An exploit for AVTech DVR, NVR and IP Cameras was discovered in October 2016 after the released of an advisory by Security Evaluation Analysis and Research Laboratory.
14 Vulnerabilities was discovered in firmware of AVTECH DVR, NVR, IP Cameras and other devices of the AVTECH CCTV manufacturer.
These vulnerabilities include
- Plaintext Storage of Administrative Password
- Missing CSRF protection
- Unauthenticated information disclosure
- Unauthenticated SSRF in DVR Devices
- Unauthenticated command injected in DVR devices
- Authentication bypass #1 & #2
- Unauthenticated file download from web root
- Login captcha bypass #1 & #2
- Https used without certificate verification
- Three other kinds of authenticated command injection vulnerabilities
Elitelands, an expert malware group, had designed a botnet that capitalised on these vulnerabilities to perform DDoS attacks, steal information, spam and grating ownself access to the attacked device. The hackers claimed that he does not intend to use this botnet to particularly carry out such attacks but rather to warn people of the capabilities such vulnerabilities exploits posed.
Just like recent Hide ‘N Seek botnet which worked to hacked AVTECH devices, this new botnet named “Death” aims to do the same with a better design code.
The intentions of EliteLands were revealed by NewSky Security’s researcher, Ankit Anubhav as “The Death botnet has not attacked anything major yet but I know it will. The Death botnet purpose was originally just to DDoS, but I have a greater plan on it soon. I don’t really use it for attacks, only to get customers aware of the power it has.”
As of 2017 March, AVTECH had came forward to work with SEARCH-Lab to improve the security systems on their devices. Firmware updates were sent out to patch some of the issues on the newer devices, but a large number of vulnerabilities remains. Older EOL AVTECH devices firmware remains unpatched by the AVTECH Manufacturer till today and there’s no plans to release any updated firmware for the older AVTECH Devices which remains connected to the internet.
Death Botnet works to exploit the remaining vulnerabilities to access the CCTV network of AVTech and its IoT devices, putting users of the brand’s products at high risk. The particular vulnerability that makes this all possible is the command injection vulnerability in the devices, making them read passwords as shell command. Anubhav explained that EliteLands uses burner accounts to execute payload on devices and infect them, and according to him, over 130,000 AVTech devices were vulnerable to exploit previously and 1200 such devices can still be hacked using this mechanism.
In June 2018, AVTech came out with a security bulletin warning users of the risk of these attacks and recommending that users change passwords. However, this is not a solution. Prior firmware updates from the company have worked to reduce the number of exploitable vulnerabilities but further such updates are required to entirely mitigate the risk posed. (http://220.127.116.11/e_news/Security/security_a.html)
However, upgraded firmwares are only available to newer model of the AVTECH devices and older models still remains vulnerable.
It’s highly recommended that customer remove access from the Internet to AVTECH Devices, reload the firmware (if possible), reset the device to factory default and reconfigure the DVR again to flush the firmware of possible malware infection.
If you require internet viewing, do it vie a VPN connection to your site if you are using AVTECH DVR. If you expose the DVR to the internet after flushing the malware, it’ll most likely get infected and hacked again.
Note that flushing of firmware is only possible for the newer model with updated firmware from AVTECH.