Incident Response, TDR

DDoS botnet comprised of nearly a thousand CCTV cameras

After observing a distributed denial-of-service (DDoS) attack targeting a client, researchers with Incapsula identified a DDoS botnet comprised of nearly a thousand closed-circuit television (CCTV) cameras.

The attack – which consisted of HTTP GET floods peaking at 20,000 requests per second – had traffic originating from approximately 900 CCTV cameras worldwide, a Wednesday blog post said, explaining the attack targeted a “rarely-used asset of a large cloud service, catering to millions of users worldwide.”

The cameras were open to being compromised because they were remotely accessible and used default or easily guessed credentials, the blog post said.

Another common link between all compromised CCTV cameras was that each one was running embedded Linux with BusyBox, software that combines small versions of common UNIX utilities into a single small executable.

“The malware we found inside them was an ELF binary for ARM named (.btce) a variant of the ELF_BASHLITE (a.k.a. Lightaidra and GayFgt) malware that scans for network devices running on BusyBox, looking for open Telnet/SSH services that are susceptible to brute force dictionary attacks,” the post said, adding the variant can also launch HTTP GET flood DDoS attacks from compromised devices.

In comments emailed to on Monday, Tim Erlin, director of IT security and risk strategy at Tripwire, said that the incident is a reminder that any device can be attacked so long as it has an operating system and is on the internet.

“Protecting these devices starts with visibility,” Erlin said. “In many cases, the responsible organizations simply don't know they're on the network or accessible. Just because a third party vendor installs devices on your network, doesn't mean you should trust they've secured them properly. You must require secure configurations and verify them continuously after deployment.”

Lasse Andresen, CTO of ForgeRock, said in comments emailed to on Monday that this incident shows how usernames and passwords are no longer sufficient for securing systems, particularly when it comes to the Internet of Things (IoT).

“The solution is to use contextual identity and access management (IAM) to protect the IoT from hackers,” Andresen said. “Using contextual cues like location and time to authenticate the identity of users and authorize access to IoT devices provides an added level of security.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.