Ukraine Hack

voyager57
Posts: 8
Joined: Mon Jul 10, 2017 2:26 pm

Ukraine Hack

Postby voyager57 » Mon Sep 25, 2017 3:01 pm

I have two separate NVR systems and over the weekend, had both get hacked by what I've been able to determine is an IP address from the Ukraine. What happened is all cameras went offline and completely disappeared from the device list. Multiple reboots, etc., did not resolve it. At first I thought it was a hardware PoE failure, but when my second system did the exact same thing a day later, I knew something else had to be up. After a harder look, there it was... I saw my 4 spare camera channels were renamed to "Hacked 5 - 8".

Below are the logs from the NVR. I did a factory reset and got everything back up and running, but am concerned how they got into the NVR in the first place and what steps need to be taken to secure it. I of course had a unique admin password, changed from the default, that could not have been guessed. The same with other user accounts. I also read in the manual that accounts are supposed to lock out after 5 bad login attempts, so there's no way this thing could have been brute-forced. Is there a known security issue? Is there a newer version of firmware I should be running?

I am running an NVR708NS-P. System version 3.200.KL05.0. Build date 02-23-2016. Web 3.1.0.52249. I do use icddns.com for dynamic DNS for both systems. I only bring that up because that service was out for a while in July and I wonder if this is related, because they got into both of my NVRs a day apart, and the two are in different locations, in two different states, on separate ISPs with very different external IPs. There is zero connection or relation from one to the other, so I am concerned they somehow found both of my NVRs through icddns.com. That still doesn't explain how they were then able to log in and change my config to make both systems inoperable.

The other system is about a year older. I can pull the info from that system as well if needed later this afternoon.

Here are the logs:

No. Time User Name Log Type Note
109 17-09-22 23:32:38 admin User logged in IP Address: 195.211.190.199 User: admin
110 17-09-22 23:32:38 admin Save Save COLOR SETTING Config! IP Address:195.211.190.199
111 17-09-22 23:32:38 admin Save Save COLOR SETTING Config! IP Address:195.211.190.199
112 17-09-22 23:32:38 admin Save Save COLOR SETTING Config! IP Address:195.211.190.199
113 17-09-22 23:32:38 admin Save Save COLOR SETTING Config! IP Address:195.211.190.199
114 17-09-22 23:32:38 admin Save Save COLOR SETTING Config! IP Address:195.211.190.199
115 17-09-22 23:32:38 admin Save Save COLOR SETTING Config! IP Address:195.211.190.199
116 17-09-22 23:32:38 admin Save Save COLOR SETTING Config! IP Address:195.211.190.199
117 17-09-22 23:32:38 admin Save Save COLOR SETTING Config! IP Address:195.211.190.199
118 17-09-22 23:32:38 admin Save Save NETWORK Config! IP Address:195.211.190.199
119 17-09-22 23:32:38 admin Save Save DNS Config! IP Address:195.211.190.199
120 17-09-22 23:32:38 admin Save Save NETWORK Config! IP Address:195.211.190.199
121 17-09-22 23:32:38 admin Save Save IPV6 DNS Config! IP Address:195.211.190.199
122 17-09-22 23:32:38 admin Save Save Wireless Config! IP Address:195.211.190.199
123 17-09-22 23:32:38 admin Save Save DISPLAY Config! IP Address:195.211.190.199 Channel:5 Channel Display :CAM 5-->HACKED 5
124 17-09-22 23:32:38 admin Save Save DISPLAY Config! IP Address:195.211.190.199 Channel:6 Channel Display :CAM 6-->HACKED 6
125 17-09-22 23:32:38 admin Save Save DISPLAY Config! IP Address:195.211.190.199 Channel:7 Channel Display :CAM 7-->HACKED 7
126 17-09-22 23:32:38 admin Save Save DISPLAY Config! IP Address:195.211.190.199 Channel:8 Channel Display :CAM 8-->HACKED 8
127 17-09-22 23:32:38 admin Save Save UPnP Config! IP Address:195.211.190.199
128 17-09-22 23:32:38 default Save Save Monitor Config! IP Address:Login Local Channel:1 Enable :Yes-->No
129 17-09-22 23:32:38 default Save Save Monitor Config! IP Address:Login Local Channel:2 Enable :Yes-->No
130 17-09-22 23:32:38 default Save Save Monitor Config! IP Address:Login Local Channel:3 Enable :Yes-->No
131 17-09-22 23:32:38 default Save Save Monitor Config! IP Address:Login Local Channel:4 Enable :Yes-->No
132 17-09-22 23:32:38 default Save Save Monitor Config! IP Address:Login Local Channel:1 Enable :No-->Yes
133 17-09-22 23:32:38 default Save Save Monitor Config! IP Address:Login Local Channel:2 Enable :No-->Yes
134 17-09-22 23:32:38 default Save Save Monitor Config! IP Address:Login Local Channel:3 Enable :No-->Yes
135 17-09-22 23:32:38 default Save Save Monitor Config! IP Address:Login Local Channel:4 Enable :No-->Yes
136 17-09-22 23:33:33 default Shut down Shutdown Time: 09-22-17 11:32:06PM
137 17-09-22 23:33:33 default Boot up Reboot Symbol: 0x00 Reboot Type: Normal Reboot
138 17-09-22 23:33:33 default HDD No Space Free Space: 0%
139 17-09-22 23:33:33 default HDD INFO Disk totals: Current working disk:
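One way to triage log exports like the one above, as an added example that is not part of the original post or of any IC Realtime tool: it parses the NVR rows, flags any login from a non-private IP, and summarises what that session changed (network/DNS/UPnP saves and channel renames). The private-range allow-list in is_trusted is an assumption; adjust it to your site.

```python
import ipaddress
import re

# NVR log records quoted from the post above (a subset of the rows;
# the column layout is "No. Time User Name Log Type Note").
LOG_LINES = """\
109 17-09-22 23:32:38 admin User logged in IP Address: 195.211.190.199 User: admin
110 17-09-22 23:32:38 admin Save Save COLOR SETTING Config! IP Address:195.211.190.199
118 17-09-22 23:32:38 admin Save Save NETWORK Config! IP Address:195.211.190.199
123 17-09-22 23:32:38 admin Save Save DISPLAY Config! IP Address:195.211.190.199 Channel:5 Channel Display :CAM 5-->HACKED 5
127 17-09-22 23:32:38 admin Save Save UPnP Config! IP Address:195.211.190.199
128 17-09-22 23:32:38 default Save Save Monitor Config! IP Address:Login Local Channel:1 Enable :Yes-->No
""".splitlines()

LINE_RE = re.compile(r"^(\d+) (\d\d-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (.*)$")
IP_RE = re.compile(r"IP Address:\s*(\d+\.\d+\.\d+\.\d+)")
SENSITIVE = ("NETWORK", "DNS", "UPnP")  # config areas that deserve a loud alert

def is_trusted(ip):
    """Hypothetical allow-list: private (RFC 1918) addresses only; adjust per site."""
    return ipaddress.ip_address(ip).is_private

def parse(line):
    """Split one NVR log row into fields; ip is None for local ('Login Local') actions."""
    m = LINE_RE.match(line)
    if not m:
        return None
    no, ts, user, rest = m.groups()
    ipm = IP_RE.search(rest)
    kind = "login" if rest.startswith("User logged in") else ("config" if "Config!" in rest else "other")
    return {"no": int(no), "ts": ts, "user": user, "ip": ipm.group(1) if ipm else None,
            "kind": kind, "note": rest}

def find_remote_admin_sessions(lines):
    """Alert on every login from a non-trusted IP and summarise the config saves it made."""
    events = [e for e in map(parse, lines) if e]
    alerts = []
    for e in events:
        if e["kind"] != "login" or e["ip"] is None or is_trusted(e["ip"]):
            continue
        # Later config saves carrying the same source IP are attributed to this session.
        changes = [x for x in events if x["kind"] == "config" and x["ip"] == e["ip"] and x["no"] > e["no"]]
        alerts.append({
            "ip": e["ip"], "user": e["user"], "ts": e["ts"], "changes": len(changes),
            "sensitive": sorted({w for x in changes for w in SENSITIVE if w in x["note"]}),
            "renames": [x["note"].split("Channel Display :")[1] for x in changes
                        if "Channel Display :" in x["note"]],
        })
    return alerts
```

Running find_remote_admin_sessions(LOG_LINES) on the rows above yields one alert for the admin login from 195.211.190.199 with four config saves, of which NETWORK and UPnP are flagged as sensitive; the local "default" user's Monitor saves carry no IP and are not attributed to it.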

snohlson
Posts: 2
Joined: Mon Jul 17, 2017 9:23 pm

Re: Ukraine Hack

Postby snohlson » Thu Sep 28, 2017 10:06 pm

We had the exact same thing happen with at least three 700-series NVRs. The logs look almost identical, but the login IP was from Singapore. Called tech support and just got told to change ports and passwords. They didn't seem too concerned. Happened on Friday, Sept 22.

snohlson
Posts: 2
Joined: Mon Jul 17, 2017 9:23 pm

Re: Ukraine Hack

Postby snohlson » Thu Sep 28, 2017 10:10 pm

Same thing happened to us on the same day. Looks like it came from Singapore. Affected at least 3 of my clients, all 700-series NVRs.

ICR-JonM
ICR-Tech
Posts: 17
Joined: Wed Nov 02, 2016 2:06 pm
Location: Pompano Beach, FL

Re: Ukraine Hack

Postby ICR-JonM » Fri Sep 29, 2017 1:24 pm

Hello voyager57 & snohlson,

We are aware of the issue, and we have published steps to resolve the issue. Please see below for the message sent to all our dealers:

Due to a recent cyber warfare campaign targeted directly at our surveillance industry, certain model IC Realtime storage products set up with Port Forwarding and/or default passwords could have been compromised. IC Realtime maintains its unwavering commitment to our customers, and has been working feverishly at taking action to mitigate and resolve these attacks. We have temporarily doubled the staff in our technical support departments and have put forth efforts at assisting our customers in repairing their affected recorders. We understand this may be disconcerting as a user; however, we can assure you that we will put forward every effort to secure the safety of your surveillance systems.

While we continue to work with our loyal customers at resolving these outstanding issues we will be experiencing longer than normal wait times. Please refer to the information below to resolve and fully restore your recorder. Otherwise please make sure you leave a callback number while requesting our technical support department. Our toll free number is 866-997-9009. When prompted at the main menu, press 2 for Technical Support and allow 90 seconds to pass. At this point you will then be prompted with an option to leave your call back number. This will save your place in the technical support phone queue. There is no need to remain on hold during this extended time - we will contact all customers in the same order as if you remained on hold the entire time.

You can also schedule a call back via your Dealer Portal. Login at http://www.icrealtime.com and use the scheduling tool to request a time that we call you.

We thank you for your patience in this matter and look forward to helping you.

The link below will take you to our Cyber Security page that discusses best practices for installing our systems:

http://www.icrealtime.com/index.php?pg=cyber
Jon Madden | Technical Support
FL Office: 786-454-9372, Option 2 | AZ Office: 602-910-3432

voyager57
Posts: 8
Joined: Mon Jul 10, 2017 2:26 pm

Re: Ukraine Hack

Postby voyager57 » Fri Sep 29, 2017 6:09 pm

Jon,

Thanks for the info. I rebuilt both systems using the best practices guide. Default passwords were never used originally, but found port 80 open per the way my dealer installed it which I was told by customer service was a mistake. My question is how do end users, which is what I am, get notified of firmware updates and obtain them? I spoke with customer service and they explained a firmware update was available for my NVR, but would not give it to me since I'm not a dealer. Why am I required to go through a dealer each time (and incur additional charges) to receive software updates for products already purchased, especially in cases like this where security issues are concerned? I am more than capable of applying firmware updates and accept responsibility if something goes wrong. As long as the correct file is supplied for my device, everything should be fine. Please let me know how I can go about obtaining new firmware and stay up-to-date on new releases, especially those that close security holes. Thanks.

ICR-JonM
ICR-Tech
Posts: 17
Joined: Wed Nov 02, 2016 2:06 pm
Location: Pompano Beach, FL

Re: Ukraine Hack

Postby ICR-JonM » Fri Sep 29, 2017 10:04 pm

Hi voyager57,

We don't typically make firmware available to our non-dealers, but this is certainly a circumstance where we could do so, on a case-by-case basis. You can always send an email request to: tech@icrealtime.com with your NVR serial number, current FW version, and build date (this information can be found in Info > Version in the main menu). With that information, we can let you know the latest firmware and provide you with a link to a Google Drive where you can download it. The files are too large to send via email. We strongly recommend you call in to our support line so we can walk you through how to update the firmware. If you are available, please call into the support line this weekend, as some of us will be taking live calls this weekend. Thank you for your patience.
Jon Madden | Technical Support
FL Office: 786-454-9372, Option 2 | AZ Office: 602-910-3432

voyager57
Posts: 8
Joined: Mon Jul 10, 2017 2:26 pm

Re: Ukraine Hack

Postby voyager57 » Fri Sep 29, 2017 11:40 pm

Thanks Jon. I just submitted the requested info to tech@icrealtime.com. Will await your reply.
