
Attackers Exploit LILIN DVR Zero-Day Vulnerabilities to Spread Three Different Botnets

  • The campaign was observed to be active from August 2019 until the vendor finally patched the vulnerabilities in February 2020.
  • Chalubo was the first botnet to abuse the NTPUpdate vulnerability to take over LILIN DVRs starting late August last year. 

Zero-day vulnerabilities in LILIN video recorders have been widely abused to spread at least three botnets, namely Chalubo, FBot, and Moobot. The campaign was observed to be active from August 2019 until the vendor finally patched the vulnerabilities in February 2020.

What are the LILIN zero-day flaws?
As described by the Netlab team, the LILIN zero-day flaw is a chain of vulnerabilities that makes use of hard-coded login credentials (root/icatch99, report/8Jg0SR8K50), potentially granting attackers the ability to modify a DVR’s configuration file and inject backdoor commands when the FTP or NTP server configurations are synchronized.

Netlab says that Chalubo was the first botnet to abuse the NTPUpdate vulnerability to take over LILIN DVRs starting late August last year. 

Exploitation of the second and third zero-days became active in January this year with the FBot botnet operators. Two weeks later, the Moobot botnet operators began abusing the second zero-day to spread the botnet.

The motive for exploiting the zero-days is still unclear. However, the past attacks from these botnets highlight that they are primarily used to perform DDoS attacks on websites and DNS services. 

How to stay safe?
LILIN, the vendor, has issued patches for the vulnerabilities. LILIN users should check and update their device firmware to prevent their devices from being attacked. Additionally, strong credentials should be enforced on the devices to make it difficult for botnets to compromise them.
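
A defender-side check for the configuration tampering described above, as an added example that is not from Netlab, LILIN or the original article: it flags FTP/NTP server fields in an exported configuration whose value is anything other than a bare hostname or IP address. The `key=value` layout and the field names `ntp_server` and `ftp_server` are assumptions, as is the premise that injected commands show up as extra characters in those fields.

```python
import ipaddress
import re

# Hypothetical names for the server-address fields of an exported DVR
# configuration; the article does not describe the real file layout.
SERVER_FIELDS = ("ntp_server", "ftp_server")

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")


def is_plain_host(value: str) -> bool:
    """True if value is only an IP address or a hostname, nothing more."""
    if len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
        return True
    except ValueError:
        return _HOSTNAME.fullmatch(value) is not None


def audit_config(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, field, value) for each suspicious server field."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        key, sep, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        # Unset fields are skipped; any other non-host value is reported.
        if sep and key in SERVER_FIELDS and value and not is_plain_host(value):
            findings.append((lineno, key, value))
    return findings


# Constructed sample export, not taken from a real device.
SAMPLE = """\
device_name=lobby-dvr
ntp_server=pool.ntp.org
ftp_server=192.0.2.10
ntp_server=time.example.net;<injected command placeholder>
ftp_server=$(placeholder)
"""

if __name__ == "__main__":
    for lineno, field, value in audit_config(SAMPLE):
        print(f"line {lineno}: {field} is not a plain host: {value!r}")
```
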
Cyware Publisher