A small business grows and adds a new location and receives the following regarding the inherited Spectrum account:

Have you ever received such a notice or know someone who has?

We were able to work with them and started an external scan based on the IP address and guess what we found? There was existing connected equipment still in the building.

(the IP address was moved for privacy purposes)

We found open ports that were exposed externally. There was no additional firewall or router outside of the Spectrum modem/router. This type of configuration is common. Why were the ports open? Someone manually opened these ports to have access to the cameras remotely. After a bit of research during the scan we found the following:

All of the ports led to the Hikvision NVR and this device was hacked!!! The firmware version was 3.0.4.130819 and had not been updated in over 10 years. BusyBox is a toolset that was added to the camera operating system. Newer Hikvision systems make sure that it is no longer available, and Telnet is no longer an option either.

It is also worth keeping this notice from the FCC in mind: FCC Bans Authorizations for Devices That Pose National Security Threat.

“The Report and Order applies to future authorizations of equipment identified on the Covered List published by the FCC’s Public Safety and Homeland Security Bureau pursuant to the Secure and Trusted Communications Networks Act of 2019. The new rules prohibit the authorization of equipment through the FCC’s Certification process, and makes clear that such equipment cannot be authorized under the Supplier’s Declaration of Conformity process or be imported or marketed under rules that allow exemption from an equipment authorization. The Covered List (which lists both equipment and services) currently includes communications equipment produced by Huawei Technologies, ZTE Corporation, Hytera Communications, Hangzhou Hikvision Digital Technology, and Dahua Technology (and their subsidiaries and affiliates). The new rules implement the directive in the Secure Equipment Act of 2021, signed into law by President Biden last November, that requires the Commission to adopt such rules.”

With permission, we were able to perform an internal scan, and it became scarier when we saw how bad it was. There were active inbound/outbound connections using Telnet (port 23) and FTP (port 21).

File Transfer Protocol is used to download, upload and transfer files from one location to another over the internet and between computers.

Telnet is a way to connect to a device remotely and there were many remote connections. In a 24-hour period over 2.4 million inbound/outbound connection attempts were made to/from countries such as Russia, China, Bulgaria, Fiji, Argentina, Kuwait, Brazil, Colombia, Seychelles, Vietnam, Pakistan, Hong Kong, Bosnia & Herzegovina, and many more.
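The kind of tally described above can be reproduced from exported firewall or flow records. The following is an added example, not code or data from the original investigation: it counts Telnet and FTP connections that cross the network boundary, grouped by internal device and direction. The record layout, the 192.168.1.0/24 range and every address in the sample are constructed assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

RISKY_PORTS = {21: "FTP", 23: "Telnet"}       # the two services named in the article
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed internal range

# Constructed sample records: time,src_ip,src_port,dst_ip,dst_port
SAMPLE_FLOWS = """\
2024-01-01T00:00:01,203.0.113.7,51544,192.168.1.64,23
2024-01-01T00:00:02,192.168.1.64,40112,198.51.100.9,23
2024-01-01T00:00:02,192.168.1.64,40113,198.51.100.10,23
2024-01-01T00:00:03,192.168.1.20,50222,198.51.100.80,443
2024-01-01T00:00:04,203.0.113.8,40000,192.168.1.64,21
2024-01-01T00:00:05,192.168.1.20,50300,192.168.1.64,23
malformed line
"""

def summarize(flow_text, lan=LAN):
    """Count Telnet/FTP flows that cross the LAN boundary, per internal host."""
    hits = defaultdict(Counter)
    skipped = 0
    for line in flow_text.splitlines():
        try:
            _, src, _, dst, dport = line.strip().split(",")
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:
            skipped += 1          # wrong field count, bad IP or bad port
            continue
        if dport not in RISKY_PORTS:
            continue
        src_in, dst_in = src_ip in lan, dst_ip in lan
        if src_in == dst_in:
            continue              # internal-only or external-only: no boundary crossing
        host = dst if dst_in else src
        direction = "inbound" if dst_in else "outbound"
        hits[host][f"{direction} {RISKY_PORTS[dport]}"] += 1
    return {h: dict(c) for h, c in hits.items()}, skipped

if __name__ == "__main__":
    report, skipped = summarize(SAMPLE_FLOWS)
    for host, counts in report.items():
        print(host, counts)
    print("unparsed lines:", skipped)
```

A recorder that shows outbound Telnet in this report is initiating connections it has no business making, which is a stronger sign of compromise than inbound attempts alone.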

To add something more, the camera system is on the same network as everything else that is used for work. Do you see the problem? Could other devices on the network be affected? Yes, they would also be at risk.

Would this scare you? Most have no idea what is happening on their network because they have no way to gain the visibility. Now this owner knows what was not known at first and has the opportunity to do something about it.

You may be thinking that if they are making the newer cameras more secure there should not be an issue, right?

The problem is not entirely with the vendor. Who is responsible for keeping the device updated?

Let’s compare it with a vehicle. You buy a new vehicle and who is responsible for the maintenance and upkeep of the vehicle? The current owner or lessee is still responsible for changing the oil, refueling, checking the tires, the coolant and other levels. If one does not, it is negligence, and the owner is to blame.

The owner needs to keep the firmware updated and is responsible for keeping the device secure by deciding whether ports will be opened:

  • should there be a firewall?
  • should the camera be isolated on its own network?
  • will the password be strong and unique for each user?

Cameras are not the only IoT (Internet of Things) devices on the network. Some of them use UPnP (Universal Plug and Play). This makes setup easier because you do not have to open a port yourself; it is done automatically because the connection is made from the inside out. These can be picked up during an internal and external scan.

This compromised DVR/NVR is best replaced, with tighter security controls implemented. We will help the owner to do just that.

Do you know what is on your network, using your internet connection? Most have no idea till someone tells them. In fact, most never know of a compromise until they see something on their screen or someone tells them.

We can provide you with insight into what you don’t know so that you can make an informed risk-based decision. Then you will be able to answer the question, what’s on your network?

You will know for that point in time 😊

Contact us to get a non-intrusive network scan so that you can gain insight into your business network. Starting at $149