When you pass a surveillance camera, you assume it’s doing its one simple job – watching. But malware written specifically for DVR recorders used for surveillance has forced some machines to mine Bitcoin and pass the cryptocurrency to unknown gang masters.
As Wired points out, the low processing power of the Hikvision machines mean that they are very, very bad at mining Bitcoin.
“The low-powered ARM chip is one of the worst possible processors you could pick for the crypto-heavy calculations that make up bitcoin mining,” the magazine commented.
In previous attacks, criminals have focused on machines with enough number-crunching power to generate Bitcoin quickly. Gaming service ESEA admitted a rogue employee had added a Bitcoin miner to its game client, earning thousands of dollars via its use of gamers’ graphics cards, as reported by We Live Security here.
“After accessing a couple of the DVRs, we noticed that the malware was running on the DVR itself. Two pieces of malware typically ran: a customized version of minderd, the Bitcoin miner – [we] actually learned today that, in this case, it may mine Litecoin, not Bitcoin – [and] a piece of software called cmd.so, which initiated the scans for Synology devices that we observed before and that led us to investigate the DVR,” said Johannes Ulrich of SANS Technology Institute.
It’s not clear whether the DVRs were targeted as miners, or simply as a way to spread the malware – infected machines scan for others – and the infected machines all appeared to have a default password.
Ulrich writes, “Last week, we reported that some of the hosts scanning for port 5000 are DVRs (to be more precise: Hikvision DVRs, commonly used to record video from surveillance cameras. The compromisse of the DVR likely happened via an exposed telnet port and a default root password (12345). Analysis of the malware is still ongoing, and any help is appreciated.”
Virus Bulletin’s Martijn Grooten commented, “Kudos to camera DVRs hackers for finding something worse (i.e. very ineffective cryptocurrency mining) to use them for than surveillance.”
Ulrich In a Wednesday email correspondence, Ullrich told SCMagazine.com that the malware was discovered while emulating a Synology disk storage device in an investigation of recent scans for port 5000. He said a lot of the scans came from Hikvision DVRs.
Ullrich suggested that attackers are simply using the Telnet access – essentially a protocol used to access remote computers – because the compromised DVRs all appear to be in default configuration, meaning Telnet is exposed and the root password is set to default (12345).
Although the DVRs were observed looking for Synology disk storage devices, the video recording machines are not the only devices at risk.
“We found one Linux based router that was also affected,” Ullrich said in an interview with SC Magazine. “The larger picture here is that attackers move away from desktops as exploit targets as there are less vulnerable desktops out there. However, the number of badly protected devices is going up exponentially and they turn out to be very hard to patch and secure compared to desktops.”
David Harley, Senior Research Fellow at ESET, said of the earlier ESEA incident, “I remember a time when distributed processing was a pretty specialized area that was sometimes used for volunteer initiatives like SETI@home and various medical research projects.” .
“Along came malicious botnets that harnessed the capabilities of virtual networks for resource-intensive attacks like DDoS and captcha-breaking. I suppose it was inevitable that the bad guys would try harnessing the spare (and not so spare) processing capacity of victim machines as a way of exploiting the much-abused Bitcoin currency.”
Previous ESET stories featuring abuses of Bitcoin can be found here.
Author Rob Waugh, We Live Security