Hacker Publishes Credentials for Over 515,000 Servers, Routers, and IoT Devices


A hacker published the credentials of over 515,000 servers, routers, and IoT devices on a well-known hacking website. ZDNet reported that the list consists of IP addresses and the usernames and passwords used by each for unlocking Telnet services, the port that allows these devices to be controlled through the internet.

The hacker composed the list by scanning the internet for exposed Telnet ports and by testing default and weak or common passwords. Since items on the list were dated from October to November 2019, some of the credentials might no longer work or had been changed over the succeeding months.

Using IoT search engines, ZDNet was able to verify that the devices were from all over the globe. Most of the devices were found on known internet service providers, confirming that these devices are either home routers or IoT devices. However, some of the IP addresses were on the networks of major cloud service providers.

This list was published online by a distributed denial of service (DDoS)-for-hire service operator. They had published the list as part of an upgrade to their DDoS service, which now includes renting out high-output servers from cloud service providers.

The nature of IoT botnet malware

It is common for IoT botnet campaigns to use such lists to access devices and infect them with malware.  With a massive list of credentials such as this one, a cybercriminal could create a powerful botnet. These botnets consequently are used by cybercriminals to conduct DDoS attacks or mine cryptocurrency.

Although these lists are typically kept private, they could be used and reused for new campaigns once leaked online. This is typical behavior among IoT botnet malware authors.

Aside from credentials, cybercriminals also have been seen taking advantage of the same set of exploits used by previous campaigns in designing new ones, banking on the assumption that there are still IoT devices that remain unpatched.

In the future, such lists will continue to fuel IoT-related attacks as long as devices are protected by weak security. Trend Micro’s predictions for 2020 also foresee the continued presence of IoT botnets peddled in the cybercriminal underground. These realities highlight the importance of securing their devices. Users can begin with these best practices:

  • Patch devices as soon as possible. Users should apply patches and updates as soon as they become available, to avoid potential openings from exploits.
  • Use strong passwords.  Strong passwords can prevent attacks that use a list of known or default passwords.
  • Disable unneeded services. Disabling unneeded services in IoT devices can minimize openings for potential attacks.

Users can also employ multilayered defenses that also provide better visibility over their devices. Trend Micro™ Security and Trend Micro™ Internet Security solutions, which offer effective safeguards against threats to IoT devices through features that can detect malware at the endpoint level. Connected devices can also be protected by security software such as the Trend Micro™ Home Network Security and Trend Micro™ Home Network Security SDK solutions, which can check internet traffic between the router and all connected devices. The Trend Micro™ Deep Discovery™ Inspector network appliance can monitor all ports and network protocols for advanced threats and protect enterprises from targeted attacks.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.