I asked Gemini to create a report about this and here is what Gemini said:
Report: Analysis of Unauthorized User Creation on Dahua NVR and IP Cameras
1. Executive Summary
1.1 Background
This report has been prepared in response to an inquiry regarding a security incident where new, unauthorized administrator accounts were created on Dahua network video recorders (NVRs) and IP cameras. The specific usernames reported (default, goguberlin, viraentertainment, hackedby, CamhubfreeTG, and AlexGogu) are not random but are well-known markers for malicious campaigns and botnets that have actively exploited known vulnerabilities in Dahua products for several years.
1.2 Findings and Conclusion
The analysis confirms that the incident is the result of one or more well-documented vulnerabilities being exploited. This is not an isolated event but is part of a persistent pattern of attacks targeting Internet of Things (IoT) security equipment. The attackers did not use simple brute-force attacks with weak passwords but instead exploited sophisticated technical weaknesses such as authentication bypass and remote code execution to establish a persistent presence on the devices. The primary motivation behind these attacks is to hijack the devices to build botnets, which can then be used to launch larger attacks such as distributed denial-of-service (DDoS) or to steal sensitive information.
1.3 Immediate Action Plan
To remediate the immediate threat, the following four critical steps are recommended:
- Disconnect from the network: Physically disconnect the compromised NVR and IP cameras from the internet.
- Firmware Update: Download the latest firmware version from Dahua's official website and install it manually.
- Change Passwords and Clean up User Accounts: Access the device via the local network, immediately delete all unauthorized user accounts, and change the passwords for all legitimate administrator accounts.
- Deactivate UPnP and Port Forwarding: In the router or firewall settings, disable Universal Plug and Play (UPnP) and remove all port forwarding rules that point to the Dahua devices.
1.4 Recommendations for Long-Term Security
To prevent future attacks and build a robust security architecture, a multi-layered approach is recommended, including network segmentation, strict authentication controls, and continuous monitoring of the system. It is crucial to treat security as an ongoing process, not a one-time job.
2. Introduction and Context
2.1 The Gravity of the Query
The user's situation is a direct and tangible manifestation of the ongoing, global cyberattacks that target IoT devices. The specific usernames mentioned, such as goguberlin and CamhubfreeTG, are not random but are the signatures of specific malicious actors or groups. Such markers confirm that the system has been compromised by a known threat actor operating in a commercialized landscape of cybercrime. The user's problem is therefore not an isolated case but a visible symptom of a systemic vulnerability that is widespread throughout the entire IoT ecosystem.
2.2 Report Purpose and Scope
The purpose of this report is to provide a thorough and comprehensive analysis of the security incident. It will go beyond superficial information by tracing the historical and recent vulnerabilities that have been exploited. The report will connect these technical attack vectors directly to the malicious usernames observed, thereby explaining exactly how the compromise occurred. Finally, the report will culminate in a detailed, multi-layered guide for mitigation and prevention, designed to provide a robust, long-term security solution for the system. The primary intent is to provide an authoritative guide that not only solves the immediate problem but also equips the owner with the knowledge necessary to prevent future attacks.
3. Analysis of Vulnerabilities and Attack Vectors
The attacks on Dahua devices that result in the creation of unauthorized user accounts are the result of several serious vulnerabilities that have been uncovered over time. These weaknesses allow attackers to bypass the device's authentication mechanisms and gain full control.
| CVE-ID | Vulnerability Type | CVSS Score (v3.x) | Year | Description |
|---|---|---|---|---|
| CVE-2017-7253 | Authentication Bypass | N/A | 2017 | Allows attackers to download the user database, including password hashes, and "pass the hash" to log in as existing users. |
| CVE-2021-33044 | Authentication Bypass | 9.8 (CRITICAL) | 2021 | Allows attackers to bypass login via malicious data packets. |
| CVE-2021-33045 | Authentication Bypass | 9.8 (CRITICAL) | 2021 | Similar to CVE-2021-33044, a critical weakness that allows attackers to bypass authentication. |
| CVE-2022-30563 | ONVIF Replay Attack | 7.4 (HIGH) | 2022 | Attackers can capture and reuse unencrypted ONVIF credential data to create a new administrator account. |
| CVE-2025-31700 | Remote Code Execution | N/A | 2025 | Buffer overflow vulnerability that allows unauthenticated attackers to gain root access. |
| CVE-2025-31701 | Remote Code Execution | N/A | 2025 | Buffer overflow vulnerability via strncpy that grants complete remote control without authentication. |
3.1 A Historical Perspective: The 2017 "Bashis" Vulnerability
The historical context for these attacks is a vulnerability discovered in 2017 by a security researcher with the pseudonym "Bashis". This weakness, which is classified as a flaw in how Dahua devices handled authentication, made it possible for an attacker to remotely download the entire user database from the device, including usernames and a simple, hashed version of the passwords, without needing administrative privileges.
The most alarming part of this exploit was that the stolen password hashes did not need to be cracked. The attacker could instead send the hash directly back to the device's web server, a technique known as "pass the hash," to gain full access as any existing user. With this method, an attacker could easily log in as an administrator and then create new, malicious user accounts, change passwords, or delete existing users. Although this vulnerability was disclosed and Dahua released firmware updates over seven years ago, many devices continue to be vulnerable. The reason is that a significant number of IoT devices never receive or install firmware updates, which means that attack vectors that have been publicly known for years remain fully exploitable. This highlights that the age of a vulnerability is not an indicator of its threat, especially in an IoT landscape suffering from outdated software and a lack of maintenance.
3.2 Authentication Bypass from 2021
In 2021, two related, critical authentication bypass flaws were discovered and assigned the CVE IDs CVE-2021-33044 and CVE-2021-33045. These vulnerabilities allowed an attacker to completely bypass the device's authentication process by constructing and sending a specially crafted data packet, without needing any credentials whatsoever. The vulnerabilities were considered extremely serious, with a CVSS score of 9.8, which is classified as "CRITICAL". The severity was further underscored when they were included in CISA's "Known Exploited Vulnerabilities Catalog," which lists weaknesses that are actively being exploited by malicious actors in real-time. These vulnerabilities represent a more direct attack vector than the 2017 flaw, as they do not even require password hashes but grant the attacker immediate access to the system.
3.3 The ONVIF Replay Attack from 2022
Another method for gaining unauthorized access was uncovered in 2022, with CVE-2022-30563. This vulnerability exploits a flaw in Dahua's implementation of the Open Network Video Interface Forum (ONVIF) standard, which allows different surveillance products to communicate with each other. The attack leverages a weakness in the WS-UsernameToken authentication mechanism. By sniffing a previous unencrypted ONVIF interaction, an attacker can reuse (replay) the credential data in a new request to the camera. This forged request can then be used to trick the device into creating a new, malicious administrator account, even if the request came from a different IP address and a long time after the original transaction. The weakness underscores the serious risk associated with using unencrypted HTTP for ONVIF communication, a practice that is unfortunately common in many IoT devices.
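The following is an added example, not code from the report or from Dahua, showing the server side of the WS-UsernameToken PasswordDigest scheme that ONVIF uses and the two checks a device needs so that a captured token cannot be replayed: the Created timestamp must fall inside an acceptance window, and a nonce must never be accepted twice inside that window. The user name, password, five-minute window and fixed clock are assumptions made for the example.

```python
"""Server-side WS-UsernameToken (PasswordDigest) check with replay protection.

Added example, not Dahua code: it shows how the ONVIF digest is built and why
a verifier that does not track nonces and timestamps accepts a replayed token.
"""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed credential store for the example (a real device would store a hash).
USERS = {"operator": "correct horse battery staple"}
TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
MAX_SKEW = timedelta(minutes=5)  # assumed acceptance window for the Created timestamp


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), per the WS-Security UsernameToken profile."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def build_token(username: str, password: str, created: str) -> dict:
    """The fields an ONVIF client places in the SOAP security header."""
    nonce = os.urandom(16)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode(),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


class TokenVerifier:
    """Accepts a token only once, only inside the time window, and only with a matching digest."""

    def __init__(self, users: dict, now: datetime):
        self.users = users
        self.now = now              # injected clock so the example is deterministic
        self.seen_nonces: dict = {}  # nonce bytes -> Created time, for replay detection

    def verify(self, token: dict) -> tuple:
        password = self.users.get(token.get("Username"))
        if password is None:
            return False, "unknown user"
        try:
            created = datetime.strptime(token["Created"], TIME_FORMAT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"])
        except (KeyError, ValueError) as exc:
            return False, f"malformed token: {exc}"
        # Freshness: a token captured earlier cannot be replayed outside the window.
        if abs(self.now - created) > MAX_SKEW:
            return False, "stale timestamp"
        # Uniqueness: the same nonce must never be accepted twice inside the window.
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False, "bad digest"
        self.seen_nonces[nonce] = created
        # Nonces already outside the window can no longer be replayed, so drop them.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if abs(self.now - t) <= MAX_SKEW}
        return True, "ok"


def run_scenario() -> dict:
    """Exercise the verifier with a fixed clock; returns the verdict reason for each case."""
    now = datetime(2025, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    verifier = TokenVerifier(USERS, now)
    fresh = build_token("operator", USERS["operator"], now.strftime(TIME_FORMAT))
    old_created = (now - timedelta(hours=2)).strftime(TIME_FORMAT)
    return {
        "first use": verifier.verify(fresh)[1],
        "replay of same token": verifier.verify(fresh)[1],
        "token captured two hours ago": verifier.verify(build_token("operator", USERS["operator"], old_created))[1],
        "wrong password": verifier.verify(build_token("operator", "guess", now.strftime(TIME_FORMAT)))[1],
    }


if __name__ == "__main__":
    for case, reason in run_scenario().items():
        print(f"{case:30} -> {reason}")
```

Both checks depend on the verifier keeping state; a device that only recomputes the digest will accept the second and third tokens. Encrypting the transport (HTTPS) is still needed, because the digest does not hide the nonce and timestamp from a passive observer.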
3.4 Remote Code Execution (RCE) via Buffer Overflows
The most serious and recent threats are vulnerabilities that enable Remote Code Execution (RCE), as found by security researchers from Bitdefender. These flaws, including CVE-2025-31700 and CVE-2025-31701, stem from buffer overflows in the device's ONVIF protocol and RPC upload handlers. By sending a specially crafted data packet to a device that is exposed to the internet, an unauthenticated attacker can gain root access and run arbitrary code on the device without any form of authentication.
Root access is the highest level of privilege and grants the attacker complete control over the device. With this access, an attacker can not only add new users but also install malicious daemons or other persistent payloads that are extremely difficult to remove. The attacks are particularly dangerous for devices exposed to the internet via port forwarding or UPnP, as they can be exploited without user interaction.
4. The Connection to Malicious User Accounts
4.1 The Motive: Botnets and Data Harvesting
The creation of unauthorized administrator accounts is not a random or unstructured attack. It is a deliberate step in a larger attack chain. The newly created accounts serve as persistent backdoors that ensure the attacker can maintain access to the device over time. The main motive behind this type of compromise is often to enroll the device in a botnet—a network of hijacked devices used to launch large, coordinated attacks. One of the most famous examples is the Mirai botnet from 2016, which exploited a large number of vulnerable IP cameras and DVRs to perform massive DDoS attacks. Such attacks can have disruptive and costly consequences for the victims.
4.2 Decoding the Usernames
The usernames that were reported (default, goguberlin, viraentertainment, hackedby, CamhubfreeTG, and AlexGogu) are signatures from various attack campaigns.
- default: This username could either be an attempt to exploit standard login information (like admin:admin), or, more likely, it is a malicious account that the attacker has created with this name to blend in with legitimate system accounts and avoid detection.
- goguberlin, AlexGogu: These names are strongly associated with specific malicious campaigns that have circulated globally and targeted vulnerable IoT devices. An analysis of a Reddit thread confirms that these names were part of a "global hack" and were linked to a vulnerability in the P2P functionality that allowed attackers to create new administrative users.
- viraentertainment, hackedby, CamhubfreeTG: These are typical monikers or markers that malicious groups use to "brand" their compromises. The names often signal the attacker's identity, motivation, or affiliation with a specific type of botnet. For example, CamhubfreeTG suggests that the botnet may have a connection to a platform for pornographic content. The attackers use these names to confirm that the attack has been successful and to build a reputation within the malicious online community.
4.3 The Attack Chain
The observed incident follows a predictable and automated attack chain:
- Reconnaissance: Automated scanners, operated by botnet operators, relentlessly search the internet for Dahua devices that are exposed on common ports.
- Exploitation: Once a vulnerable device is identified, the scanner automatically exploits one of the known weaknesses (for example, CVE-2021-33044/5, CVE-2022-30563, or a recent RCE vulnerability) to gain unauthorized access.
- Persistence: After gaining administrative privileges, the attacker establishes a new administrator account with one of the previously mentioned names to ensure they can maintain access to the device, even if the original vulnerability were to be patched.
- Monetization/Weaponization: The compromised device is then either used for data theft, or, more commonly, it is enrolled in a botnet and used as part of a larger attack infrastructure.
The attack is not just a technical problem but a direct consequence of a commercialized business model within cybercrime. The vulnerabilities (how the attack was performed) and the malicious usernames (what was done) are the direct evidence of a successful attempt to exploit the device and enroll it in a global, automated attack chain. The incident is thus a symptom of an automated process of discovery, exploitation, and weaponization.
5. The Broader IoT Threat Landscape
5.1 A Global, Systemic Crisis
The vulnerabilities found in Dahua products are not a unique situation. Analyses show that similar, serious weaknesses have also been uncovered in equipment from Dahua's largest competitor, Hikvision. This indicates that the problems are systemic to the entire IoT and surveillance industry. Statistics confirm this scope: over 70% of IoT devices have security flaws, and almost all IoT traffic remains unencrypted, which simplifies attacks. Attacks against IoT devices are on a sharp increase, and automated scanning to find vulnerable devices is a persistent and widespread phenomenon.
5.2 The Root Causes of the Vulnerabilities
The underlying causes of these vulnerabilities are a complex combination of economic, technical, and social factors:
- Economic Drivers: Manufacturers often prioritize low production costs and rapid market introduction over robust security. This results in devices that use outdated, common firmware with known weaknesses and lack fundamental security features.
- User Negligence: Many end-users lack awareness of security practices, such as changing default passwords, and leave devices directly exposed to the internet via features like UPnP.
- Technical Debt: Many older devices were not originally designed to be constantly connected to the internet. Their architecture, optimized for stability and uptime, is not capable of handling modern security challenges, which creates a massive "attack surface".
5.3 Geopolitical Context
The security flaws in Dahua and Hikvision have also received attention at a national security level. The concerns have led to countries implementing bans on the use of these products in critical infrastructure, driven by fears of state-sponsored backdoors and surveillance. The user's personal incident is a microcosm of a larger global challenge that encompasses corporate responsibility, consumer awareness, and international security policy. The attacks represent the visible part of a global threat that can exploit any weak point in the IoT chain.
6. Mitigation and Prevention: A Multi-Layered Approach
To effectively combat and prevent this type of attack, it is necessary to implement a multi-layered security strategy that goes beyond a simple firmware update.
6.1 Immediate Action Plan
The immediate steps are crucial to removing the attacker's access and stopping further compromise.
1. Disconnect and Isolate: Physically disconnecting the NVR/camera from the network is the first and most critical step to cutting off all external access. If physical disconnection is not possible, port forwarding and UPnP on the router must be disabled immediately.
2. Clean up User Accounts: After the device is isolated, access it via the local network and delete all unauthorized user accounts. Also, check the system logs to identify unusual activity or logins from unknown IP addresses.
3. Firmware Update: Download the latest, official firmware version for the specific Dahua models from the manufacturer's website. Before uploading the new firmware, it is critical to perform a full factory reset. This is necessary because more advanced RCE attacks may have left behind persistent, malicious daemons that a standard update will not remove.
4. Change Passwords: Change the passwords for all legitimate user accounts immediately after the firmware update and factory reset are completed. All passwords must be strong, unique, and follow a complex policy that includes a combination of at least 8 characters with uppercase letters, lowercase letters, numbers, and special characters.
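For the account clean-up step, and for the username markers discussed in section 4.2, here is an added example (not Dahua's tooling and not part of the report) that audits an exported user list. It assumes the users[N].Field=value layout that Dahua's HTTP API uses for user records; the export below is constructed, and the expected administrator list is an assumption the operator would replace with their own.

```python
"""Audit a Dahua-style user list export for compromise markers.

Added example, not Dahua's own tooling. It assumes the key=value layout
(users[N].Field=value) returned by the device's HTTP API; the sample export
below is constructed for the example.
"""
import re
from typing import Dict, List

# Usernames reported in the incident (taken from the report), compared case-insensitively.
KNOWN_MARKERS = {"default", "goguberlin", "viraentertainment", "hackedby", "camhubfreetg", "alexgogu"}

# Constructed sample export: one legitimate admin, one viewer, two planted accounts,
# and one admin-group account that is not a known marker but was never approved.
SAMPLE_EXPORT = """\
users[0].Name=admin
users[0].Group=admin
users[0].Reserved=true
users[1].Name=viewer
users[1].Group=user
users[1].Reserved=false
users[2].Name=goguberlin
users[2].Group=admin
users[2].Reserved=false
users[3].Name=CamhubfreeTG
users[3].Group=admin
users[3].Reserved=false
users[4].Name=backup_svc
users[4].Group=admin
users[4].Reserved=false
"""

LINE_RE = re.compile(r"^users\[(\d+)\]\.(\w+)=(.*)$")


def parse_user_export(text: str) -> List[Dict[str, str]]:
    """Turn users[N].Field=value lines into one dict per user, in index order."""
    users: Dict[int, Dict[str, str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a user record line
        idx, field, value = int(m.group(1)), m.group(2), m.group(3)
        users.setdefault(idx, {})[field] = value
    return [users[i] for i in sorted(users)]


def audit_users(users: List[Dict[str, str]], expected_admins) -> List[dict]:
    """Flag accounts that match known markers, or hold admin rights without being on the expected list."""
    expected = {name.lower() for name in expected_admins}
    findings = []
    for user in users:
        name = user.get("Name", "")
        group = user.get("Group", "")
        if name.lower() in KNOWN_MARKERS:
            findings.append({"user": name, "group": group, "reason": "known compromise marker"})
        elif group == "admin" and name.lower() not in expected:
            findings.append({"user": name, "group": group, "reason": "unexpected admin-group account"})
    return findings


def audit_export(text: str = SAMPLE_EXPORT, expected_admins=("admin",)) -> List[dict]:
    """Parse and audit an export in one call; returns the list of findings."""
    return audit_users(parse_user_export(text), expected_admins)


if __name__ == "__main__":
    for f in audit_export():
        print(f"{f['user']:20} group={f['group']:6} {f['reason']}")
```

The second rule matters as much as the marker list: an attacker who has already been through the marker list will pick an innocuous name, so any administrator account the operator did not create is a finding regardless of its name.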
6.2 Long-Term Security Recommendations
To build a more resilient defense, it is necessary to implement the following long-term measures.
- Network Hardening:
  - Network Segmentation: The most effective long-term solution is to place all IoT devices, including NVRs and cameras, on a separate and isolated network (VLAN) from the main network for computers and other devices. This prevents attackers from moving laterally in your network, even if one of the cameras were to be compromised.
  - Deactivate UPnP and Port Forwarding: Always disable UPnP on the router, as this function can automatically open critical ports to the internet. Instead of forwarding ports, a VPN (Virtual Private Network) should be used for secure remote access. If port forwarding is absolutely necessary, forward only the specific ports needed and avoid forwarding a large range of ports or using the device's default ports.
  - Firewall and IP Filtering: Configure the firewall to allow access to the cameras only from specific, predefined IP addresses.
- Authentication and Access Control:
  - Strong Credentials: It is crucial to change all default passwords and establish a strict password practice.
  - Privileged Access Management (PAM): Limit the use of high-privilege administrator accounts to an absolute minimum and monitor all activity associated with these accounts for unusual patterns.
- Device Configuration and Security:
  - Encryption: Enable HTTPS/SSL on the devices to encrypt all communication. This is a critical step to prevent information leakage and interception of authentication data.
  - Change Default Ports: Change the default HTTP and TCP ports (which are often 80 and 37777) to arbitrary, unusual ports. This hides the devices from simple, automated port scans.
  - Physical Security: Physically secure the NVR and cameras by installing them in locked server racks or rooms to prevent unauthorized physical tampering.
- Monitoring and Continuous Improvement:
  - Check the Logs: Regularly reviewing the system's logs is crucial for detecting early signs of unauthorized access. The logs will show the IP addresses that have attempted to log in, as well as what activity has been performed.
  - Regular Assessments: Perform periodic security assessments and stay updated on new vulnerabilities that are uncovered.
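For the "Check the Logs" recommendation, the following is an added example (not part of the report and not Dahua's log format) of the review a defender would run over an exported login and audit log. It assumes a CSV export with time, event, user, source_ip and result columns, a trusted camera VLAN of 192.168.10.0/24, and a brute-force threshold of five failures within sixty seconds; the log lines are constructed for the example.

```python
"""Review a constructed NVR login/audit log export for signs of unauthorized access.

Added example, not Dahua's log format: it assumes a CSV export with
time,event,user,source_ip,result columns. Flags brute-force bursts, successful
logins from outside the trusted network, and account creation events.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List

TRUSTED_NETWORKS = [ipaddress.ip_network("192.168.10.0/24")]  # assumed camera VLAN
FAIL_THRESHOLD = 5                    # failed logins from one address ...
FAIL_WINDOW = timedelta(seconds=60)   # ... inside this window count as a burst

# Constructed sample export; 203.0.113.0/24 is documentation address space.
SAMPLE_LOG = """\
time,event,user,source_ip,result
2025-03-02T01:12:03Z,login,admin,192.168.10.20,success
2025-03-02T03:40:11Z,login,admin,203.0.113.77,failure
2025-03-02T03:40:12Z,login,admin,203.0.113.77,failure
2025-03-02T03:40:13Z,login,admin,203.0.113.77,failure
2025-03-02T03:40:14Z,login,admin,203.0.113.77,failure
2025-03-02T03:40:15Z,login,admin,203.0.113.77,failure
2025-03-02T03:40:19Z,login,admin,203.0.113.77,success
2025-03-02T03:40:25Z,add_user,goguberlin,203.0.113.77,success
2025-03-02T09:15:00Z,login,viewer,192.168.10.31,success
"""


def parse_log(text: str) -> List[dict]:
    """Read the CSV export and convert the time column to datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def is_trusted(ip: str) -> bool:
    """True if the address lies inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def review_log(text: str = SAMPLE_LOG) -> List[dict]:
    """Return findings in log order: bursts of failures, untrusted logins, new accounts."""
    findings = []
    failures = defaultdict(list)   # source_ip -> times of recent failed logins
    burst_reported = set()         # report each bursting address once
    for row in parse_log(text):
        ip, event, result, when = row["source_ip"], row["event"], row["result"], row["time"]
        if event == "login" and result == "failure":
            recent = [t for t in failures[ip] if when - t <= FAIL_WINDOW] + [when]
            failures[ip] = recent
            if len(recent) >= FAIL_THRESHOLD and ip not in burst_reported:
                burst_reported.add(ip)
                findings.append({"time": when.isoformat(), "source_ip": ip,
                                 "reason": f"{len(recent)} failed logins within {FAIL_WINDOW.seconds}s"})
        if event == "login" and result == "success" and not is_trusted(ip):
            findings.append({"time": when.isoformat(), "source_ip": ip,
                             "reason": "successful login from untrusted address"})
        if event == "add_user":
            findings.append({"time": when.isoformat(), "source_ip": ip,
                             "reason": f"account '{row['user']}' created"})
    return findings


if __name__ == "__main__":
    for f in review_log():
        print(f"{f['time']}  {f['source_ip']:15}  {f['reason']}")
```

On the sample the three findings line up in sequence (failures, then a success from the same outside address, then a new account), which is the pattern the report's attack chain describes and is worth looking for as a group rather than as isolated events.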
The following table summarizes the recommendations in a checklist that can be used as a practical tool to secure the system.
| Action | Description | Status |
|---|---|---|
| IMMEDIATE ACTIONS | | |
| Disconnect from the network | Unplug the internet cable or disable the wireless connection to the devices. | ☐ |
| Delete unauthorized accounts | Log in locally and delete accounts like goguberlin, viraentertainment, hackedby, CamhubfreeTG, AlexGogu, and default. | ☐ |
| Firmware update | Download and install the latest firmware from Dahua's official website. | ☐ |
| Factory reset | Perform a complete reset of the devices to remove any persistent, malicious code. | ☐ |
| Change all passwords | Change passwords for all legitimate users to strong, complex, and unique passwords. | ☐ |
| Deactivate UPnP | Deactivate the UPnP function on the router. | ☐ |
| LONG-TERM RECOMMENDATIONS | | |
| Network segmentation | Place the NVR and cameras on an isolated network (VLAN). | ☐ |
| Enable HTTPS/SSL | Encrypt all network communication to the device. | ☐ |
| Change default ports | Change the pre-configured HTTP and TCP ports. | ☐ |
| Configure IP filtering | Use a firewall to restrict access to only specific IP addresses. | ☐ |
| Physical security | Install the devices in a locked cabinet or room. | ☐ |
| Regular monitoring | Check the system logs regularly for suspicious activity. | ☐ |
7. Conclusion and Final Recommendations
7.1 Key Findings Reiterated
The in-depth analysis of the incident confirms that the user's experience is part of a global, automated cyberattack that exploits well-known and serious vulnerabilities in Dahua and other IoT devices. The attack methods are sophisticated, and the goal is to establish a persistent presence to enroll the devices in botnets. This incident is a direct reminder of the systemic security challenges that exist in the IoT ecosystem, driven by economic priorities and a lack of security awareness.
7.2 Security as a Continuous Process
Security is not a one-time task that is completed after a single firmware update. The threat landscape is constantly evolving, and attackers are continuously finding new ways to compromise systems. The most effective protection is therefore a continuous process of monitoring, updating, and hardening the system. A proactive approach, as described in this report, is crucial to maintaining a secure surveillance system.
7.3 The Final Line of Defense
Ultimately, the most critical line of defense lies with the owner of the system. The combination of up-to-date software, a robust network configuration, and conscious security hygiene is what constitutes the strongest defense against these persistent and automated threats. By following the recommendations in this report, one can significantly reduce the attack surface and prevent the system from becoming an easy target for malicious actors.
Sources cited by the report:
- Network Video Recorder - Quick Start Guide: dahuasecurity.com/asset/upload/product/20180525/Network-Video-Recorder-Series-Quick-Start-Guide-Version-1_0_1-201805.pdf
- The Top 8 IT/OT/IoT Security Challenges and How to Solve Them | Balbix: balbix.com/insights/addressing-iot-security-challenges