In a recent advisory, Fortinet’s FortiGuard Labs revealed that threat actors are actively leveraging a five-year-old unpatched vulnerability affecting TBK digital video recorder (DVR) devices. This security flaw, identified as CVE-2018-9995, has a CVSS score of 9.8, categorizing it as critical. It allows remote attackers to potentially gain unauthorized access by bypassing authentication mechanisms.

The flaw stems from improper handling of maliciously crafted HTTP cookies, enabling attackers to elevate their permissions without appropriate authorization. Fortinet noted in its May 1, 2023 outbreak alert that this vulnerability can ultimately provide access to camera feeds.
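The class of bug described above, a web interface that derives a user's privilege level from data the client supplies in a cookie, is illustrated below with an added Python example written for this article. It is not TBK firmware code and does not reproduce the device's real cookie format; the `role` and `session` cookie names, the credentials and the in-memory session table are all constructed. The unsafe function shows why a client-controlled field can never be trusted as an authorization decision; the safe function looks the session up server-side and binds the identifier with an HMAC so a forged or altered token falls back to the lowest privilege.

```python
# Added illustration (not TBK code): client-trusting vs. server-validated sessions.
import hashlib
import hmac
import secrets

# Constructed per-process secret; on a real device this would be a per-unit key.
SERVER_KEY = secrets.token_bytes(32)
# Server-side session store, populated only by a successful login.
SESSIONS = {}


def parse_cookies(header):
    """Split a raw Cookie header ("a=1; b=2") into a dict."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def role_from_cookie_unsafe(cookie_header):
    """Vulnerable pattern: the privilege level is read straight from the cookie,
    so any client can claim any role without ever authenticating."""
    return parse_cookies(cookie_header).get("role", "guest")


def login(username, password):
    """Constructed credential check; returns a signed session token or None."""
    if username == "admin" and password == "correct-horse":
        session_id = secrets.token_hex(16)
        SESSIONS[session_id] = "admin"
        tag = hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()
        return f"{session_id}.{tag}"
    return None


def role_from_cookie_safe(cookie_header):
    """Hardened pattern: the cookie only carries an opaque session id plus an
    HMAC; the role comes from the server-side table, never from the client."""
    token = parse_cookies(cookie_header).get("session", "")
    session_id, _, tag = token.partition(".")
    if not session_id:
        return "guest"
    expected = hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; a bad or missing tag means no trusted session.
    if not hmac.compare_digest(tag, expected):
        return "guest"
    return SESSIONS.get(session_id, "guest")


if __name__ == "__main__":
    print("unsafe, forged cookie:", role_from_cookie_unsafe("role=admin"))
    print("safe, forged cookie:  ", role_from_cookie_safe("role=admin"))
    token = login("admin", "correct-horse")
    print("safe, real session:   ", role_from_cookie_safe(f"session={token}"))
```

The unsafe variant grants `admin` to anyone who types the word into a cookie, which is exactly the behaviour the advisory describes as an authentication bypass. The safe variant returns `guest` for the same input, for a token with a tampered tag, and for a well-formed token whose session was never created by `login`.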

The company reported a significant surge in exploitation attempts, with over 50,000 incidents detected targeting TBK DVR devices just in April 2023. This alarming trend comes amid the existence of a proof-of-concept exploit available in the wild, yet there remain no patches to mitigate this vulnerability.

Affected models include TBK DVR4104 and DVR4216, with devices also marketed under various brand names such as CeNova, Night OWL, and QSee, among others. The lack of a fix, combined with publicly available proof-of-concept code, makes these devices easy targets for malicious actors.

Furthermore, Fortinet highlighted another critical vulnerability, CVE-2016-20016, with a matching CVSS score of 9.8, which affects MVPower CCTV DVR models. Exploitation of this vulnerability could allow unauthenticated attackers to remotely execute arbitrary commands as root via accessible web shells.

The ongoing issues with these vulnerabilities reflect broader trends in cyber threats aimed at surveillance devices. The combination of over 50,000 detected intrusion attempts and a readily exploitable vulnerability emphasizes how network camera systems are continually targeted by cyber adversaries.

In analyzing potential tactics aligned with the MITRE ATT&CK Framework, the initial access could be achieved through exploiting the authentication bypass vulnerability, leading to privilege escalation. Once successful, persistence methods may be employed to maintain access to compromised devices.

This situation serves as a critical reminder of the importance of robust security measures and regular updates for IoT and network surveillance devices. Organizations must remain vigilant and proactive in addressing such vulnerabilities to protect their assets against well-resourced cyber threats.
