Rule Category

POLICY-OTHER --

Alert Message

POLICY-OTHER Reolink multiple devices default credentials login attempt

Rule Explanation

This rule looks for login requests to Reolink web servers that attempt to authenticate using the default admin credentials, "admin:123456".

What To Look For

This rule fires on attempts to log in to Reolink devices using the default admin credentials.

Known Usage

Attacks/Scans seen in the wild

False Positives

Known false positives, with the described conditions

This rule will fire on any attempt to log in to Reolink devices with the credentials "admin:123456".

Contributors

Cisco Talos Intelligence Group

Rule Groups

Rule Categories::Server::Web Applications

Rule Categories::Policy::Other

MITRE::ATT&CK Framework::Enterprise::Privilege Escalation::Valid Accounts::Default Accounts

CVE

Additional Links

Rule Vulnerability

N/A

Not Applicable

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.
CVE-2019-11001