Security Week, August 30, 2017 - Internet of Things (IoT) botnets such as Mirai might not be in the headlines as often as they were several months ago, but the threat posed by insecure IoT devices is as high as before, a recent experiment has revealed.
Mainly targeting IP cameras, DVRs and routers that haven’t been properly secured, such botnets attempt to ensnare devices and use them for malicious purposes such as distributed denial of service (DDoS) attacks. Compromised IoT products are also used to scan the Internet for other vulnerable devices and add them to the botnet.
BASHLITE, Mirai, Hajime, Amnesia, Persirai, and similar botnets target DVR and IP camera systems via telnet or SSH attacks, and use a short list of commonly encountered login credentials, such as root: xc3511, root:vizxv, admin: admin, admin:default, and support:support.
According to recent research, there are nearly 7.5 million potentially vulnerable camera systems and around 4 million potentially vulnerable routers connected worldwide.
Prompted by recent news of a list of leaked login credentials associated with a set of thousands of IPs (mostly routers) being posted online, Johannes B. Ullrich, Ph.D., Dean of Research at SANS Technology Institute, exposed a DVR to the Internet for two days and recorded all attempts to login it.
According to him, the device used the root: xc3511 login pair and recorded a total of 1254 login attempts from different IPs over a period of 45 hours. Basically, someone or something would login to it every 2 minutes using the correct credentials, he says.
After performing a Shodan search, Ullrich retrieved information on 592 of the attacking devices, and reveals they were mainly coming from TP-Link, AvTech, Synology, and D-Link. The distribution of attacks matches that previously associated with Mirai, but the researcher notes that dozens of variants hit the device.
Last year, Ullrich performed a similar experiment and revealed that the DVR was being hit every minute and that multiple login pairs were being tried on each attack. His experiment and the emergency of Mirai brought to the spotlight the issue of weak credentials being used in IoT.
“So in short: 1,700 additional vulnerable systems will not matter. We do see a pretty steady set of 100,000-150,000 sources participating in telnet scans. This problem isn't going away anytime soon,” Ullrich argues.
He also points out that, while malware such as BrickerBot attempted to break the vulnerable devices, the method isn’t effective either, because most of the impacted devices cannot be bricked by overwriting the disk, but only become temporarily unresponsive and recover after a reboot.