We just came across some Hikvision DVRs that were infected with malware. The malware scanned outbound for vulnerable Synology disk stations (port 5000 tcp) and ran a bitcoin miner. Other DVRs may be affected as well. So far, it looks like the infection happened with telnet using default credentials.
To check if your DVR is affected:
- telnet to the DVR
- log in as root (password should be the same as your "admin" password)
- check the /dev/ directory for odd files. The only entries in this directory should be devices; you shouldn't have any actual files.
For more details, see:
https://isc.sans.edu/forums/diary/More+Device+Malware+This+is+why+your+DVR+attacked+my+Synology+Disk+Station+and+now+with+Bitcoin+Miner+/17879
If you find anything on your DVR, please let us know as we are still investigating this issue. (https://isc.sans.edu/contact.html)
Thanks.
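The /dev/ check from the steps above can be scripted. This is an added example, not part of the original post: the function names are hypothetical, and it assumes the DVR's shell is a POSIX/BusyBox `sh` that may lack `find`, so it uses only shell builtins.

```shell
#!/bin/sh
# Added example: list regular files under a directory that should contain
# only device nodes (for the DVR, /dev). Builtins only, no find(1) needed.

list_regular_files() {
    dir=$1
    # Three globs so hidden names are covered too: "x", ".x" and "..x".
    # The word list is expanded once, so recursion reusing $dir is safe.
    for entry in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        # Skip glob patterns that matched nothing.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        # Symlinks are normal in /dev; report targets only if they live there.
        [ -L "$entry" ] && continue
        if [ -d "$entry" ]; then
            list_regular_files "$entry"
        elif [ -f "$entry" ]; then
            # A regular file: not a device node, pipe or socket.
            echo "$entry"
        fi
    done
}

# Returns 0 if the directory holds no regular files, 1 otherwise.
check_device_dir() {
    target=${1:-/dev}
    found=$(list_regular_files "$target")
    if [ -n "$found" ]; then
        echo "Regular files found under $target (expected devices only):"
        echo "$found"
        return 1
    fi
    echo "No regular files under $target"
    return 0
}

# Usage on the device: check_device_dir /dev
```

On a general-purpose Linux host, entries such as /dev/shm can legitimately hold regular files, so treat a hit there differently from one on the DVR.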