The Mirai botnet has made plenty of headlines recently after launching record-breaking distributed denial-of-service (DDoS) attacks against the website of well-known security journalist Brian Krebs.
Earlier this month, hackers publicly released the source code of the Internet of Things (IoT) botnet powered by easily hacked routers, IP cameras and digital video recorders, among other devices.
“The [Mirai] malware… spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords,” explained KrebsonSecurity.
The insecure IoT devices are then loaded with malicious software, transforming them into “bots” and forcing them to report to a central control server, which is utilized to launch massive DDoS attacks in an effort to knock websites offline.
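One defender-side way to spot the scanning behaviour described above from inside a network, as an added example that is not part of the original article or of Flashpoint's research: the script parses a constructed firewall log (hypothetical format, not from any real product) and flags any internal host fanning out Telnet connections to many distinct destinations, which is what an infected device does when it scans for new victims.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (hypothetical format, not from any real product):
# "<ts> action=<allow|deny> proto=tcp src=<ip> dst=<ip> dport=<port>"
SAMPLE_LOG = """\
2016-10-03T12:00:00 action=allow proto=tcp src=10.0.0.12 dst=203.0.113.4 dport=23
2016-10-03T12:00:00 action=allow proto=tcp src=10.0.0.12 dst=203.0.113.9 dport=23
2016-10-03T12:00:01 action=deny proto=tcp src=10.0.0.12 dst=198.51.100.2 dport=23
2016-10-03T12:00:01 action=deny proto=tcp src=10.0.0.12 dst=198.51.100.3 dport=23
2016-10-03T12:00:02 action=allow proto=tcp src=10.0.0.12 dst=198.51.100.77 dport=23
2016-10-03T12:00:02 action=allow proto=tcp src=10.0.0.12 dst=203.0.113.4 dport=23
2016-10-03T12:00:03 action=allow proto=tcp src=10.0.0.30 dst=203.0.113.10 dport=443
2016-10-03T12:00:04 action=allow proto=tcp src=10.0.0.30 dst=203.0.113.11 dport=23
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>allow|deny) proto=(?P<proto>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_firewall_log(text):
    """Parse the constructed log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["dport"] = int(e["dport"])
            events.append(e)
    return events


def find_telnet_scanners(events, ports=(23,), min_targets=3):
    """Map each source to the distinct hosts it contacted on the Telnet port(s),
    keeping only sources at or above min_targets. Denied attempts count as well:
    a scanner has no way of knowing in advance which targets are reachable."""
    targets = defaultdict(set)
    for e in events:
        if e["proto"] == "tcp" and e["dport"] in ports:
            targets[e["src"]].add(e["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_telnet_scanners(parse_firewall_log(SAMPLE_LOG)).items():
        print(f"{src} contacted {len(dsts)} distinct hosts on Telnet: {dsts}")
```

On the sample data only 10.0.0.12 is flagged; the host that opened a single Telnet session is left alone, so the threshold keeps legitimate one-off administration out of the alert.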
According to reports, the source code includes a list of 60 username and password combinations that Mirai leverages to compromise the IoT devices.
Researchers identified that one of the credential sets, root/xc3511, allowed for the hijack of the majority of the devices powering the botnet.
Flashpoint researcher Zach Wikholm explained in a blog post that a very large percentage of the devices involved in the DDoS attacks were manufactured by a Chinese company.
“These types of credentials exist all across the Internet and are commonly used via Telnet to access numerous types of DVRs. In fact, countless DVR manufacturers buy parts preloaded with Linux and rudimentary management software from a company called XiongMai Technologies, located in Hangzhou, China,” said Wikholm.
“This company sells white-labeled DVR, NVR and IP Camera boards and software to downstream vendors who then use it in their own products. Altogether, over five-hundred thousand devices on public IPs around the world appear susceptible to this vulnerability.”
As Security Week reports, to make matters even worse, the default credentials of such devices cannot be changed as they are hardcoded in the firmware and there are no options for disabling them. Furthermore, the telnet service is also difficult to disable.
Wikholm told SecurityWeek that XiongMai devices accounted for nearly 70 percent in countries such as Turkey and Vietnam, where a lot of the attack traffic originated.