Botnets, the driving force behind distributed denial of service (DDoS) attacks, are composed of thousands to millions of compromised devices. The owner of one such “DDoS for hire” service, backed by a substantial botnet built from more than 515,000 servers, has leaked the access credentials for their full collection.
Why would a botnet owner reveal their secrets and most likely destroy their own business? In an interview with ZDNet, the hacker claimed they were changing business models to make use of cloud service providers instead. They may have released the list to poison the well for competitors who are making use of many of the same devices.
Very basic access credentials
A small sample of the list, published by ZDNet, indicates that most of these devices were compromised because their security is nonexistent. The list of usernames and passwords is overwhelmingly filled with common terms like “root,” “admin,” “default” and “12345.” The logins appear to have been current as of October and November 2019.
The list of devices consists of a mix of home servers and routers, but unsurprisingly it is also heavily populated by Internet of Things (IoT) devices. IoT security issues related to weak default (or even nonexistent) logins have been well documented for years now, yet persist to this day. As Clement Lee, Principal Consulting Architect (Asia Pacific) of Check Point Software Technologies, observes:
“At this point in time, IoT device manufacturers have very little incentive to invest significant attention to security. This is especially true when the cost of consumer electronics keeps dropping and manufacturers are struggling to keep their margins to keep themselves competitive. Unfortunately, until there is legislation and/or market demands that would impact manufacturers’ bottom lines, I highly doubt that there will be any progression in IoT security.”
The anonymous owner of the botnet fielded some questions from ZDNet, and revealed that they found all of the devices by simply scanning the internet for devices that had exposed their Telnet port. They then tried a list of common factory default logins and frequently used weak username and password combinations to gain access to the exposed devices. The devices that were poorly protected made it onto the list.
Telnet is a remote access protocol that has served as a backbone of the internet since the 1970s, but it is largely outmoded for remote logins because it cannot be secured properly. Telnet traffic cannot be encrypted, and it is difficult to protect the port from “brute force” sequential login attempts of the sort used here. However, it is still commonly used in IoT devices because it is cheap and easy to implement for remote access.
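The scanning-and-guessing pattern described above leaves a distinctive trace in a device's own authentication log: a burst of failed Telnet logins from one source, cycling through default usernames, sometimes followed by a success. As an added example (not code from the article, ZDNet, or any vendor), the following Python script flags that pattern. The log line format and the sample lines are constructed for illustration, so the regular expression would need adapting to whatever a particular device or telnetd actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog-style lines from a hypothetical 'telnetd'):
# three rapid failures then a success from 203.0.113.7 (the brute-force pattern),
# and one failure followed by a success from 198.51.100.5 (an ordinary mistyped login).
SAMPLE_LOG = """\
2019-11-02T10:15:01 router telnetd[412]: login failed for user 'root' from 203.0.113.7
2019-11-02T10:15:02 router telnetd[412]: login failed for user 'admin' from 203.0.113.7
2019-11-02T10:15:03 router telnetd[412]: login failed for user 'default' from 203.0.113.7
2019-11-02T10:15:04 router telnetd[412]: login succeeded for user 'admin' from 203.0.113.7
2019-11-02T11:40:10 router telnetd[419]: login failed for user 'ops' from 198.51.100.5
2019-11-02T11:40:30 router telnetd[419]: login succeeded for user 'ops' from 198.51.100.5
"""

# Field layout assumed for the constructed format above; adjust for real devices.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ telnetd\[\d+\]: login (?P<result>failed|succeeded) "
    r"for user '(?P<user>[^']*)' from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)


def parse_events(text):
    """Yield (timestamp, source_ip, username, success) for every line that matches."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line: skip rather than abort the scan
        yield datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"] == "succeeded"


def detect_bruteforce(text, threshold=3, window=timedelta(minutes=5)):
    """Return {source_ip: finding} for every source that reaches `threshold`
    failed logins inside a sliding `window`. A finding records when the burst
    started, the peak failure count seen in any window, the usernames tried,
    and whether a successful login from that source followed the burst
    (the case that needs urgent attention: the guess probably worked)."""
    recent = defaultdict(list)   # source_ip -> timestamps of failures still inside the window
    tried = defaultdict(set)     # source_ip -> usernames attempted
    findings = {}
    for ts, src, user, success in parse_events(text):
        if success:
            if src in findings:
                findings[src]["success_after_burst"] = True
            continue
        tried[src].add(user)
        bucket = recent[src]
        bucket.append(ts)
        while ts - bucket[0] > window:   # expire failures that fell out of the window
            bucket.pop(0)
        if len(bucket) >= threshold:
            f = findings.setdefault(src, {"first_seen": bucket[0], "peak_failures": 0,
                                          "success_after_burst": False})
            f["peak_failures"] = max(f["peak_failures"], len(bucket))
            f["users_tried"] = sorted(tried[src])
    return findings


if __name__ == "__main__":
    for src, finding in detect_bruteforce(SAMPLE_LOG).items():
        print(src, finding)
```

The threshold and window are deliberately low in the sample; on a device that is only ever administered from inside the network, even a single failed Telnet login from an outside address is worth an alert, and the better fix is to not expose the port at all.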
Dangers of the Telnet leak
It is difficult to verify if or how many of the listed access credentials are still working, as using them would be illegal. Volunteers are notifying ISPs of the listed IP addresses.
This Telnet credentials list functions more as a shortcut to exposed targets than as the revealing of a major secret, however. Anyone can find poorly secured devices such as these by following the methods the hacker used to build the list. While a good deal of the devices on the list may no longer be accessible (due to changed access credentials or changed locations), any device that is not secured properly is likely to wind up as part of someone’s botnet somewhere. The hacker in this story is far from the only one regularly scanning the internet for vulnerable access credentials such as these. Improperly secured IoT devices can be compromised within minutes of being connected to the internet for the first time; if a device uses a known default or very weak login, a realistic expectation is that it will be compromised within about 24-48 hours.
One interesting sidebar to this story is the apparent shift in focus in DDoS booter services from harnessing scads of compromised devices to simply renting a high-end cloud server temporarily. This approach has been reported on for several years now and makes sense from an economic standpoint; so long as the hacker is earning more from the client than they are paying in compute power to execute the attack, it’s a profitable enterprise.
Of course, IoT botnets will continue to exist so long as they function and so long as weak security makes it a relatively simple matter to scan the internet and round up access credentials.
Though this list is large in terms of botnet access credentials that are leaked to the public, it is of a modest size as compared to some private lists that are available for sale through the dark web or kept in-house by a similar DDoS service.
Securing against botnets
The first and most critical step in securing home and business servers, routers and IoT devices is to change their default access credentials to something much more secure. Unfortunately, a number of IoT devices are still shipping without the ability to change default usernames and passwords (or sometimes without any password at all). So the process has to start with diligence when shopping to determine that each new device has at least the basics of security in place.
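As an added example (not code from the article or from any vendor), the following Python script is the kind of check a home user or small IT team can run over their own device inventory to find logins that would have landed on a list like this one: empty passwords, the common factory defaults the article names, passwords that simply repeat the username, and passwords too short to resist guessing. The inventory shape and the sample devices are constructed for illustration, and the default-password set is a short stand-in for the vendor documentation and breached-password lists a real audit would load.

```python
# Constructed lists for illustration: the terms the article says dominate the
# leaked list, plus a few other frequent factory defaults. A real audit should
# load vendor documentation and a proper breached-password list instead.
COMMON_PASSWORDS = {"root", "admin", "default", "12345", "123456", "1234",
                    "password", "user", "guest"}
MIN_LENGTH = 12


def credential_findings(username, password, min_length=MIN_LENGTH):
    """Return the reasons a (username, password) pair is unacceptable; an empty
    list means it passes. The checks are independent, so a pair can fail several."""
    reasons = []
    if password == "":
        reasons.append("empty password")
        return reasons          # the other checks are meaningless for an empty string
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("password is a common factory default")
    if password.lower() == username.lower():
        reasons.append("password equals username")
    if len(password) < min_length:
        reasons.append(f"password shorter than {min_length} characters")
    return reasons


def audit_inventory(inventory):
    """inventory: list of dicts with 'name', 'username' and 'password' keys
    (a hypothetical shape chosen for this example). Returns {name: reasons}
    for the devices that fail; devices that pass are left out."""
    failing = {}
    for device in inventory:
        reasons = credential_findings(device["username"], device["password"])
        if reasons:
            failing[device["name"]] = reasons
    return failing


# Constructed sample inventory. The first three use the kinds of values the
# article describes; the 'nas' entry shows a login that passes every check.
SAMPLE_INVENTORY = [
    {"name": "home-router", "username": "admin", "password": "admin"},
    {"name": "ip-camera", "username": "root", "password": ""},
    {"name": "thermostat", "username": "admin", "password": "12345"},
    {"name": "nas", "username": "ops", "password": "Tr4ck-the-m00n-2019!"},
]

if __name__ == "__main__":
    for name, reasons in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {'; '.join(reasons)}")
```

A device that fails the audit but offers no way to change its password is exactly the case the paragraph above warns about; the only remedies there are to keep it off the internet-facing side of the network or to replace it.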
Javvad Malik, Security Awareness Advocate for KnowBe4, expanded on why this seemingly self-evident thing doesn’t always happen:
“While users should practice good security and change default credentials and configurations, the reality is that this is not very intuitive, easy, or sometimes possible on IoT devices. This places the burden of responsibility squarely in the court of manufacturers to ensure products aren’t shipped with default passwords and prompt users to change any default configurations on first use.”
It’s also important to keep in mind that an exposed IoT device is a greater risk than just being added to bot lists. Tal Zamir, Co-Founder and CTO of Hysolate says:
“One of the biggest non-obvious risks behind this leak (and similar previous attacks) is that it gives any internet hacker the ability to connect to your home router and from there gain access to unpatched Windows PCs in home networks that trust that home network and are open to receive incoming requests on that network. With a single hop, the attacker could leverage an open port in a home Windows PC and take it over, gaining full access to your personal and corporate accounts and data. Consumers now need to adopt the same practices as corporate IT shops, including immediate patching of Windows PCs as well as adopting isolation techniques to protect access to important sensitive assets on the home network.”
And Raphael Reich, VP of Marketing for CyCognito, had some pertinent observations for any business seeking to protect their smart devices against attacks of this nature:
“This is a reminder that cloud-based servers, DevOps platforms, and partner networks that connect to an organization but are outside the full control of IT and security teams are often blind spots that provide an open and tempting pathway to attackers. It’s imperative for organizations to map their attack surface, expose those blind spots, or ‘shadow risk,’ and eliminate any critical attack vectors before attackers leverage them.”