
Cybercrime, Hikvision products targeted by Moobot

Fortinet: Hikvision products have been actively targeted by Moobot. The threat actors leverage the critical vulnerability CVE-2021-36260 to install and run the malware, a Mirai botnet variant.

Hikvision IP Network Video Recorder (NVR) products are still being actively targeted by cybercriminals through Moobot, a Mirai-based DDoS botnet. The attacks rely on a critical vulnerability, CVE-2021-36260. This was discovered by the Fortinet cybersecurity experts. CVE-2021-36260 results from insufficient input validation, which allows unauthenticated users to inject a downloader into a <language> tag and trigger a command injection attack on a Hikvision product. The malicious code then installs the main botnet, Moobot. The downloader fetches the malware with the “/arm5” URI from server 199.195.250[.]233:80 and prints “RAY” if the download was successful. Moreover, Moobot has some elements from Satori, another Mirai variant botnet.
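A detection sketch for the two observable stages described above, added here as an example and not taken from Fortinet or the article: it flags request bodies whose <language> value is not a plain locale code, and egress log lines that reach the quoted server and URI. The locale allow-list, the egress log layout, the finding labels and all sample data are assumptions constructed for illustration.

```python
import re

# Indicators quoted in the article (the IP is defanged there).
C2_HOST = "199.195.250.233"
PAYLOAD_URI = "/arm5"

# Assumption: a legitimate <language> value is a short locale code ("en", "zh-CN").
SAFE_LANGUAGE = re.compile(r"[A-Za-z]{2,8}(?:[-_][A-Za-z0-9]{2,8})?")
LANGUAGE_TAG = re.compile(r"<language>(.*?)</language>", re.I | re.S)


def inspect_request_body(body):
    """Return findings for one HTTP request body sent to a device."""
    values = LANGUAGE_TAG.findall(body)
    if not values and "<language" in body.lower():
        return ["language-tag-malformed"]  # opened but never closed
    findings = []
    for value in values:
        if not SAFE_LANGUAGE.fullmatch(value.strip()):
            findings.append("language-tag-not-a-locale")
    return findings


def inspect_egress(line):
    """Classify one egress log line: '<src> <dst_host>:<port> <method> <uri>'."""
    parts = line.replace("[.]", ".").split()  # accept defanged indicators
    if len(parts) != 4:
        return None
    host = parts[1].rsplit(":", 1)[0]
    if host != C2_HOST:
        return None
    return "moobot-downloader-fetch" if parts[3] == PAYLOAD_URI else "c2-host-contact"


# Constructed samples, not captured traffic.
BODIES = [
    "<?xml version='1.0'?><language>en</language>",
    "<?xml version='1.0'?><language>$(CONSTRUCTED_COMMAND)</language>",
    "<language>en; CONSTRUCTED_COMMAND",
]
EGRESS = [
    "10.0.0.20 199.195.250[.]233:80 GET /arm5",
    "10.0.0.20 192.0.2.10:80 GET /arm5",
    "10.0.0.21 199.195.250.233:80 GET /other",
]

if __name__ == "__main__":
    for sample in BODIES:
        print(inspect_request_body(sample), "<-", sample)
    for sample in EGRESS:
        print(inspect_egress(sample), "<-", sample)
```

A camera or NVR that initiates the flagged outbound fetch is the stronger signal of the two, since these devices rarely have a reason to pull binaries from the internet.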
