b60_20200207. The vendor has marked these vulnerabilities as critical with a CVSS score of 10.0. As stated in its advisory, the detected vulnerabilities include:
- DDoS attacks to other Internet devices.
- Telnet gets opened by HTML CGI command.
- PPPoE gets changed to DHCP.
- Fixed host name injection issue for accessing NTP, FTP, DDNS, and MAIL servers.
The affected products include DHD516A, DHD508A, DHD504A, DHD316A, DHD308A, DHD304A, DHD204, DHD204A, DHD208, DHD208A, DHD216, DHD216A.
Users of all affected devices must ensure they update to the respective 2.0b1_20200122 firmware to stay protected from any attacks.
In case the update isn't available to a user, the vendor advises disconnecting the vulnerable DVR from the internet.
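To check whether a DVR is still being reached from outside while it waits for the update, the following added example (not code from the researchers or the vendor) scans gateway or reverse-proxy access logs for requests to the interfaces named in the researchers' description and reports those that do not come from the management network. The combined log format, the 10.20.0.0/24 management subnet, the URL location of net_html.cgi and the sample records are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# URL paths the researchers name for the dvr_box command interface.
CMD_PATHS = {"/dvr/cmd", "/cn/cmd"}
# Assumption: the file-read CGI is served under a URL ending in its file name.
CGI_NAME = "net_html.cgi"
# Assumption: only this management subnet should reach the DVR web interface.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Combined-log-format prefix: client, timestamp, method, URL, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def classify(url):
    """Normalise the request path and name the interface it hits, if any."""
    path = re.sub(r"/+", "/", unquote(url.split("?", 1)[0])).lower()
    if path.rstrip("/") in CMD_PATHS:
        return path.rstrip("/"), "dvr_box command interface"
    if path.endswith("/" + CGI_NAME):
        return path, "net_html.cgi"
    return None

def triage(lines):
    """Map each non-management client to its requests for the watched paths."""
    findings = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an access-log record
        client, when, method, url, status = m.groups()
        hit = classify(url)
        try:
            ip = ipaddress.ip_address(client)
        except ValueError:
            continue  # client field is a hostname; resolve upstream if needed
        if hit and not any(ip in net for net in MGMT_NETS):
            findings[client].append((when, method, hit[0], int(status), hit[1]))
    return dict(findings)

# Constructed sample records (documentation address ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2020:03:14:07 +0000] "POST /dvr/cmd HTTP/1.1" 200 512',
    '10.20.0.5 - - [12/Mar/2020:08:00:01 +0000] "POST /dvr/cmd HTTP/1.1" 200 498',
    '198.51.100.23 - - [12/Mar/2020:03:15:44 +0000] "GET /z/zbin/net_html.cgi HTTP/1.1" 200 2048',
    '203.0.113.7 - - [12/Mar/2020:03:14:09 +0000] "POST /cn/cmd HTTP/1.1" 401 0',
    '198.51.100.23 - - [12/Mar/2020:03:16:00 +0000] "GET /index.html HTTP/1.1" 200 900',
]
```

Any client returned by `triage` is a source that reached the vulnerable interfaces from outside the management network, which means the device is still exposed and should be isolated until patched.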