What if you were to discover that the face of Big Brother in 2016, CCTV cameras, were under the control of hackers and were being used to bring down websites in Distributed Denial of Service (DDoS) attacks?
That Orwellian nightmare is actually now true, with a security firm discovering a network of over 25,000 CCTV cameras doing exactly that.
Sucuri, Inc. made the discovery when investigating an attack against an ordinary jewelry store that was flooded offline after constantly receiving 35,000 junk HTTP requests per second over a period of a number of days. When Sucuri attempted to thwart the attack, the botnet actually upped its output and dumped more than 50,000 HTTP requests per second on the store’s website.
“Since this type of long-duration DDoS is not so common, we decided to dive into what the attackers were doing, and to our surprise, they were leveraging only IoT (Internet of Things) CCTV devices as the source of their attack botnet,” the company said in a blog post.
Researchers a Sucuri queried a number of the boxes participating in the DDoS attack and found that all of them were running a “Cross Web Server” that had a default web page called “DVR Components.” Further investigation found that the malicious IPs also contained the company logos of resellers of CCTV services and the common thread was that all the devices were running a Unix-based set of utility tools called BusyBox.
To hide their identities the malicious devices were cloaking themselves to appear, as they were, common user agents such as web browsers, and also displayed false referral data showing they’d most recently come from sites including Google and USA Today.
Infected CCTV installs were found in 104 countries, with the Taiwan topping the list with 24 percent of IP addresses, followed by the United States with 12 percent, Indonesia with 9 percent, Mexico with 9 percent and Malaysia with 6 percent.
Sucuri said there was nothing web site owners could do to get the 25,000+ CCTVs fixed and protected, however, they do encourage online camera users or vendors to make sure their systems are fully patched and isolated from the internet.
“We are in the process of reaching out to the networks that have these unprotected and compromised cameras, but that’s just one small piece of the problem,” the company noted. “Once the cameras are patched, the attackers will find other easily hacked devices for their botnets.”