The alert notes that tens of thousands of TBK DVRs available under several brands, publicly accessible PoC code, and an easy-to-exploit flaw make this issue an attractive target for attackers. The recent increase in IPS detections demonstrates that attackers continue to favor network camera devices as their targets.
DVRs are a crucial component of security surveillance systems because they store and record the video that cameras capture. According to the website for TBK Vision, its products are used by banks, governmental agencies, the retail sector, and other businesses.
Because they hold sensitive security footage, these DVR servers are typically placed on internal networks to prevent unwanted access to the recorded video. That placement also makes them appealing to threat actors, who can use them to gain initial access to business networks and steal information.
Hacking attempts on TBK DVR devices have recently increased, according to Fortinet’s FortiGuard Labs, with threat actors using a publicly accessible proof-of-concept (PoC) exploit to target a server vulnerability.
The weakness, identified as CVE-2018-9995, is a significant (CVSS v3: 9.8) flaw that allows attackers to circumvent device authentication and obtain access to the vulnerable network.
Vulnerable TBK DVR devices respond to a maliciously constructed HTTP cookie by returning admin credentials in the form of JSON data.
According to a Fortinet security alert, a remote attacker may be able to use this issue to bypass authentication and obtain administrative rights, eventually gaining access to camera video feeds.
The TBK DVR4104 and TBK DVR4216, as well as rebranded versions of these machines sold under the Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR brands, are affected by the vulnerability. Fortinet estimates that as of April 2023, there had been over 50,000 attempts to hack TBK DVR devices.
Fortinet claims that the fact that there are thousands of different manufacturers of TBK DVRs, public PoC code, and an easy-to-exploit flaw make this vulnerability a prime target for attackers. The recent increase in IPS detections demonstrates that attackers continue to favor network camera equipment as a target.
Fortinet regrettably is not aware of any security updates to fix CVE-2018-9995. In order to prevent unauthorized access, it is advised to either replace the vulnerable surveillance systems with modern, actively supported ones or disconnect them from the internet.
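With no patch available, a compensating control is to alert on the response side of the bypass: a DVR returning JSON that contains credential fields to a client with no authenticated session. The following is an added example, not code from Fortinet or TBK; the log field names, asset addresses, internal range, credential key names and sample records are all assumptions constructed for illustration.

```python
import ipaddress
import json

# Assumptions for this example: asset list, internal range and key names.
DVR_ASSETS = {"10.20.0.15", "10.20.0.16"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
CREDENTIAL_KEYS = {"pwd", "pass", "passwd", "password"}

# Constructed response body and sensor records (not real device output).
CREDS_BODY = '{"users":[{"name":"admin","pwd":"REDACTED"}]}'
FIELDS = ("src", "dst", "session_authenticated", "status", "resp_body")
_ROWS = [
    ("203.0.113.44", "10.20.0.15", False, 200, CREDS_BODY),
    ("10.20.5.9", "10.20.0.15", True, 200, CREDS_BODY),
    ("203.0.113.44", "10.20.0.16", False, 200, "<html>login</html>"),
    ("10.20.5.77", "10.20.0.16", False, 200, CREDS_BODY),
    ("198.51.100.7", "10.20.0.80", False, 200, '{"status":"ok"}'),
]
SAMPLE_LOG = "\n".join(json.dumps(dict(zip(FIELDS, r))) for r in _ROWS)


def has_credential_key(node):
    """Recursively look for a credential-like key in decoded JSON."""
    if isinstance(node, dict):
        return any(k.lower() in CREDENTIAL_KEYS or has_credential_key(v)
                   for k, v in node.items())
    if isinstance(node, list):
        return any(has_credential_key(v) for v in node)
    return False


def find_credential_disclosures(log_text):
    """Return alerts for DVR responses that leak credentials without a session."""
    alerts = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            body = json.loads(rec["resp_body"])
        except (ValueError, KeyError, TypeError):
            continue  # malformed record or non-JSON body such as a login page
        if rec.get("dst") not in DVR_ASSETS or rec.get("session_authenticated"):
            continue  # not a DVR, or an admin legitimately listing users
        if rec.get("status") == 200 and has_credential_key(body):
            src = ipaddress.ip_address(rec["src"])
            external = not any(src in net for net in INTERNAL_NETS)
            alerts.append({"src": rec["src"], "dst": rec["dst"],
                           "severity": "critical" if external else "high"})
    return alerts
```

An alert with an external source also shows that the recorder is reachable from the internet, which is the exposure the advice above says to remove.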
CVE-2016-20016 (CVSS v3: 9.8, “critical”) is a remote code execution vulnerability affecting MVPower TV-7104HE and TV-7108HE DVRs that enables attackers to execute unauthenticated commands by sending erroneous HTTP requests. This old weakness is also experiencing an “outbreak” of exploitation.
Fortinet has lately observed indications of rising malicious activity utilizing this vulnerability, despite the fact that it has been exploited since 2017. Unfortunately, the vendor has not yet provided a patch to address the issue in this instance either.
Conclusion
According to Fortinet experts, a five-year-old vulnerability in TBK’s DVR camera system (CVE-2018-9995) was exploited in April 2023. The high-severity flaw is caused by an error in how the camera handles a malicious HTTP cookie. This issue allows a remote attacker to circumvent authentication and get administrator capabilities, allowing camera video stream access. In an Outbreak Alert published Monday, Fortinet reported a rise of more than 50,000 attempted attacks on these machines with unique IPS (intrusion prevention system) detections last month. The company uses this form of advisory to alert the cybersecurity industry about incidents that could impact many enterprises.
The notice was issued because a patch for the 2018 vulnerability may not yet be available. The company advised organizations to check installed CCTV camera systems and related equipment for vulnerable types. According to TBK’s website, 600,000 cameras, 50,000 CCTV recorders, and 300,000 accessories are placed worldwide in banking, retail, government, and other industries, making the vulnerability’s attack surface particularly large.
The notification adds that tens of thousands of TBK DVRs under multiple brands, publicly available PoC code, and an easy-to-exploit vulnerability make this vulnerability a target for attackers. Attackers still target network cameras, as shown by the latest IPS detection spike. Organizations often forget to patch internet-facing equipment like webcams. Patching (or firmware updates) protects most devices, especially Internet-facing ones. “Ideally, manufacturers would set these devices to auto-update by default,” said Netenrich Principal Threat Hunter John Bambenek. Video privacy trends are changing, prompting the Fortinet caution.