Botnet Hunts for IoT Devices

Monday, October 10, 2016 @ 06:10 PM gHale

Over half a million Internet of Things (IoT) devices could end up captured and leveraged by botnets, researchers said.

This all came about when Mirai and at least one other botnet released huge distributed denial-of-service (DDoS) attacks against the website of journalist Brian Krebs and hosting provider OVH. The attack on OVH was said to have exceeded 1Tbps.


It appeared these attacks were powered by compromised IoT devices protected by weak or default credentials.

The author of Mirai released the source code of the malware, claiming he had made enough money. The source code includes a list of 60 username and password combinations the Mirai botnet has been using to hack IoT devices.

Devices associated with this username and password combination actually make up a significant portion of the Mirai botnet, said researchers from Flashpoint.

Experts reported video surveillance products from Dahua Technology accounted for the highest percentage of compromised devices. However, Flashpoint traced other hacked devices that may not appear related but really are: they all went back to one vendor.

Many DVR, NVR and IP camera manufacturers get their hardware and software components from a China-based company called XiongMai Technologies. XiongMai shipped vulnerable software that ended up in at least half a million devices worldwide.

The fact you can gain access to these devices with default credentials should not pose a major risk as long as they are not accessible from the Internet. The problem is the firmware provided by the Chinese manufacturer also includes a telnet service that is active by default and allows easy remote access to the devices.

On top of that, the default credentials cannot be changed because they are hardcoded in the firmware, and there is no option to disable them. The telnet service is also difficult to disable.

A scan Flashpoint conducted using Shodan found over 500,000 devices with the vulnerabilities, making them an easy target for Mirai and other botnets.
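Because the credentials and the telnet service on these devices cannot be removed, the practical defence is to block port 23 at the network edge and to watch device logs for the credential-guessing pattern Mirai relies on. The following Python detector is an added example, not code from the article or from Flashpoint; the telnetd log format, the 60-second window and the five-username threshold are constructed assumptions.

```python
# Added example (not the article's or Flashpoint's code): flag Mirai-style telnet
# credential guessing. Log format, WINDOW and THRESHOLD are constructed assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(  # "<ISO ts> <host> telnetd: <failed|accepted> login for '<user>' from <ip>"
    r"^(?P<ts>\S+) (?P<host>\S+) telnetd: (?P<result>failed|accepted) login "
    r"for '(?P<user>[^']*)' from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)
WINDOW = timedelta(seconds=60)  # assumption: one guessing burst fits in a minute
THRESHOLD = 5                   # assumption: distinct usernames that count as guessing

def parse(line):
    """Return a dict for a matching telnetd line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def find_credential_guessing(lines):
    """Map (source_ip, device) -> sorted usernames tried, for any source that
    tried THRESHOLD distinct usernames within WINDOW, or whose accepted login
    shares a window with failures (the shape of a default-credential hit)."""
    events = defaultdict(list)  # (ip, host) -> [(ts, result, user)]
    for rec in filter(None, map(parse, lines)):
        events[(rec["ip"], rec["host"])].append((rec["ts"], rec["result"], rec["user"]))
    alerts = {}
    for key, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            window = [e for e in evs[i:] if e[0] - start <= WINDOW]
            users = {u for _, _, u in window}
            if len(users) >= THRESHOLD or {r for _, r, _ in window} == {"failed", "accepted"}:
                alerts[key] = sorted(users)
                break
    return alerts

# Constructed sample: one source walks a username list against dvr01 and gets in;
# a single clean admin login to cam07; one non-telnetd line that must be skipped.
SAMPLE_LOG = """\
2016-10-10T18:10:01Z dvr01 telnetd: failed login for 'root' from 203.0.113.5
2016-10-10T18:10:02Z dvr01 telnetd: failed login for 'admin' from 203.0.113.5
2016-10-10T18:10:05Z dvr01 telnetd: accepted login for 'root' from 203.0.113.5
2016-10-10T18:15:00Z cam07 telnetd: accepted login for 'admin' from 192.0.2.10
Oct 10 18:16:00 cam07 kernel: unrelated message
""".splitlines()
```

Running `find_credential_guessing(SAMPLE_LOG)` flags only the 203.0.113.5 to dvr01 sequence, because a failed-then-accepted run inside one window is exactly what a hardcoded default credential being found looks like.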