Threat actors target critical TBK digital video recording system vulnerability
TBK Vision products are deployed in the following industry sectors:
Threat actors are actively exploiting an unpatched authentication bypass vulnerability in TBK digital video recording (DVR) systems, tracked as CVE-2018-9995 (CVSSv3 Score: 9.8 – Critical). As per recent reporting, there have been more than 50,000 attempts to exploit vulnerable TBK DVR systems.
Proof-of-Concept (PoC) exploit code has been released that targets the vulnerability in the affected servers. The exploit uses a maliciously crafted HTTP cookie, with vulnerable systems responding with administrator credentials in the form of JSON data.
Successful exploitation of CVE-2018-9995 allows threat actors to bypass authentication on the target system and obtain administrative privileges, ultimately leading to access to camera video feeds.
– TBK DVR4104 and TBK DVR4216 systems
Containment, Mitigations & Remediations
At the time of writing, a security update has not been released for this vulnerability. It is therefore strongly recommended that users replace vulnerable systems with supported models or isolate them from the internet to prevent unauthorised access.
Indicators of Compromise
No specific Indicators of Compromise (IoCs) are currently available.
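In the absence of specific IoCs, the behaviour described above (a DVR answering an HTTP request with administrator credentials as JSON) can be hunted for in captured HTTP responses. The following is an added example, not code from the advisory or the vendor; the DVR addresses, internal range, record layout and credential key pattern are assumptions, and the sample records are constructed.

```python
import ipaddress
import json
import re

# Assumptions (not from the advisory): DVR addresses, internal range, key pattern.
DVR_HOSTS = {"10.20.0.15", "10.20.0.16"}  # TBK DVR4104/DVR4216 units from your inventory
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
CRED_KEY = re.compile(r"pass|pwd|secret|credential", re.IGNORECASE)

def credential_paths(node, path="$"):
    """Walk parsed JSON; return the paths of non-empty credential-like string fields."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if CRED_KEY.search(key) and isinstance(value, str) and value:
                hits.append(here)
            hits.extend(credential_paths(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(credential_paths(item, f"{path}[{i}]"))
    return hits

def find_credential_leaks(records):
    """Flag responses sent by a DVR whose body is JSON carrying credential fields."""
    alerts = []
    for rec in records:
        if rec["server"] not in DVR_HOSTS:
            continue
        try:
            body = json.loads(rec["body"])
        except ValueError:
            continue  # not JSON (HTML login page, image, video stream)
        paths = credential_paths(body)
        if paths:
            external = ipaddress.ip_address(rec["client"]) not in INTERNAL_NET
            alerts.append({"client": rec["client"], "server": rec["server"],
                           "severity": "high" if external else "review", "fields": paths})
    return alerts

# Constructed sample records (client, responding server, response body); not real traffic.
LEAK = '{"result": 0, "users": [{"name": "admin", "password": "example-only"}]}'
SAMPLE = [
    {"client": "203.0.113.7", "server": "10.20.0.15", "body": LEAK},
    {"client": "10.20.0.50", "server": "10.20.0.15", "body": LEAK},
    {"client": "198.51.100.9", "server": "10.20.0.16", "body": "<html>login</html>"},
    {"client": "198.51.100.9", "server": "10.20.0.16", "body": '{"result": 0, "channels": 4}'},
]
print(find_credential_leaks(SAMPLE))
```

A "high" alert means credentials left a DVR towards a client outside the internal range, which also shows the device is not isolated from the internet as recommended above.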
Because DVR systems are typically located on internal networks, they are an attractive target for threat actors, who can exploit them for initial access and data theft. Reporting has indicated that there has been a recent increase in attempted exploits of TBK DVR devices.
TBK holds a significant share of the surveillance camera market. Threat actors generally use a combination of probability and asset value to determine which attack surfaces to focus on, and as a result TBK products have become a prime target. Because these camera models have become integral to business operations, threat actors will continue to exploit vulnerabilities in these devices for the purposes of data extraction.
No attribution to specific threat actors or groups has been identified at the time of writing.
– TA0004 – Privilege Escalation
– Proof-of-Concept Exploit Code