November 8, 2016 By Michelle Alvarez 4 min read

Yes, hindsight is often 20/20. But what’s better than hindsight? Foresight. This allows you to prepare for a particular event rather than merely apply the lessons learned from a past cyberattack the next time around.

Unfortunately, depending on the significance of the attack, there may not be a next time. For an example of the consequences of combining Internet of Things (IoT) devices with Telnet, look no further than the recent record-shattering distributed denial-of-service (DDoS) attack against domain name provider Dyn, which used the Mirai IoT botnet.

Cybercriminals Capitalize on IoT and Telnet

In the report titled “Beware of Older Cyber Attacks,” IBM warned that one of the oldest protocols for accessing remote computers, Telnet, could enable attackers to access IoT devices without authorization. Then, in September, a large DDoS attack targeted popular security news site KrebsOnSecurity. Initial reports indicated that an IoT botnet could have been involved.

When the source code for the known Mirai botnet leaked in early October, we figured it would only be a matter of time before cybercriminals found a way to capitalize on its use of the IoT and Telnet to take down websites via a DDoS attack.

On Friday, Oct. 21, Dyn fell victim to one of the largest cyberattacks on record. The attack disrupted internet access across the U.S. to major sites including Twitter, Netflix and Amazon. The attack most likely used tens of millions of webcams, home automation devices, wireless routers and internet-enabled appliances.

Because these devices usually come with factory-supplied passwords that consumers typically do not change, they are easy to infect. Telnet does not encrypt communications, enabling attackers to access user IDs and passwords.

The Mirai Effect

According to IBM X-Force research, the Mirai command-and-control (C&C) server leveraged the Telnet service to acquire bots using a scanner that can quickly identify any device listening on TCP port 23. There have also been reports of Mirai using port 2323, which is officially registered by the Internet Assigned Numbers Authority (IANA) for 3d-nfsd.

Inside the source code is a file called scanner.c, which the bot uses to perform brute-force scanning of a select set of IP ranges. This allows the bot to find additional hosts it can acquire by initiating a discovery scan against them. Once the scanner finds an open Telnet port, it performs a dictionary-based brute-force attack against the host. The scanner also checks to see if it can directly connect to Telnet with default credentials.

Once access is established, the bot verifies the login to the new device. When properly authenticated, the host then reports its IP address, port and authentication credentials back to the C&C. Once a target is compromised, it is then fed further instructions to execute a DDoS attack. The device continues to perform its normal functions while it perpetrates the attack.

Rise in Telnet Attack Sources

IBM Managed Security Services (MSS) data revealed a very interesting trend emerging over the last several months regarding the number of IP addresses attempting to either access or determine if the Telnet port is running. There was a notable rise from May through July, and then the numbers jumped significantly from July to August — almost a 140 percent increase. Levels have remained relatively high through October.

There are a number of potential reasons for this increase. Certainly, Mirai played a role. However, not all the source IPs were associated with this particular botnet. When we analyzed IBM MSS security event data for a previous report, Telnet accounted for more than three-quarters of the sweep traffic. Clearly, attackers are looking for open Telnet ports. An attacker may do this as part of an effort to:

  • See if the login banner reveals something about the system and the entity that owns it.
  • Gain immediate access to the system if authentication isn’t required.
  • Try common default accounts, such as root/root, system/system, manager/manager or operator/operator, to gain unauthorized access.
  • Perform brute-force attacks to obtain passwords for common user or system accounts.

In other words, there are many bad actors out there who are interested in using Telnet to achieve their malicious goals.
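The two observations above, a scanner that sweeps many hosts on TCP/23 and TCP/2323, and a month-over-month rise in the number of distinct source IPs probing Telnet, can both be pulled out of ordinary firewall drop logs. The following is an added example written for this post, not code from IBM or from the Mirai source: it parses constructed syslog-style firewall lines (the hosts, addresses and counts are made up; the line format is an assumption), counts distinct Telnet-probing sources per month, computes the percent change between two months, and flags sources whose horizontal sweep pattern (one source, many destinations on Telnet ports) matches the scanner behaviour described.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not real IBM MSS data): dropped inbound TCP
# connection attempts in an assumed syslog-style format.
SAMPLE_LOG = """\
May  3 01:12:09 fw1 DROP TCP 198.51.100.7:51000 -> 203.0.113.10:23
May  3 01:12:10 fw1 DROP TCP 198.51.100.7:51001 -> 203.0.113.11:23
May  9 11:40:02 fw1 DROP TCP 192.0.2.44:40000 -> 203.0.113.12:2323
May 21 06:02:55 fw1 DROP TCP 198.51.100.7:51002 -> 203.0.113.13:22
Jun  1 03:30:00 fw1 DROP TCP 192.0.2.44:40001 -> 203.0.113.10:23
Jun 12 14:10:31 fw1 DROP TCP 192.0.2.45:40002 -> 203.0.113.11:23
Jul  4 08:00:07 fw1 DROP TCP 192.0.2.46:40003 -> 203.0.113.11:2323
Jul 18 20:45:51 fw1 DROP TCP 198.51.100.8:52000 -> 203.0.113.12:23
Aug  2 02:02:02 fw1 DROP TCP 198.51.100.9:53000 -> 203.0.113.10:23
Aug  2 02:02:03 fw1 DROP TCP 198.51.100.9:53001 -> 203.0.113.11:23
Aug  2 02:02:04 fw1 DROP TCP 198.51.100.9:53002 -> 203.0.113.12:23
Aug  2 02:02:05 fw1 DROP TCP 198.51.100.9:53003 -> 203.0.113.13:23
Aug  5 09:15:22 fw1 DROP TCP 192.0.2.47:40004 -> 203.0.113.14:2323
Aug 19 23:59:59 fw1 DROP TCP 192.0.2.48:40005 -> 203.0.113.10:23
Aug 27 12:00:00 fw1 DROP TCP 192.0.2.49:40006 -> 203.0.113.11:23
Aug 30 17:30:45 fw1 DROP TCP 198.51.100.7:51003 -> 203.0.113.15:80
"""

# Telnet's registered port plus the alternate port the post reports Mirai using.
TELNET_PORTS = {23, 2323}

LINE_RE = re.compile(
    r"^(\w{3}) +\d+ [\d:]+ \S+ DROP TCP (\S+):\d+ -> (\S+):(\d+)$"
)


def parse(log):
    """Yield (month, src_ip, dst_ip, dst_port) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))


def telnet_sources_by_month(log):
    """Number of distinct source IPs that probed a Telnet port, keyed by month."""
    seen = defaultdict(set)
    for month, src, _dst, port in parse(log):
        if port in TELNET_PORTS:
            seen[month].add(src)
    return {month: len(sources) for month, sources in seen.items()}


def percent_change(counts, earlier, later):
    """Percent change in distinct Telnet sources between two months."""
    return (counts[later] - counts[earlier]) / counts[earlier] * 100.0


def sweep_sources(log, min_targets=3):
    """Sources that hit at least min_targets distinct hosts on Telnet ports.

    One source touching many destinations on 23/2323 is the horizontal
    discovery-scan pattern, as opposed to a single mistyped connection.
    """
    targets = defaultdict(set)
    for _month, src, dst, port in parse(log):
        if port in TELNET_PORTS:
            targets[src].add(dst)
    return sorted(src for src, hosts in targets.items() if len(hosts) >= min_targets)


if __name__ == "__main__":
    counts = telnet_sources_by_month(SAMPLE_LOG)
    print("distinct Telnet sources per month:", counts)
    print("Jul -> Aug change: %.0f%%" % percent_change(counts, "Jul", "Aug"))
    print("sweeping sources:", sweep_sources(SAMPLE_LOG))
```

On the constructed data the July-to-August jump is 100 percent and one source, 198.51.100.9, is flagged as a sweeper; on real logs the same two numbers, distinct sources per period and hosts-per-source, are what distinguish a botnet recruitment wave from background noise.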

Limit the Use of Telnet

While Telnet is no longer enabled by default in as many UNIX/Linux distributions as it once was, it is still enabled by inexperienced administrators and can be enabled by default on many IoT devices. Additionally, some Telnet servers connected to the internet are running on systems ranging from Windows 10 all the way back to Windows XP.

Organizations should limit the use of Telnet in their IT environments. Disable Telnet if it is not necessary or replace it with a stronger counterpart, such as Secure Shell (SSH).

Preventing IoT Botnet DDoS Attacks

To remediate DDoS attacks, IT professionals must detect unusually high volumes of requests made by the internet-enabled devices and temporarily shut down access to them. Additionally, enterprise security teams should:

  • Perform device scanning and implement auditing software to detect factory-supplied passwords.
  • Review and implement security services that can detect both probing of Domain Name System (DNS) service providers and C&C activity, in which compromised machines are operated by remote command.
  • Change the admin user ID and password when installing a new device. For older devices, go back and change these after rebooting the device.
  • Isolate IoT devices on protected networks and perform security testing.
  • Use enterprise firewalls, intrusion prevention systems, and identity and access management (IAM) solutions to implement access controls between IoT devices and IT resources.
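Two of the recommendations above lend themselves to a concrete check: spotting an IoT device that has started emitting an unusually high volume of outbound traffic (the compromised-device signal that precedes a DDoS), and enforcing the isolation rule that IoT devices must not reach IT resources. The block below is an added example written for this post, not IBM or vendor code. It works from constructed NetFlow-style records for an IoT VLAN (the subnets, baselines and packet counts are made up, and the 20x-baseline threshold is an assumed tuning value), flags devices whose outbound volume exceeds their learned baseline, flags flows from the IoT VLAN into the IT network, and merges both into a per-device list of reasons a firewall or NAC could act on.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed one-minute flow records from the IoT VLAN (not real data):
# (source device IP, destination IP, destination port, packets in the window).
SAMPLE_FLOWS = [
    ("10.20.0.11", "10.20.0.1", 53, 12),          # webcam: DNS to the VLAN resolver
    ("10.20.0.11", "198.51.100.20", 443, 40),     # webcam: vendor cloud service
    ("10.20.0.12", "198.51.100.20", 443, 35),     # thermostat: vendor cloud service
    ("10.20.0.13", "203.0.113.5", 53, 9000),      # DVR: sudden DNS flood
    ("10.20.0.13", "203.0.113.5", 80, 15000),     # DVR: sudden HTTP flood
    ("10.20.0.14", "10.10.0.5", 445, 30),         # sensor hub reaching an IT file server
]

# Assumed learned baseline: normal outbound packets per minute for each device.
BASELINE_PPM = {"10.20.0.11": 60, "10.20.0.12": 40, "10.20.0.13": 50, "10.20.0.14": 45}

# Assumed network layout: IoT devices live in 10.20.0.0/24 and must never
# initiate connections into the IT network 10.10.0.0/16.
IOT_NET = ipaddress.ip_network("10.20.0.0/24")
IT_NET = ipaddress.ip_network("10.10.0.0/16")


def packets_per_device(flows):
    """Total outbound packets per source device across all its flows."""
    totals = Counter()
    for src, _dst, _port, packets in flows:
        totals[src] += packets
    return totals


def flag_flooding(flows, baseline, factor=20):
    """Devices whose outbound volume exceeds factor x their learned baseline.

    Unknown devices (no baseline) are treated as having a baseline of 0 so that
    any traffic from them is flagged rather than silently ignored.
    """
    totals = packets_per_device(flows)
    return sorted(dev for dev, pkts in totals.items()
                  if pkts > factor * baseline.get(dev, 0))


def it_access_violations(flows):
    """Flows that cross from the IoT VLAN into the IT network, which the
    isolation policy forbids regardless of volume."""
    hits = []
    for src, dst, port, _packets in flows:
        if (ipaddress.ip_address(src) in IOT_NET
                and ipaddress.ip_address(dst) in IT_NET):
            hits.append((src, dst, port))
    return sorted(hits)


def response_actions(flows, baseline, factor=20):
    """Per-device set of reasons to temporarily cut the device's access."""
    actions = defaultdict(set)
    for dev in flag_flooding(flows, baseline, factor):
        actions[dev].add("outbound-flood")
    for src, _dst, _port in it_access_violations(flows):
        actions[src].add("iot-to-it")
    return dict(actions)


if __name__ == "__main__":
    for device, reasons in response_actions(SAMPLE_FLOWS, BASELINE_PPM).items():
        print("quarantine %s: %s" % (device, ", ".join(sorted(reasons))))
```

The volume check catches the DVR whose 24,000 packets in a minute dwarf its 50-packet baseline; the isolation check catches the sensor hub talking SMB to a file server even though its volume is normal. In production the `response_actions` output would feed the firewall or NAC rule that removes the device from the network until it is reset and re-credentialed.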

Organizations must respond proactively to minimize damage. An incident response team is the single most important factor in reducing the cost of a data breach. Meanwhile, a managed web defense service can divert traffic from your environment during a DDoS attack, enabling your web properties to function normally.

Finally, continue to exchange and share information to gain foresight on threats to your environment.
