At least three botnet operators have secretly exploited three zero-day vulnerabilities in LILIN digital video recorders (DVRs) for more than six months before the vendor finally patched the bugs last month, in February 2020.

Digital video recorders are devices installed on company networks that aggregate video feeds from local CCTV or IP camera systems and record it on various types of storage systems, like HDDs, SSDs, USB flash drives, or SD memory cards.

Today, DVRs are just as ubiquitous in today's IoT landscape as the security cameras they serve.

Ever since the early 2010s, as CCTV solutions started to become popular all over the world, malware botnets have also begun targeting DVR systems.

DVR devices running with factory-default credentials or with old and outdated firmware have been hacked and have had their resources and bandwidth abused to launch DDoS attacks. Various DVR brands have been the cannon fodder of hundreds of different IoT botnets.

LILIN zero-days exploited since August 2019

Last year in August, it was LILIN's turn to have its devices exploited by hackers.

In a blog post published yesterday, the Netlab team at Chinese security firm Qihoo 360 said it detected three botnets utilizing zero-days in LILIN DVRs.

A vulnerability in the NTPUpdate process lets attackers inject and run system commands Through the use of one of two hardcoded credentials (root/icatch99 and report/8Jg0SR8K50) an attacker can retrieve and modify a DVR's config file, and then execute commands on the device when the FTP (File Transfer Protocol) server configuration is periodically synchronized. Similar to above, but via the NTP (Network Time Protocol) service.

Netlab says the first botnet to exploit one of the zero-days was the Chalubo botnet, which began abusing the NTPUpdate vulnerability to take over LILIN DVRs starting late August last year.

The second and third zero-days came under active exploitation in January this year. Netlab said it saw the FBot botnet abusing the second and third zero-days to bolster its bot army.

Two weeks after FBot, the Moobot botnet operator also began abusing the second zero-day, although not the third.

Netlab didn't say what the botnet operators were doing with the hijacked LILIN DVRs, but most of these botnets have a history of launching DDoS attacks and a history of acting as proxy networks and re-routing traffic for bad actors.

Netlab researchers said they reached out to LILIN twice, first after the FBot attacks, and then after Moobot. Although it took almost a month, LILIN did eventually release a firmware update, along with mitigation advice.

It will most likely take months -- if not years -- for the patch to make it to some devices. If there's an Achilles' heel to today's IoT landscape then it's the fact that there's no easy one-button-push to update firmware on most devices. Once shipped to customers, the vast majority of these systems remain unpatched until decommissioned.

At the time of writing, more than 5,000 LILIN DVRs are connected to the internet.