In the last weeks, security experts observed two of the powerful DDoS attacks of ever that hit the hosting provider OVH and the websites of the popular security expert Brian Krebs.
Malware researchers believe that the attacks were launched by at least a couple of botnets, one of them is the dreaded Mirai botnet.
The Mirai ELF trojan was first spotted by experts from MalwareMustDie in August, the threat was targeting IoT devices in the wild.
Last week, the author of Mirai botnet released the source code of the malware that includes a list of 60 couples of usernames and passwords used by the malware to compromise the IoT devices.
The list of login credentials includes the default username/password combination root/xc3511 that according to the experts at Flashpoint allowed the hack in the majority of devices composing the Mirai botnet.
The botnet was mainly composed of video surveillance devices manufactured by Dahua Technology.
“While investigating the recent large-scale distributed denial-of-service (DDoS) attacks, Flashpoint identified the primary manufacturer of the devices that utilize the default username and password combination known as root and xc3511.” reads a report published by Flashpoint.
“These types of credentials exist all across the Internet and are commonly used via Telnet to access numerous types of DVRs. In fact, countless DVR manufacturers buy parts preloaded with Linux and rudimentary management software from a company called XiongMai Technologies, located in Hangzhou, China.”
Many device manufacturers use components of the Chinese company XiongMai Technologies. According to the experts, there are at least half a million devices worldwide using these vulnerable components that could be accessed with default credentials.
“Default credentials pose little threat when a device is not accessible from the Internet. However, when combined with other defaults, such as web interfaces or remote login services like Telnet or SSH, default credentials may pose a great risk to a device.” continues the report. “In this case, default credentials can be used to “Telnet” to vulnerable devices, turning them into “bots” in a botnet.”
The major risk related the firmware provided by the Chinese manufacturer is related to the combination of default hardcoded credentials and the availability of a Telnet service that is active by default and which allows remote access to the devices.
“The Dahua devices were identified early because of their distinctive interface and recent use in other botnets. Utilizing the “botnets. Utilizing the “Low Impact Identification Tool” or LIFT, Flashpoint was able to identify a large number of these devices in the attack data provided.” states the report.
“The issue with these particular devices is that a user cannot feasibly change this password. The password is hardcoded into the firmware, and the tools necessary to disable it are not present. Even worse, the web interface is not aware that these credentials even exist. Further exacerbating the issue, the Telnet service is also hardcoded into /etc/init.d/rcS (the primary service startup script), which is not easy to edit. The combination of the default service and hard-coded credentials has led to the assignment of has led to the assignment of CVE-2016-1000245 by the Distributed Weakness Filing Project.”
Flashpoint scanned the internet with the Shodan search engine for flawed IoT devices.
FlashPoint spotted more than 500,000 vulnerable devices in the wild, the countries with the highest number of vulnerable devices are Vietnam (80,000), Brazil (62,000) and Turkey (40,000).
Large-scale DDoS attacks continue to represent a serious threat for web services across the world, and IoT devices represent a privileged attack vector due to the lack of security by design. IoT manufacturers are encouraged to seriously consider the approach at the security of their products.