A botnet, like the one formed by these devices, is a network of hacked devices that is under the control of a hacker or malicious group, who can obtain information from these devices and even control them remotely.
The non-profit organization Shadowserver Foundation, dedicated to searching for security flaws and malicious software, has detected a botnet with an international presence made up of GeoVision devices that have become obsolete. GeoVision is a company that makes security products such as video cameras, access controls, monitoring systems and cloud security. Although the United States and Germany are the two most potentially affected countries, the map shared by this organization shows that in Spain there are more than 300 vulnerable GeoVision devices.
Devices that become obsolete are a prime target for hackers, who take advantage of the window between when a device becomes obsolete and when it is replaced by a new unit to infect it with malware. Once a device is obsolete, the company stops providing security patches, leaving it less protected against new threats.
In this context, thousands of devices are believed to have been hacked around the world. According to the map, the United States has almost 10,000 vulnerable GeoVision devices that hackers could try to infect; Canada has about 784, and Germany 1,652. After Germany, the European countries with the most vulnerable GeoVision devices in active use are Belgium (469 units) and Spain (310 units).
The hackers have used the zero-day vulnerability CVE-2024-11120, which allows them to gain remote access to devices.
According to cybersecurity researchers at Shadowserver, the botnet is already being used to launch distributed denial of service (DDoS) attacks and to mine cryptocurrencies.
“Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device. Furthermore, this vulnerability has already been exploited by attackers and we have received related reports,” explains the cybersecurity organization TWCERT/CC.
Types of devices affected
The infected devices that have become part of the botnet are IP cameras, video servers or compact DVRs, among others. The list is the following:
- DSP LPR (license plate recognition device): GV_DSP_LPR_V2, GV-DSP_LPR_V3
- IP cameras: GV_IPCAMD_GV_BX1500, GV_IPCAMD_GV_CB220, GV_IPCAMD_GV_EBL1100, GV_IPCAMD_GV_EFD1100, GV_IPCAMD_GV_FD2410, GV_IPCAMD_GV_FD3400, GV_IPCAMD_GV_FE3401, GV_IPCAMD_GV_FE420
- Video servers: GV-VS14_VS14, GV_VS03, GV_VS2410, GV_VS28XX, GV_VS216XX, GV VS04A, GV VS04H
- DVR (Digital Video Recorder): GVLX 4 V2, GVLX 4 V3
Although not all infected devices are cameras, other devices act as managers of these video cameras, so they could have access to the images collected by them.
GeoVision will not provide security patches since these devices are obsolete, so the only possible solution to protect them is to replace them with new models.