Malware operators exploit 0Days in LILIN’s DVRs to spread Chalubo, FBot, and Moobot botnets

 


Since at least August last year, several attack groups have been exploiting multiple zero-day vulnerabilities in digital video recorders (DVRs) for surveillance systems manufactured by Taiwan-based LILIN to spread Chalubo, FBot, and Moobot botnets, according to Chinese security firm Qihoo 360's Netlab team.

The first vulnerability resides in the NTPUpdate process and allows attackers to inject and run system commands. The second stems from hardcoded credentials (root/icatch99 and report/8Jg0SR8K50), which an attacker can use to retrieve and modify a DVR's configuration file, and then execute commands on the device when the FTP or NTP server configurations are synchronized.

According to the Netlab team, the Chalubo botnet operators were the first to use the NTPUpdate vulnerability to hijack LILIN DVRs last August. Five months later, in January 2020, the FBot and Moobot botnets began spreading via the FTP/NTP flaws and the LILIN 0Day FTP vulnerability.

The researchers said they contacted LILIN twice: first after the FBot attacks, and a second time when Moobot infections were detected. In February this year, the vendor released a firmware update (2.0b60_20200207) addressing the vulnerabilities.
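For defenders with these DVRs in their estate, the following is an added example (not from Netlab or LILIN) that audits an inventory export for firmware older than the fixed build and for NTP/FTP server settings that are not plain host names. The inventory schema, field names, sample records and the reading of the version string as `<major>.<minor>b<build>_<date>` are assumptions made for this example.

```python
import re

# Fixed firmware named in the article. Treating the string as
# "<major>.<minor>b<build>_<YYYYMMDD>" is an assumption of this example.
FIXED_FIRMWARE = "2.0b60_20200207"
_FW_RE = re.compile(r"(\d+)\.(\d+)b(\d+)_(\d{8})")
# Plain host name or IPv4 literal: letters, digits, dots and hyphens only.
_HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def parse_firmware(version):
    """Return (major, minor, build, date) or None if the string does not parse."""
    m = _FW_RE.fullmatch(version.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def audit_device(dev):
    """Return a list of findings for one inventory record (hypothetical schema)."""
    findings = []
    fw = parse_firmware(dev.get("firmware", ""))
    if fw is None:
        findings.append("firmware version unparseable, check manually")
    elif fw < parse_firmware(FIXED_FIRMWARE):
        findings.append("firmware older than " + FIXED_FIRMWARE)
    # The article says commands run when the FTP or NTP server settings are
    # synchronized, so any value that is not a plain host name needs review.
    for field in ("ntp_server", "ftp_server"):
        value = dev.get(field, "")
        if value and not _HOST_RE.fullmatch(value):
            findings.append(field + " is not a plain host name: " + repr(value))
    return findings


# Constructed inventory: names, addresses, versions and fields are illustrative.
INVENTORY = [
    {"name": "dvr-lobby", "firmware": "2.0b60_20200207",
     "ntp_server": "time.example.net", "ftp_server": "192.0.2.10"},
    {"name": "dvr-dock", "firmware": "2.0b58_20190812",
     "ntp_server": "time.example.net;constructed-command", "ftp_server": ""},
    {"name": "dvr-gate", "firmware": "unknown",
     "ntp_server": "time.example.net", "ftp_server": "192.0.2.10"},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        for finding in audit_device(dev):
            print(dev["name"] + ": " + finding)
```

A device that reports findings on the server fields should be treated as potentially compromised rather than simply reconfigured, since the article describes those settings as the path to command execution.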
