A zero-day vulnerability in a digital video recorders (DVR) made by LILIN is being used by malicious actors to create botnet armies.

Using a zero day to infect a device is a new tactic, reported NetLab 360, which uncovered the trend last year when multiple campaigns operated by several different attack groups were found using it to spread the Moobot, Chalubo and FBot botnets.

NetLabs first saw Chalubo was being spread via this vulnerability back in August 2019, this was followed by FBot showing up on Januaryb 11, 2020 which spurred NetLab to first contact LILIN. Moobot was the next to arrive coming online on January 26, at which time the security firm again reached out to the manufacturer.

On February 12 LILIN was supplied with the exploit’s details and two days later firmware version 2.0b60_20200207 was released.

Yiming Gong, director of NetLab 360’s network security research lab, told SC Media it took his team several months to complete its investigation prior to informing LILIN.

“When we talking about IoT 0 days, sometimes it is hard to tell if it is really a zero day or not without specific investigations, as more works need to be done such as to know which vendors and what product lines are involved and if all their most current firmwares are patched. We first saw it on 2019/08/30, but only until 2020/01/11 we realized it is not just a run-of-the-mill attacks and that started the follow up investigations,” he said.

The team found that the LILIN DVR vulnerability has three components all of which must be exploited for the device to be captured by the attacker. The first problem is only two hard-coded login credentials were created and used and these are easily discovered, a command injection flaw where the firmware does not filter special characters in the server field, making command injection possible and FTP and NTP injection vulnerability. The last problem can lead to arbitrary file reading with the follow-on step of allowing a backdoor command to be injected into the DVR.