Video Capture (T1125)

It’s your reaction to adversity, not adversity itself that determines how your life’s story will develop.
— Dieter F. Uchtdorf

Overview of Video Capture (T1125)

Video Capture (T1125) is a technique where adversaries use video recording to gather sensitive information from a victim's environment, utilizing the device's built-in webcam or connected cameras. This can be used for intelligence gathering, recording user activities, and capturing on-screen sensitive information.

Timeline & Notable Attacks

  • DarkHotel Campaign (2014)

    • Details: Targeted high-profile business travelers via hotel Wi-Fi networks with malware capable of video capture.

    • Attribution: Sophisticated APT group, possibly state-sponsored.

  • APT37 (Reaper) Operations (2017-2020)

    • Details: North Korean group using malware like ROKRAT to activate webcams and capture video.

    • Attribution: North Korean actors.

  • Operation Ghost (2019)

    • Details: Targeted Middle Eastern organizations with custom malware for video capture to spy on executives.

    • Attribution: Likely state-sponsored.

  • Varenyky Malware (2019)

    • Details: Targeted European users, capturing screen and webcam video, sometimes of sensitive interactions.

    • Attribution: Possibly cybercriminal.

Key Groups & Individuals

  • APT37 (Reaper)

    • Notable Members: Unknown; believed to operate under North Korean government.

    • Known Activities: Espionage, surveillance, cyber-attacks, mainly against South Korea and global targets.

  • DarkHotel

    • Notable Members: Not publicly identified; known for sophisticated spear-phishing targeting executives and government officials.


Technical Details of Attacks

  • Techniques Utilized in Video Capture

    • Common Tools: Custom modules, APIs like DirectShow (Windows) and Quartz (macOS).

    • Persistence Mechanisms: Combined with keylogging, RATs, and screen capture for comprehensive surveillance.

  • Detection & Mitigation

    • Detection: Monitor for abnormal camera usage, unexpected process access to camera APIs, unusual video file access.

    • Mitigation: Webcam covers, endpoint security solutions to block camera access, maintain strict software and hardware security.



Windows Environments

  1. Disable Camera Access via Group Policy:

    • Open “Group Policy Management Console” by typing gpedit.msc in the Run dialog.

    • Navigate to Computer Configuration > Administrative Templates > Windows Components > Camera.

    • Double-click "Allow Use Of Camera" and select “Disabled”.

  2. Use Windows Privacy Settings:

    • Go to Settings > Privacy > Camera.

    • Toggle off permission under "Allow apps to access your camera".

  3. PowerShell Script to Disable Camera:

    • Open PowerShell as Administrator.

    • Run: Set-Service -Name "usbvideo" -StartupType Disabled

macOS

  1. Restrict Camera via Screen Time:

    • Open System Preferences and go to Screen Time.

    • Navigate to Content & Privacy, click Apps, and toggle off the Camera.

  2. Check for Unexpected Camera Usage:

    • Open Terminal and run: lsof | grep "iSight"

    • Kill suspicious processes using sudo kill -9 [PID].

  3. Use the TCC Database:

    • Open Terminal.

    • Revoke camera access for all apps by running: tccutil reset Camera

Linux

  1. Disable Camera Module:

    • Open Terminal.

    • Run: sudo modprobe -r uvcvideo

  2. Blacklist Camera Modules:

    • Edit /etc/modprobe.d/blacklist.conf and add:

      blacklist uvcvideo

  3. AppArmor/SELinux Profiles:

    • Ensure that AppArmor or SELinux profiles are configured to limit camera access.
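The three Linux steps above, as an added audit script that is not part of this page: it checks whether uvcvideo is loaded, which processes hold /dev/video* open, and whether a modprobe.d file blacklists the module. The functions take command output as a string so they can be checked against constructed lsmod/lsof samples; live use assumes the uvcvideo driver, /dev/video* device nodes, /etc/modprobe.d/*.conf and lsof's default column layout.

```shell
#!/bin/sh
# Added example, not part of the original page: audit a Linux host for the
# three controls above. The functions take command output as a string so
# they can be checked against constructed lsmod/lsof samples; live use
# assumes the uvcvideo driver, /dev/video* nodes and /etc/modprobe.d/*.conf.

# Return 0 if the given modprobe config file blacklists uvcvideo.
# Tolerates leading whitespace, extra spacing and trailing comments.
uvc_blacklisted() {
    grep -Eq '^[[:space:]]*blacklist[[:space:]]+uvcvideo([[:space:]]|$)' "$1"
}

# Return 0 if uvcvideo appears as a loaded module in lsmod-style output.
uvc_loaded() {
    printf '%s\n' "$1" | awk '$1 == "uvcvideo" { found = 1 } END { exit !found }'
}

# Print the unique command names holding /dev/video* open, parsed from
# lsof's default columns (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME).
camera_holders() {
    printf '%s\n' "$1" | awk 'NR > 1 && $NF ~ /^\/dev\/video[0-9]+$/ { print $1 }' | sort -u
}

# Live audit of the running host (run as root for a complete lsof view).
audit_host() {
    if uvc_loaded "$(lsmod 2>/dev/null)"; then
        echo "uvcvideo is loaded; processes holding the camera:"
        camera_holders "$(lsof /dev/video* 2>/dev/null)"
    else
        echo "uvcvideo is not loaded"
    fi
    for f in /etc/modprobe.d/*.conf; do
        [ -f "$f" ] && uvc_blacklisted "$f" && echo "uvcvideo blacklisted in $f"
    done
}

# Only audit the live host when asked, so the functions can also be sourced.
case "${1:-}" in --audit) audit_host ;; esac
```

Run it as `sh audit.sh --audit` on the host; a process that appears in the holders list but is not a known video application is the "abnormal camera usage" the detection guidance above refers to.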

Amazon AWS

  1. Disable EC2 Instance Metadata Service:

    • Ensure Instance Metadata Service is not exploited by attackers.

    • Use IAM roles with the least privilege model.

  2. CloudTrail Monitoring:

    • Enable CloudTrail to log management events and configure alerts for unusual activities.

  3. Security Groups and NACLs:

    • Tighten Security Groups and NACLs to minimize the attack surface and disallow inbound traffic for video streaming.

Google Cloud Platform

  1. VPC Flow Logs:

    • Enable VPC Flow Logs to monitor network traffic patterns that may indicate video streaming.

  2. IAM Policy Best Practices:

    • Implement the least privilege principle and revoke unnecessary access to VM instances.

  3. Stackdriver Monitoring:

    • Use Stackdriver to set up alerts for VM instance anomalies related to video capture activities.

Microsoft Azure

  1. Azure Monitor and Log Analytics:

    • Use Azure Monitor to set up alerts for suspicious activities related to video capture.

    • Create Log Analytics queries to detect unusual processes or network traffic.

  2. NSG and ASG Configurations:

    • Leverage Network Security Groups (NSGs) and Application Security Groups (ASGs) to control traffic.

    • Ensure rules restrict unnecessary access for video capturing.

  3. Azure Security Center Recommendations:

    • Review and implement high-priority fixes to mitigate risks of potential video capture activities.
