A hacker published the credentials of over 515,000 servers, routers, and IoT devices on a well-known hacking website. ZDNet reported that the list consists of IP addresses together with the username and password each device accepts for Telnet, the remote-access service whose open port allows these devices to be controlled over the internet.
The hacker compiled the list by scanning the internet for exposed Telnet ports and trying default, weak, or common passwords against them. Because the entries are dated from October to November 2019, some of the credentials may have been changed in the months since and no longer work.
Using IoT search engines, ZDNet was able to verify that the devices were located all over the globe. Most of them sat on the networks of known internet service providers, confirming that they are home routers or IoT devices; however, some of the IP addresses belonged to the networks of major cloud service providers.
This list was published online by a distributed denial of service (DDoS)-for-hire service operator. They had published the list as part of an upgrade to their DDoS service, which now includes renting out high-output servers from cloud service providers.
The nature of IoT botnet malware
It is common for IoT botnet campaigns to use such lists to access devices and infect them with malware. With a credential list as large as this one, a cybercriminal could build a powerful botnet. Such botnets are then used to conduct DDoS attacks or to mine cryptocurrency.
Although these lists are typically kept private, once leaked online they can be used and reused for new campaigns. This is typical behavior among IoT botnet malware authors.
Aside from reusing credentials, cybercriminals have also been seen designing new campaigns around the same set of exploits used by previous ones, banking on the assumption that some IoT devices still remain unpatched.
Such lists will continue to fuel IoT-related attacks for as long as devices are protected by weak security. Trend Micro’s predictions for 2020 also foresee the continued presence of IoT botnets peddled in the cybercriminal underground. These realities highlight the importance of users securing their devices. Users can begin with these best practices:
Patch devices as soon as possible. Users should apply patches and updates as soon as they become available, to avoid potential openings from exploits.
Use strong passwords. Strong passwords can prevent attacks that use a list of known or default passwords.
Disable unneeded services. Disabling unneeded services in IoT devices can minimize openings for potential attacks.
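As an added example (not code from the article or from Trend Micro), the following Python script shows a defender-side check for the pattern the article describes: a source that runs through a credential list against Telnet, producing repeated failed logins and, eventually, a success on a factory-default account. The syslog-style log format, the sample lines, the DEFAULT_USERS set and the failure threshold are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the article): syslog-style Telnet login
# events in a hypothetical format; adapt LINE_RE to your device's real format.
SAMPLE_LOG = """\
Nov 02 10:15:01 gw telnetd: login failed user=admin from=198.51.100.7
Nov 02 10:15:03 gw telnetd: login failed user=root from=198.51.100.7
Nov 02 10:15:05 gw telnetd: login failed user=admin from=198.51.100.7
Nov 02 10:15:07 gw telnetd: login ok user=admin from=198.51.100.7
Nov 02 10:20:00 gw telnetd: login ok user=alice from=192.0.2.10
Nov 02 10:21:00 gw telnetd: login failed user=alice from=192.0.2.10
"""

LINE_RE = re.compile(
    r"telnetd: login (?P<result>ok|failed) user=(?P<user>\S+) from=(?P<src>\S+)"
)

# Illustrative factory-default account names (an assumption, not a real list);
# a success on one of these is what a leaked credential list is used to obtain.
DEFAULT_USERS = {"admin", "root", "user", "support"}


def analyse(log_text, fail_threshold=3):
    """Return {source_ip: reason} for sources showing credential-list behaviour:
    repeated failures (a list being tried) and/or a success on a default account."""
    fails = defaultdict(int)           # source IP -> failed login count
    default_hits = defaultdict(list)   # source IP -> default accounts logged in
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                   # unrelated log line
        if m["result"] == "failed":
            fails[m["src"]] += 1
        elif m["user"] in DEFAULT_USERS:
            default_hits[m["src"]].append(m["user"])

    findings = {}
    for src in set(fails) | set(default_hits):
        reasons = []
        if fails[src] >= fail_threshold:
            reasons.append(f"{fails[src]} failed logins")
        if default_hits[src]:
            reasons.append("successful login as default account " + ", ".join(default_hits[src]))
        if reasons:
            findings[src] = "; ".join(reasons)
    return findings
```

Running `analyse(SAMPLE_LOG)` flags 198.51.100.7 (three failures, then success as admin) and leaves 192.0.2.10 unflagged, since a single mistyped password on a non-default account is normal user behaviour.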