LIFARS Insights: 0-day Flaws in LILIN IP cameras and DVRs exploited in the wild

The rise in IoT devices is something that hackers are increasingly looking to exploit. There will be approximately 25 billion IoT connections by 2025, according to Gartner. Experts agree the attack surface will grow as more organizations encourage work-from-home policies.

According to the researchers (360Netlab), LILIN DVRs are vulnerable to attacks due to default credentials and hardcoded passwords. They are also affected by the command-injection vulnerability. Researchers detected three botnets utilizing 0-days in LILIN DVRs.

The first botnet to exploit one of the flaws was the Chalubo botnet, abusing a vulnerability in the NTPUpdate process, which lets attackers inject and run system commands.

The second one was the FBot botnet, abusing two hardcoded credentials:  root/icatch99 and report/8Jg0SR8K50 to retrieve and modify DVR’s config file, and then execute commands on the device, when the File Transfer Protocol (FTP) server configuration is synchronized.  FBot botnet used also Network Time Protocol (NTP) service to execute commands.

The last one – Moobot botnet was abusing hardcoded credentials as the FBot botnet.

360Netlab suggests LILIN users check and update their device firmware (version 2.0b60_20200207 fixes the vulnerability) in a timely fashion, and strong login credentials for the device should be enforced. The relevant malicious IPs, URLs, and domains should be blocked and investigated on users’ network.