This Week In Security: Somebody’s Watching, Microsoft + Linux, DDoS

submitted by
Style Pass
2021-09-27 17:30:06

In case you needed yet another example of why your IoT devices shouldn’t be exposed to the internet, a large swath of Hikvision IP Cameras have a serious RCE vulnerability. CVE-2021-36260 was discovered by the firm Watchful_IP in the UK. In Hikvision’s disclosure, they refer to the problem as a command injection vulnerability in the device’s web interface. The vuln is pre-authentication, and requires no user interaction. This could be something as simple as a language chooser not sanitizing the inputs on the back-end, and being able to use backticks or a semicolon to trigger an arbitrary command.
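The class of bug speculated about above, as an added example (not Hikvision's code, and not the actual CVE-2021-36260 flaw, whose details the article says are undisclosed). The language-setting handler, the `set-language` helper and the allowed language list are hypothetical; `echo` stands in for the device helper so the script is harmless and runs offline.

```python
import subprocess

# Hypothetical stand-in for a firmware helper that applies the UI language.
HELPER = "echo"
# Assumed set of languages the device supports.
ALLOWED_LANGS = {"en", "de", "zh"}


def set_language_vulnerable(lang: str) -> str:
    """Request input is pasted into a shell string, so ';' and backticks are interpreted."""
    result = subprocess.run(f"{HELPER} set-language {lang}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def set_language_argv_only(lang: str) -> str:
    """No shell: the input reaches the helper as one literal argument."""
    result = subprocess.run([HELPER, "set-language", lang],
                            capture_output=True, text=True, check=True)
    return result.stdout


def set_language_hardened(lang: str) -> str:
    """Allowlist first, then execute without a shell."""
    if lang not in ALLOWED_LANGS:
        raise ValueError(f"unsupported language: {lang!r}")
    return set_language_argv_only(lang)


if __name__ == "__main__":
    # Constructed inputs; the marker string is a harmless echo.
    for value in ["en", "en; echo INJECTED", "`echo INJECTED`"]:
        print("input     :", repr(value))
        print("vulnerable:", repr(set_language_vulnerable(value)))
        print("argv only :", repr(set_language_argv_only(value)))
        try:
            print("hardened  :", repr(set_language_hardened(value)))
        except ValueError as exc:
            print("hardened  : rejected,", exc)
```

In the vulnerable form the marker shows up as a second command's output; in the other two the metacharacters are either passed through as plain text or rejected before anything is executed.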

Now you’re probably thinking, “I don’t use Hikvision cameras.” The sneaky truth is that a bunch of cameras with different brand names are actually Hikvision hardware, with their firmware based on the Hikvision SDK. The outstanding question about this particular vulnerability is whether it’s present in any of the relabeled cameras. Since the exact vulnerability has yet to be disclosed, it’s hard to know for sure whether the relabeled units are vulnerable. But if we were betting…

In retrospect it should probably be obvious, but the Windows Subsystem for Linux was destined to be yet another vector for infection for Windows machines. It’s finally happened in the wild, and Black Lotus Labs has the scoop. The actual malware sample is a Python script compiled into an ELF binary, designed to run inside the WSL environment. From there, it makes calls out to the Windows API. The advantage of using WSL for malware is that it escapes detection by most of the security products on the market.
