Tens of thousands of login passwords of DVRs from a Chinese maker have been reported compromised, after a security researcher found these credentials indexed in a search engine.
Ankit Anubhav, a principal researcher at Newsky Security, a cybersecurity firm focused on IoT devices, discovered these passwords cached inside search results on ZoomEye, an IoT search engine. His further investigation led him to Dahua DVRs running outdated firmware, leaving them vulnerable to a flaw disclosed five years ago.
The vulnerability he profiled was CVE-2013-6117, which security researcher Jake Reynolds first unearthed on his own Dahua DVR back in 2013. It was fixed the same year, but it apparently persists because some devices were never updated.
So CVE-2013-6117 = just connect to port 37777 to get the creds, which are stored in plaintext. But the attackers do not even need to write code to connect to the port, as they can log in to a public scanner like ZoomEye, which stores the output of requests on its website, and dump it. pic.twitter.com/M2MyYJ16D9
— Ankit Anubhav (@ankit_anubhav) July 12, 2018
According to a Bleeping Computer report, the number of vulnerable Dahua devices is off the charts, reaching up to 30,000 based on their own research. The website found almost 15,800 Dahua devices with a password of "admin", more than 14,000 with a password of "123456", and more than 600 with a password of "password". These are just three query terms, which means more devices could be at risk.
As Anubhav has explained, an attacker exploiting CVE-2013-6117 can open a raw TCP connection to port 37777 on these devices and send a specially crafted payload. Once a device receives it, it returns the DDNS credentials and other data in cleartext, giving the attacker access to the device.
Anubhav tried to reach out to ZoomEye but had not received a response at press time. Even more worrying is that new devices are still being indexed on the search engine.
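One defensive check that follows from this description: a DVR that is reachable on TCP/37777 from the Internet is exposed to exactly this kind of credential harvesting, so perimeter logs should be watched for allowed inbound sessions to that port. The following is an added example written for this page, not code from the article or the researcher; the log format and the addresses are constructed, and the TEST-NET ranges stand in for Internet sources.

```python
import ipaddress
import re

# Constructed sample firewall log lines (not from the article), in a
# generic "timestamp host ACTION proto src:port -> dst:port" layout.
SAMPLE_LOGS = """\
2018-07-12T10:01:02Z fw ALLOW tcp 203.0.113.7:51234 -> 192.168.1.50:37777
2018-07-12T10:01:05Z fw ALLOW tcp 192.168.1.20:40000 -> 192.168.1.50:37777
2018-07-12T10:02:11Z fw ALLOW tcp 198.51.100.9:60001 -> 192.168.1.50:37777
2018-07-12T10:02:40Z fw ALLOW tcp 203.0.113.7:51300 -> 192.168.1.50:80
2018-07-12T10:03:00Z fw DENY  tcp 203.0.113.8:52000 -> 192.168.1.51:37777
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ALLOW|DENY)\s+(?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

DAHUA_DVR_PORT = 37777  # TCP service the article says leaks credentials

# RFC 1918 ranges are treated as internal; anything else counts as Internet.
# (ipaddress.is_global would classify the TEST-NET sample sources as
# non-global, so membership is checked explicitly instead.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_exposed_dvr_sessions(log_text):
    """Return (timestamp, src, dst) for allowed TCP sessions from external
    addresses to port 37777; each one is a DVR reachable for harvesting."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["action"] == "ALLOW" and rec["proto"] == "tcp"
                and int(rec["dport"]) == DAHUA_DVR_PORT
                and is_external(rec["src"])):
            hits.append((rec["ts"], rec["src"], rec["dst"]))
    return hits
```

Run against the sample, only the two allowed sessions from external sources to port 37777 are reported; the internal connection, the port 80 session and the denied attempt are ignored.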
"Fresh devices keep on being added on ZoomEye, so even if Janitor [the BrickerBot author] bricked some in past, this issue still persists as ZoomEye currently lists recently added devices," Anubhav said.
ZoomEye is yet to comment on the matter.