Dipping Into The Honeypot
Brute-forcing factory default usernames and passwords remains a winning strategy for Internet of Things (IOT) botnet propagation. The botnet operators with the best credential list will build the largest botnet and obtain superior firepower for launching DDoS attacks. IOT bots are indiscriminate – they randomly choose an address to attack and work through their list of usernames and passwords until they either give up or infect the targeted device. For the month of September we observed 1,065 unique username and password combinations from 129 different countries. Taking a step back and looking at malware-agnostic regional trends for username and password combinations, local affinities for different types of IOT devices emerge.
• Interrogating botnets revealed 1,005 additional username and password combinations beyond Mirai’s default list, of the 1,065 total observed.
• Combinations used across disparate regions surface trends regarding device type deployments.
• Attacks from bots using specific manufacturer default passwords are often perpetrated from similarly compromised devices.
The infamous IOT malware Mirai first burst onto the scene in late 2016, and a number of variants have emerged since, but much of their success belongs to a simple propagation method – default usernames and passwords. Several variants evolved to use exploits that target vulnerabilities, but a mundane factory-installed username and password is still incredibly effective.
Mirai bundled its own list of usernames and passwords, which made its way into the publicly released source code. This code allowed anyone with a modicum of technical skill to build their own IOT botnet. Fast adopters quickly crowded the landscape and IOT bots became commonplace. Some found that by using their own custom list of usernames and passwords, they could achieve evolutionary success by infecting devices that others could not.
Collecting the usernames and passwords used by IOT malware is a fertile field for analysis. By emulating enough of the telnet protocol to elicit usernames and passwords (and more!), a honeypot gets bots to gladly share their hit list with anyone listening. With enough of these collectors, trends emerge.
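The following is an added example of the collection technique described above, not code from the original post or from any particular honeypot project. It implements just enough of telnet to keep a scanning bot talking: option negotiation bytes (IAC sequences) are stripped, a fake login/Password prompt pair is served, every attempt is answered with "Login incorrect" so the bot cycles through its whole list, and the captured pairs are logged as JSON lines. Port 2323, the 30-second idle timeout and the cap of 10 attempts per session are assumptions chosen for the example.

```python
import asyncio
import json
import logging
from dataclasses import dataclass, field

# Telnet command bytes (RFC 854); scanners usually send a few of these before the username.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
LOGIN_PROMPT = b"login: "
PASSWORD_PROMPT = b"Password: "
FAIL_BANNER = b"\r\nLogin incorrect\r\n"


def strip_telnet_commands(data: bytes) -> bytes:
    """Remove IAC negotiation sequences so only the typed text remains."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            break  # dangling IAC at end of buffer, drop it
        cmd = data[i + 1]
        if cmd == IAC:  # IAC IAC is an escaped literal 0xFF byte
            out.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):
            i += 3  # three-byte option negotiation: IAC <cmd> <option>
        elif cmd == SB:  # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2  # any other two-byte command
    return bytes(out)


@dataclass
class TelnetCredentialCollector:
    """State machine for one fake telnet login session (constructed for this example)."""
    max_attempts: int = 10
    attempts: list = field(default_factory=list)  # (username, password) pairs seen
    _state: str = "user"
    _buffer: bytearray = field(default_factory=bytearray)
    _username: str = ""

    def start(self) -> bytes:
        """Bytes to send as soon as the bot connects."""
        return LOGIN_PROMPT

    def feed(self, data: bytes) -> bytes:
        """Consume bytes from the bot; return the bytes to send back."""
        reply = bytearray()
        self._buffer.extend(strip_telnet_commands(data))
        while b"\n" in self._buffer:
            line, _, rest = bytes(self._buffer).partition(b"\n")
            self._buffer = bytearray(rest)
            text = line.rstrip(b"\r").decode("utf-8", "replace")
            if self._state == "user":
                self._username = text
                self._state = "pass"
                reply += PASSWORD_PROMPT
            else:
                self.attempts.append((self._username, text))
                self._state = "user"
                # Always reject, so the bot keeps walking its credential list.
                reply += FAIL_BANNER + LOGIN_PROMPT
        return bytes(reply)

    @property
    def done(self) -> bool:
        return len(self.attempts) >= self.max_attempts


async def handle_bot(reader, writer):
    peer = writer.get_extra_info("peername")
    session = TelnetCredentialCollector()
    writer.write(session.start())
    try:
        while not session.done:
            data = await asyncio.wait_for(reader.read(256), timeout=30)
            if not data:
                break
            writer.write(session.feed(data))
            await writer.drain()
    except asyncio.TimeoutError:
        pass
    finally:
        for user, pw in session.attempts:
            logging.info(json.dumps({"src": peer[0], "user": user, "pass": pw}))
        writer.close()


async def serve(port: int = 2323):
    server = await asyncio.start_server(handle_bot, "0.0.0.0", port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    asyncio.run(serve())
```

The session logic is kept separate from the socket handling so it can be unit-tested by feeding it byte strings; in production you would bind the real port 23 (or redirect it) and ship the JSON lines to whatever store feeds the ranking analysis.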
Let’s focus on data collected during the month of September 2018. The top 5 username and password combos (Figure 1) won’t surprise anyone:
Figure 1: Top 5 Username/Passwords, September 2018
These password combos came with the original Mirai source code, including two – vizxv and xc3511 – that target the DVRs that propelled the original Mirai bot to prominence.
The usernames and passwords that don’t appear in the original Mirai source code are more interesting. Figure 2 shows a list of frequently used combinations:
Figure 2: Top 20 Username/Passwords not in original Mirai, September 2018
The list includes a mix of basic username and password combinations (default/default and root/ with a blank password) and very specific ones (root/1001chin and root/taZz@23495859). The more specific passwords are factory defaults for certain devices. Over the past two years attackers have focused on adding new devices to their war chest.
Figure 3 shows a map of telnet brute-forcers, the top countries being Russia, China, Brazil, US, and South Korea, respectively. What can we tell about the usernames and passwords used by bots based on their geography?
Figure 3: Map of bot infections, September 2018
When an automated bot like Mirai attempts an unsolicited brute-force attack, chances are the device rattling the doorknob is susceptible to the exact same attack. In fact, it’s possible the device attempting the brute-force is already a part of the botnet via the same attack, perhaps even the same username and password combination. Some devices appear more prominent in certain countries, due to either availability or popularity. Let’s take a look at several of these anomalies (Figure 4).
Country | Username/Password | Local Rank | Overall Rank (table rows not preserved)
Figure 4: Username/Passwords by country, local & overall rank, September 2018
The root/20080826 combination seen primarily from Russia appears to be for a device called TM02 TripMate – a travel router. Likewise, vstarcam2015/20150602 appears to be the magic incantation that grants access to a webcam. Both devices are available in the United States, but are perhaps more popular in Russia. Since the sources are well distributed, this is unlikely to be targeted scanning rather than the behavior of a bot. The data in Figure 4 was filtered for noise, such as a single IP in Italy brute-forcing the internet for days with <blank>/<blank>.
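As an added example of the local-versus-overall ranking behind Figure 4 (not the post's own analysis code), the block below takes honeypot records of the form (source country, username, password), ranks each combination overall and per country, and flags combinations that rank much higher in one country than globally. To reduce the single-source noise mentioned above, a combination is only flagged when it was seen at least twice from that country. The records and the rank-gap threshold are constructed for the example; the Mirai default set is a small subset of the publicly released list (the page itself names vizxv and xc3511), not the full list.

```python
from collections import Counter, defaultdict

# Constructed honeypot records: (source country, username, password).
# Counts are chosen to mimic the affinities discussed in the text.
RECORDS = (
    [("RU", "root", "xc3511")] * 2 + [("CN", "root", "xc3511")] * 2
    + [("BR", "root", "xc3511"), ("US", "root", "xc3511")]
    + [("CN", "root", "vizxv")] * 2
    + [("RU", "root", "vizxv"), ("US", "root", "vizxv"), ("BR", "root", "vizxv")]
    + [("US", "admin", "admin")] * 2 + [("BR", "admin", "admin"), ("RU", "admin", "admin")]
    + [("CN", "telecomadmin", "admintelecom")] * 3 + [("BR", "telecomadmin", "admintelecom")]
    + [("RU", "root", "20080826")] * 3
    + [("US", "root", ""), ("BR", "root", "")]
    + [("RU", "vstarcam2015", "20150602")]
)

# Small subset of the credential list shipped in the public Mirai source.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("admin", "admin"),
    ("root", "admin"), ("root", "default"), ("root", "123456"),
}


def _ranked(counter: Counter) -> dict:
    """Map combo -> 1-based rank, most frequent first; ties broken by combo for determinism."""
    ordered = sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))
    return {combo: i + 1 for i, (combo, _) in enumerate(ordered)}


def rank_combos(records):
    """Return (overall_rank, local_rank, local_count).

    overall_rank: combo -> global rank
    local_rank:   country -> {combo -> rank within that country}
    local_count:  country -> Counter of combos seen from that country
    """
    overall = Counter((u, p) for _, u, p in records)
    local_count = defaultdict(Counter)
    for country, u, p in records:
        local_count[country][(u, p)] += 1
    local_rank = {c: _ranked(cnt) for c, cnt in local_count.items()}
    return _ranked(overall), local_rank, local_count


def local_affinities(records, min_gap=3, min_local=2):
    """Combos whose local rank beats their overall rank by at least min_gap places.

    min_local drops combinations seen fewer than min_local times from a country,
    so a lone source hammering one pair does not produce a spurious 'affinity'.
    Returns a list of (country, combo, local_rank, overall_rank) sorted by country.
    """
    overall_rank, local_rank, local_count = rank_combos(records)
    hits = []
    for country, ranks in local_rank.items():
        for combo, lrank in ranks.items():
            if local_count[country][combo] < min_local:
                continue
            if overall_rank[combo] - lrank >= min_gap:
                hits.append((country, combo, lrank, overall_rank[combo]))
    return sorted(hits)


def not_in_mirai(records):
    """Combos absent from the Mirai default subset, most frequent first (cf. Figure 2)."""
    overall_rank, _, _ = rank_combos(records)
    return [combo for combo in overall_rank if combo not in MIRAI_DEFAULTS]


if __name__ == "__main__":
    for country, (u, p), lrank, orank in local_affinities(RECORDS):
        print(f"{country}: {u}/{p} local rank {lrank}, overall rank {orank}")
    print("not in Mirai defaults:", not_in_mirai(RECORDS))
```

With real data the tie-breaking rule matters less than the two thresholds: `min_local` is what removes the single-IP noise case, and `min_gap` sets how strong a regional skew must be before a combination is reported as a local affinity.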
Other cases are clearer, such as telecomadmin/admintelecom for Huawei devices, which have a much larger install base outside of western countries.
The fifth through ninth top username and password combinations from Iran are also strange. They are not uncommon passwords, and not necessarily tied to a specific device, but they are far more prevalent from Iran. Perhaps an older bot that remains in play?
IOT bots employ the shotgun approach to propagation – pick a target at random and keep trying until the list is exhausted or the attack succeeds. Until the attackers take a more nuanced approach, security researchers can identify their targets through the use of honeypots. Although not an exact science, the study of IOT botnet behavior can help us understand the targeting and methodology employed by botnet operators. Breaking down these trends both globally and regionally shows an IOT ecosystem ripe for abuse.