Cybercriminals are attacking surveillance cameras from multiple manufacturers, using two zero-day vulnerabilities to take over the endpoints, view and manipulate the feeds, and more.
Cybersecurity researchers GreyNoise claim to have spotted the attacks after their AI-powered analytics tool Sift raised the alarm that scammers are attacking network device interface-enabled (NDI) pan-tilt-zoom (PTZ) cameras from multiple manufacturers.
The cameras can be found in a variety of environments, including industrial and manufacturing plants, where they are used for machine monitoring and quality control. They can also be found in corporate conferences, used for high-definition video streaming and remote presentations, in healthcare (used for telehealth consultations and surgical livestreams), state and local government settings, including courtrooms and houses of worship, where they are again used for livestreaming.
Waiting for band-aids
GreyNoise says the affected devices are typically expensive, with some models costing several thousand dollars.
Affected devices use VHD PTZ camera firmware
The affected vulnerabilities are now tracked as CVE-2024-8956 and CVE-2024-8957. The first is considered critical (9.1), the second high (7.2). If exploited, the vulnerabilities can be used to completely take over the cameras, view and manipulate video feeds, disable various camera operations, and assimilate the devices into a botnet.
While patches have already been released for some models, others remain vulnerable. According to BleepingComputerPTZOptics released a security update on September 17, but as several models reached end-of-life status (PT20X-NDI-G2 and PT12X-NDI-G2), not all models were patched. Furthermore, PT20X-SE-NDI-G3 and PT30X-SE-NDI-G3 are still waiting for a solution.
There is a good chance that the list of affected models is much longer than what researchers have currently identified. Users are advised to check with their manufacturer to see if they have released a fix for the above errors.