While looking at the latest honeypot data for what is happening with Synology devices, I did notice one particular agressive IP connecting to a number of our honeypot IPs. At first, I figured it may just be a new Shodan scan (got tons of them in the honeypot). But when I connected to port 443 using openssl, I saw a rather interesting SSL certificate being sent:
$ openssl s_client -connect a.b.c.d:443 CONNECTED(00000003) depth=0 C = CN, ST = ZheJiang, L = HangZhou, O = HIKVISION, OU = DVRNVR, CN = www.hikvision.com, emailAddress = firstname.lastname@example.org verify error:num=18:self signed certificate verify return:1 depth=0 C = CN, ST = ZheJiang, L = HangZhou, O = HIKVISION, OU = DVRNVR, CN = www.hikvision.com, emailAddress = email@example.com verify return:1 GET --- Certificate chain 0 s:/C=CN/ST=ZheJiang/L=HangZhou/O=HIKVISION/OU=DVRNVR/CN=www.hikvision.com/emailAddressfirstname.lastname@example.org i:/C=CN/ST=ZheJiang/L=HangZhou/O=HIKVISION/OU=DVRNVR/CN=www.hikvision.com/emailAddressemail@example.com
This certificate appears to be associated with a DVR sold in conjunction with security camera systems . Usually these systems run some form of Linux, so I guess it is to expected that given a weak password, these systems get mistaken for a Linux server and exploited just like one.
Right now, if I am real lucky I may be able to get a hold of the owner of the DVR, but it looks like a Chinese residential IP so not getting my hopes up too high.
 http://www.hikvision.com/en/us/index.aspIntrusion Detection In-Depth - SANS London July 2019
Mar 28th 2014
5 years ago