DDoS Protection , Endpoint Security , Fraud Management & Cybercrime
Botnets Keep Brute-Forcing Internet of Things Devices
Shotgun Attacks Target Default Username/Password Combinations via TelnetTwo years after Mirai botnets first appeared, new generations of botnets are continuing to probe for internet-connected devices that they can easily compromise, often via a vastly expanded list of default usernames and passwords.
See Also: 2024 Threat Hunting Report: Insights to Outsmart Modern Adversaries
Mirai targeted 64 default or hardcoded credentials built into internet of things devices (see: Mirai Malware Hacker Pleads Guilty in German Court).
Using a telnet honeypot designed to study how botnets are attempting to compromise IoT devices, Arbor Networks in September found that botnets are continuing to target the 64 username and password combinations seen in the Mirai source code, as well as at least 1,005 new ones.
Getting this list proved to be easy, says Matthew Bing, a member of Netscout Arbor's security engineering and response team. "IoT bots employ the shotgun approach to propagation - pick a target at random and keep trying until the list is exhausted, or the attack is successful," Bing says in a blog post.
Attackers Build a Bigger List
Attackers have been creating customized lists of default or common credentials to target since the Mirai source code became public in September 2016 (see: Free Source Code Hacks IoT Devices to Build DDoS Army).
"Several [Mirai] variants evolved to use exploits that targeted vulnerabilities, but a mundane factory-installed username and password is still incredibly effective," Bing says. But many attackers likely found themselves competing for the same subset of IoT devices, and so they naturally began customizing their list of targeted credentials. "By using their own custom list of usernames and passwords, they could achieve evolutionary success by infecting devices that others could not," he says.
Even so, the top five most-seen username/password combinations being shotgunned out by IoT botnets last month had already been targeted by Mirai:
- admin/admin
- guest/12345
- root/vizxv
- root/xc3511
- support/support
"These password combos came with the original Mirai source code, including two - vizxv and xc3511 - that target the DVRs [digital video recorders] that propelled the original Mirai bot to prominence," Bing says.
The next 20 most commonly targeted username/password combinations, however, never featured in Mirai. Arbor says those are:
- default/default
- root/1001chin
- root/
- telnetadmin/telnetadmin
- root/ttnet
- root/taZz@23495859
- root/aquario
- e8telnet/e8telnet
- admin/
- telnet/telnet
- e8ehome/e8ehome
- root/cat1029
- root/5up
- root/ivdev
- admin/aquario
- root/zsun1188
- default/antslq
- root/founder88
- admin/ipcam_rt5350
- default/
Bing says the list includes basic passwords that might be present in many different types of devices, such as default/default, as well as passwords for specific types of devices, such as telnetadmin/telnetadmin, which are default credentials for some types of Huawei devices.
Arbor says the biggest source of the IoT-targeting botnet attacks it saw in September was Russia, followed by China, Brazil, the U.S. and South Korea. Bing says it's likely that those botnets have been built from the same devices being targeted.
Infected Devices Attack
"When an automated bot like Mirai attempts an unsolicited brute-force attack, chances are the device rattling the doorknob is susceptible to the exact same attack. In fact, it's possible the device attempting the brute-force is already a part of the botnet via the same attack, perhaps even the same username and password combination," Bing says.
Some compromised devices appear to be more prominent or popular in certain countries. For example, one of the most common username/password combinations in Russia - although ranked 91st most common overall - targets a travel router called the TM02 TripMate. Another top 10 targeted credential in Russia - but ranked 105st overall - was for a webcam called Vstarcam.
In Nigeria, meanwhile, telecomadmin/admintelecom were the most seen attempted attack combination, while ranking 9th overall.
Chalubo Botnet Borrows From Mirai
If attackers are able to successfully compromise an IoT device, they typically install malicious software that turns the device into a node - or bot - in their botnet. As Bing notes, infected devices will often attempt to infect other devices using the same techniques.
Like Mirai, however, many IoT attacks are also designed to turn internet-connected devices into distributed denial-of-service attack nodes. For example, security firm Sophos reports that since August, it's seen an attack that's designed to gain brute-force access to SSH servers - including on IoT devices - that it's dubbed Chalubo. It often aims to install a variant of Linux-based DDoS malware called XOR. Sophos says successful attacks involve three parts, starting with a downloader being installed, which then installs the main bot and then uses Lua command script.
"Like some of its predecessors, Chalubo incorporates code from the Xor.DDoS and Mirai malware families," Timothy Easton, a threat researcher at Sophos, says in a blog post.
Threat researcher Bart Blaze has described XOR - aka Linux/Xor.DDoS, DDoS.XOR, Xorddos - as being "a Linux Trojan with rootkit capabilities" that is akin to a Windows portable executable file. As its name suggests, the malware has been designed to launch DDoS against an attacker-controlled list of websites (see: Apache Struts 2 Under Zero-Day Attack, Update Now).
Derived From XOR Malware
XOR first appeared in 2014, as documented by the researchers behind the Malware Must Die project, who dubbed it XOR.DDoS and said it appeared to have been developed in China.
"Xor.DDoS is a multi-platform, polymorphic malware for Linux OS, and its ultimate goal is to DDoS other machines," Blaze said in a technical teardown of the malware published in 2015. "The name Xor.DDoS stems from the heavy usage of XOR encryption in both malware and network communication to the C&Cs," aka command-and-control servers. Those servers issue instructions to infected systems, which serve as the bots in the botnet.
Chalubo's XOR-derived DDoS attack capabilities come in "DNS, UDP and SYN flavors," Easton at Sophos says. "Since the primary method of this bot infecting systems is through the use of common username and password combinations against SSH servers, we recommend that sysadmins of SSH servers - including embedded devices - change any default passwords on those devices, because the brute force [campaign] attempts to cycle through common, publicly known default passwords.
"If possible, it's preferable to use SSH keys instead of passwords for logins. As with any machine, make sure to keep the system updated."