Cybercriminals Are Selling Access to Chinese Surveillance Cameras - Related to your, when, cybercriminals, selling, what

Cybercriminals Are Selling Access to Chinese Surveillance Cameras

New research indicates that over 80,000 Hikvision surveillance cameras in the world today are vulnerable to an 11 month-old command injection flaw.

Hikvision – short for Hangzhou Hikvision Digital Technology – is a Chinese state-owned manufacturer of video surveillance equipment. Their consumers span over 100 countries (including the United States, despite the FCC labeling Hikvision “an unacceptable risk to [website] national security” in 2019).

Last Fall, a command injection flaw in Hikvision cameras was revealed to the world as CVE-2021-36260. The exploit was given a “critical” [website] out of 10 rating by NIST.

Despite the severity of the vulnerability, and nearly a year into this story, over 80,000 affected devices remain unpatched. In the time since, the researchers have discovered “multiple instances of hackers looking to collaborate on exploiting Hikvision cameras using the command injection vulnerability,” specifically in Russian dark web forums, where leaked credentials have been put up for sale.

The extent of the damage done already is unclear. The authors of the investigation could only speculate that “Chinese threat groups such as MISSION2025/APT41, APT10 and its affiliates, as well as unknown Russian threat actor groups could potentially exploit vulnerabilities in these devices to fulfill their motives (which may include specific geo-political considerations).”.

With stories like this, it’s easy to ascribe laziness to individuals and organizations that leave their software unpatched. But the story isn’t always so simple.

, senior director of threat intelligence at Cybrary, Hikvision cameras have been vulnerable for many reasons, and for a while. “Their product contains easy to exploit systemic vulnerabilities or worse, uses default credentials. There is no good way to perform forensics or verify that an attacker has been excised. Furthermore, we have not observed any change in Hikvision’s posture to signal an increase in security within their development cycle.”.

A lot of the problem is endemic to the industry, not just Hikvision. “IoT devices like cameras aren’t always as easy or straightforward to secure as an app on your phone,” Paul Bischoff, privacy advocate with Comparitech, wrote in a statement via email. “Updates are not automatic; clients need to manually download and install them, and many clients might never get the message. Furthermore, IoT devices might not give clients any indication that they’re unsecured or out of date. Whereas your phone will alert you when an improvement is available and likely install it automatically the next time you reboot, IoT devices do not offer such conveniences.”.

While individuals are none the wiser, cybercriminals can scan for their vulnerable devices with search engines like Shodan or Censys. The problem can certainly be compounded with laziness, as Bischoff noted, “by the fact that Hikvision cameras come with one of a few predetermined passwords out of the box, and many individuals don’t change these default passwords.”.

Between weak security, insufficient visibility and oversight, it’s unclear when or if these tens of thousands of cameras will ever be secured.

As cloud security evolves in 2025 and beyond, organizations must adapt to both new and evolving real...

Fake travel reservations are exacting more pain from the travel weary, already dealing with the mise...

Separate fixes to macOS and iOS patch respective flaws in the kernel and WebKit that can allow threa...

What Is Attack Surface Management?

Attack surfaces are growing faster than security teams can keep up – to stay ahead, you need to know what's exposed and where attackers are most likely to strike.

With cloud adoption dramatically increasing the ease of exposing new systems and services to the internet, prioritizing threats and managing your attack surface from an attacker's perspective has never been more crucial.

In this guide, we look at why attack surfaces are growing and how to monitor and manage them properly with tools like Intruder. Let's dive in.

First, it's key to understand what we mean when we talk about an attack surface. An attack surface is the sum of your digital assets that are 'reachable' by an attacker – whether they are secure or vulnerable, known or unknown, in active use or not.

You can also have both internal and external attack surfaces - imagine for example a malicious email attachment landing in a colleague's inbox, vs a new FTP server being put online.

Your external attack surface changes continuously over time, and includes digital assets that are on-premises, in the cloud, in subsidiary networks, and in third-party environments. In short, your attack surface is anything that a hacker can attack.

Attack surface management (ASM) is the process of discovering these assets and services and reducing or minimizing their exposure to prevent hackers exploiting them.

Exposure can mean two things: current vulnerabilities, such as missing patches or misconfigurations that reduce the security of the services or assets. But it can also mean exposure to future vulnerabilities or determined attacks.

Take for example an admin interface like cPanel, or a firewall administration page – these may be secure against all known current attacks today, but a vulnerability could easily be discovered in the software tomorrow – in which case it would immediately become a significant risk. So while traditional vulnerability management processes would say "wait until a vulnerability is detected and then remediate it", attack surface management would say "get that firewall admin panel off the internet before it becomes a problem!".

That's not to mention that having a firewall admin panel exposed to the internet opens it up to other attacks, regardless of a vulnerability being discovered. For example, if an attacker discovers some admin credentials elsewhere, they could potentially reuse those credentials against this admin interface, and this is often how attackers expand their access across networks. Equally, they may just try a sustained "low and slow" password guessing exercise which goes under the radar but eventually yields results.

To highlight this point in particular, ransomware gangs were reported in 2024 targeting VMware vSphere environments exposed to the internet. By exploiting a vulnerability in these servers, they were able to gain access and encrypt virtual hard disks of critical infrastructure to demand huge ransoms. It was reported there are over two thousand vSphere environments still exposed.

So for multiple reasons, reducing your attack surface today makes you harder to attack tomorrow.

So, if a significant part of attack surface management is reducing exposure to possible future vulnerabilities by removing unnecessary services and assets from the internet, the first step is to know what you have.

Often considered the poor relation of vulnerability management, asset management has traditionally been a labor intensive, time-consuming task for IT teams. Even when they had control of the hardware assets within their organization and network perimeter, it was still fraught with problems. If just one asset was missed from the asset inventory, it could evade the entire vulnerability management process and, depending on the sensitivity of the asset, could have far reaching implications for the business. This was the case in the Deloitte breach in 2016, where an overlooked administrator account was exploited, exposing sensitive client data.

When companies expand through mergers and acquisitions too, they often take over systems they're not even aware of – take the example of telco TalkTalk which was breached in 2015 and up to 4 million unencrypted records were stolen from a system they didn't even know existed.

Today, it's even more complicated. Businesses are migrating to cloud platforms like Google Cloud, Microsoft Azure, and AWS, which allow development teams to move and scale quickly when needed. But this puts a lot of the responsibility for security directly into the hands of the development teams – shifting away from traditional, centralized IT teams with change control processes.

While this is great for speed of development, it creates a visibility gap, and so cyber security teams need ways to keep up with the pace.

Attack surface management if anything is the recognition that asset management and vulnerability management must go hand-in-hand, but companies need tools to enable this to work effectively.

A good example: an Intruder customer once told us we had a bug in our cloud connectors - our integrations that show which cloud systems are internet-exposed. We were showing an IP address that he didn't think he had. But when we investigated, our connector was working fine – the IP address was in an AWS region he didn't know was in use, somewhat out of sight in the AWS console.

This presents how attack surface management can be as much about visibility as vulnerability management.

If you use a SaaS tool like HubSpot, they will hold a lot of your sensitive customer data, but you wouldn't expect to scan them for vulnerabilities – this is where a third-party risk platform comes in. You would expect HubSpot to have many cyber security safeguards in place – and you would assess them against these.

Where the lines become blurred is with external agencies. Maybe you use a design agency to create a website, but you don't have a long-term management contract in place. What if that website stays live until a vulnerability is discovered and it gets breached?

In these instances, third party and supplier risk management software and insurance help to protect businesses from issues such as data breaches or noncompliance.

6 ways to secure your attack surface with Intruder.

By now, we've seen why attack surface management is so essential. The next step is turning these insights into concrete, effective actions. Building an ASM strategy means going beyond known assets to find your unknowns, adapting to a constantly changing threat landscape, and focusing on the risks that will have the greatest impact on your business.

Here are six ways Intruder helps you put this into action:

Intruder continuously monitors for assets that are easy to lose track of but can create exploitable gaps in your attack surface, such as subdomains, related domains, APIs, and login pages. Learn more about Intruder's attack surface discovery methods.

2. Search for exposed ports and services.

Use Intruder's Attack Surface View (shown below) to find what's exposed to the internet. With a quick search, you can check your perimeter for the ports and services that should – and, more importantly, shouldn't – be accessible from the internet.

Intruder provides greater coverage than other ASM solutions by customizing the output of multiple scanning engines. Check for over a thousand attack surface specific issues, including exposed admin panels, publicly-facing databases, misconfigurations, and more.

4. Scan your attack surface whenever it changes.

Intruder continuously monitors your attack surface for changes and initiates scans when new services are detected. By integrating Intruder with your cloud accounts, you can automatically detect and scan new services to reduce blind spots and ensure all exposed cloud assets are covered within your vulnerability management program.

When a new critical vulnerability is discovered, Intruder proactively initiates scans to help secure your attack surface as the threat landscape evolves. With Rapid Response, our security team checks your systems for the latest issues being exploited faster than automated scanners can, alerting you immediately if your organization is at risk.

6. Prioritize the issues that matter most.

Intruder helps you focus on the vulnerabilities that pose the greatest risk to your business. For example, you can view the likelihood of your vulnerabilities being exploited within the next 30 days and filter by "known" and "very likely" to generate an actionable list of the most significant risks to address.

Get started with attack surface management.

Intruder's EASM platform is solving one of the most fundamental problems in cybersecurity: the need to understand how attackers see your organization, where they are likely to break in, and how you can identify, prioritize and eliminate risk. Book some time in with our team to find out how Intruder can help protect your attack surface.

improvement: Added statement from Apple below.

The first Apple-notarized porn app, "Hot Tub," is now ava...

A security vulnerability has been disclosed in AMD's Secure Encrypted Virtualization (SEV) that coul...

New research indicates that over 80,000 Hikvision surveillance cameras in the world today are vulner...

When you shouldn’t patch: Managing your risk factors

So imagine my surprise when attending Qualys QSC24 in San Diego to hear a number of conference speakers say that patching shouldn’t be an automatic reaction. In fact, they say, there are times when it is advanced not to patch at all.

No, you don’t need to fix everything, says Dilip Bachwani, Chief Technology Officer with Qualys.

“It’s not practical,” Bachwani adds. “Even if there is a vulnerability, it may not apply in your environment.” It could be an application that isn’t an internet-facing asset or something secured through other controls.

The knee-jerk reaction when a new patch is released is to get it installed as quickly as possible to prevent a vulnerability from turning into a cyber incident. However, Bachwani and his Qualys colleagues stress that security teams need to take a step back and evaluate their organization’s risk threshold.

What that evaluation will first discover is a lot of vulnerabilities across their infrastructure. A study by Coalition expects the total number of common vulnerabilities and exposures (CVEs) to increase by 25% in 2024 to 34,888 vulnerabilities, or nearly 3,000 per month.

“New vulnerabilities are ,” Tiago Henriques, Coalition’s Head of Research, says. “Most organizations are experiencing alert fatigue and confusion about what to patch first to limit their overall exposure and risk.”.

With the steady increase in the number of CVEs, it is easy to think that every vulnerability is critical — and if every vulnerability is given an equal risk value, patching becomes overwhelming. The researchers at Qualys recommend prioritizing the risk involved with each vulnerability so that you can determine what should be patched first and what might not need to be patched at all.

How to prioritize your organization’s vulnerabilities.

To prioritize vulnerabilities, it requires knowing all of your assets across the organization and identifying and monitoring the attack surface. However, Qualys research found that only 9% of companies are actively monitoring 100% of their attack surface. Shadow IT, third-party vendors and risks, a digital transformation made too quickly and without an assessment of technologies and assets added and not recognizing emerging threat vectors are just some of the reasons why organizations are unable to properly monitor their attack surface.

Deploying an attack surface management program will identify what technologies are attached to your network and where and what assets need protection. The critical requirements of an attack surface management program are:

Dynamic cybersecurity needs with rapid identification.

Unauthorized software tracking in real-time.

The more familiar you become with the systems accessing your network, the easier it will be to know your corporate assets and prioritize their importance. When levels of risk tolerance are assigned to these assets, it will then be easier to prioritize critical and non-critical vulnerabilities to be patched or, in some cases, not patched.

Patching protocols should be unique to your organization, based on your internal measures of mission-critical and risk tolerance. Whereas one organization may decide that the most critical vulnerabilities must be patched immediately, another may find that seven days is the ultimate time frame to reduce risk for the most critical assets. Patch management programs will tier their assets, beginning with the most critical and can’t afford downtime if something goes wrong and down through secondary tiers with longer wait times.

But there are times when it is smart to slow down or even eliminate the patching process. They include:

An crucial and time-sensitive project is in progress and requires uninterrupted computer time.

Reports of bugs in the patch or it creates compatibility problems with the application in a testing sample.

The vulnerable software is limited in scope within the organization and can be isolated.

Other mitigating controls can be put in place.

The application never uses the functions with the known vulnerability.

The costs of patching outweigh the benefits. If the code is outdated and needs to be rewritten, for example, then it doesn’t make sense to take the time and expense to apply the patch.

With the increase of CVEs and the always looming threat of a cyber incident, many organizations are looking at how to maximize their cybersecurity insurance. With the strict rules and audits in place to be eligible for cybersecurity insurance, is taking an approach to only patch when it is truly necessary going to downgrade your organization with insurance companies?

Bachwani says no. “I actually think a solution like this will enable cyber insurers to be more effective.”.

The way the insurance marketplace works today is that it is less focused on the organization’s internal data and more on the organization’s overall cybersecurity posture.

“If I’m able to clearly demonstrate that we internally have really good hygiene, my insurance should be lower,” says Bachwani.

In the end, the decision on whether or not to patch will come down to one singular issue: What is the value to the business by patching or not patching? And that is determined by the organization’s risk tolerance. Recognizing the consequences of downtime or a cyber incident will help prioritize critical vulnerabilities that require time and resources to patch. But also being willing to accept that you can’t patch everything will give your team the space to focus on bigger risk threats.

Behörden und Cybersicherheitsfachleute haben gravierende Sicherheitsbedenken gegen die chinesische KI DeepSeek. Dabei geht es um mehrere Punkte: die o......

Ivanti warnt vor mehreren, teils kritischen Sicherheitslücken in der VPN-Software Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS) und Ivanti S......

In einer koordinierten Aktion von Strafverfolgungsbehörden aus 14 Ländern wurden vergangene Woche vier Anführer der Ransomware-Gruppe 8Base festgenomm......