CYFIRMA security researchers have found more than 80,000 cameras made by the Chinese manufacturer Hikvision that are still exposed to a critical command injection vulnerability: an attacker can run commands on the device by sending specially crafted messages to its vulnerable web server.
The vulnerability is tracked as CVE-2021-36260; Hikvision fixed it with a firmware update in September 2021.
According to the new study, tens of thousands of these systems, used by 2,300 organizations in 100 countries, have still not received the security update.
Two public exploits for CVE-2021-36260 are known, one published in October 2021 and the other in February 2022, so attackers of every skill level can find and exploit vulnerable cameras.
In December 2021, a Mirai-based botnet called Moobot used an exploit for the flaw to propagate aggressively and enlist compromised cameras for DDoS (distributed denial of service) attacks.
In January 2022, CISA listed CVE-2021-36260 among actively exploited vulnerabilities, warning organizations that attackers could "take control" of affected devices.
CYFIRMA reports that access to corporate networks is frequently sold on Russian-language hacker forums, with compromised Hikvision cameras serving as the entry point, to be used either for botnets or for lateral movement inside the perimeter. The company analyzed a sample of 285,000 Internet-connected Hikvision web servers and identified 80,000 vulnerable cameras.
Most of them are in China and the United States, while Vietnam, the UK, Ukraine, Thailand, South Africa, France, the Netherlands and Romania each have more than 2,000 vulnerable endpoints.
CYFIRMA also points to cyber espionage cases involving the Chinese groups APT41 and APT10, as well as Russian hackers. As an example, it cites a campaign called "think pocket", which since August 2021 has targeted a popular communications product used across industries worldwide.
Besides the command injection vulnerability, there is the problem of weak passwords: users set them for convenience, or the devices ship with default credentials that are never changed during initial setup.
Bleeping Computer found several lists, some shared for free on clearnet hacker forums, containing credentials for live video feeds from Hikvision cameras.
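The two exposures the article describes, firmware that predates the September 2021 fix and default or weak credentials, are the things a defender needs to find in their own fleet. The following is an added triage example written for this page (it is not CYFIRMA's, Hikvision's or Bleeping Computer's code). It assumes an asset inventory in CSV form, a firmware string of the form "V5.5.0 build 210915" where the six digits after "build" are a YYMMDD build date, and a small weak-password list; the sample rows, the password list and the date cut-off are constructed assumptions, not data from the article.

```python
"""Triage a camera inventory for pre-fix Hikvision firmware and weak credentials.

Editor-written example, not vendor or researcher code. The inventory rows,
the firmware-string layout and the weak-password list are assumptions.
"""
import csv
import io
import re
from datetime import date

# Assumption: Hikvision shipped the fix in September 2021, so any build dated
# before this month is treated as needing the update. This is a conservative
# date heuristic, not a substitute for the vendor's per-model fixed-version list.
FIX_DATE = date(2021, 9, 1)

# Constructed weak/default credential list; extend it from your own sources.
WEAK_PASSWORDS = {"", "12345", "123456", "admin", "password", "hikvision"}

# Assumed version-string layout, e.g. "V5.5.0 build 210915" -> 2021-09-15.
_BUILD_RE = re.compile(r"build\s+(\d{2})(\d{2})(\d{2})", re.IGNORECASE)

# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = """ip,vendor,firmware,password,internet_exposed
10.0.0.11,Hikvision,V5.5.0 build 210629,12345,yes
10.0.0.12,Hikvision,V5.5.0 build 211020,Xk9!vq2Lm,no
10.0.0.13,Hikvision,,admin,yes
10.0.0.14,Dahua,V2.800 build 200101,admin,no
"""


def firmware_build_date(version):
    """Return the build date embedded in a firmware string, or None if absent or invalid."""
    m = _BUILD_RE.search(version or "")
    if not m:
        return None
    yy, mm, dd = (int(x) for x in m.groups())
    try:
        return date(2000 + yy, mm, dd)
    except ValueError:  # e.g. month 13: treat as unknown rather than guessing
        return None


def load_inventory(csv_text):
    """Parse CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def triage(rows):
    """Return [(ip, sorted issue tags)] for every row with at least one finding.

    Firmware age is only judged for Hikvision devices; an unparseable firmware
    string is reported as 'firmware-unknown' so it is reviewed rather than
    silently passed. Weak credentials and Internet exposure are checked for all.
    """
    findings = []
    for r in rows:
        issues = []
        if (r.get("vendor") or "").strip().lower() == "hikvision":
            built = firmware_build_date(r.get("firmware"))
            if built is None:
                issues.append("firmware-unknown")
            elif built < FIX_DATE:
                issues.append("unpatched-CVE-2021-36260")
        if (r.get("password") or "") in WEAK_PASSWORDS:
            issues.append("weak-credential")
        if (r.get("internet_exposed") or "").strip().lower() in ("1", "true", "yes"):
            issues.append("internet-exposed")
        if issues:
            findings.append((r["ip"], sorted(issues)))
    return findings


def run_sample():
    """Triage the constructed sample inventory."""
    return triage(load_inventory(SAMPLE_INVENTORY))


if __name__ == "__main__":
    for ip, issues in run_sample():
        print(ip, ", ".join(issues))
```

The build-date heuristic is deliberately conservative: a device whose firmware string cannot be parsed is flagged for review rather than assumed patched, and the cut-off is the month of the fix, so a build from earlier in 2021 is always reported. Confirm any hit against Hikvision's advisory, which names the affected models and fixed versions, before closing it out.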
In March of this year, it emerged that Wyze, a maker of smart home devices, had known about a vulnerability in its equipment for three years without attempting to fix it. The flaw, found in WyzeCam v1 surveillance cameras, allowed hackers to spy on other people's homes over the Internet.