The hacker ‘Subby’ took over 29 IoT
The hacker accessed to the control panels that were secured with weak credentials.
“Now this theory has been implemented by a threat actor named Subby, who has brute forced at least 29 IoT C2s, and found them using extremely trivial credentials.” wrote Ankit Anubhav, security researcher at NewSky Security. “As shared by the threat actor, one can see that the credentials used are fairly weak.”
Subby told Anubhav that some of C2 associated with the IoT botnets were using very common credentials, including “root:root”, “admin:admin”, and “oof:oof”.
In an Interview with Anybhav, Subby explained that most of the IoT botnets he hacked were set up by script kiddies following online tutorials.
“It’s obvious as to why this is happening. A large percentage of botnet operators are simply following tutorials which have spread around in the community or are accessible on YouTube to set up their botnet. When following these tutorials, they do not change the default credentials. If they do change the credentials the password they supply is generally weak and therefore vulnerable to brute forcing.” Sabby told Anybhav.
Subby explained that he gained control over a total of more than 40,000 devices in just a week, a disconcerting firepower that could be potentially abused by several threat actors.
“Within the 1st week of brute forcing, I surpassed 40,000 devices. This was quite an inflated number due to possible duplication. It is well documented that botnet operators like to artificially increase their bot count. I estimate the number to be closer to 25,000 unique devices. I was able to get a reliable network traffic graph produced of the traffic generated from all the botnets combined and it was just under 300gbit/s.” continues Subby.
(SecurityAffairs – IoT botnets, hacking)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.