Yes, hindsight is often 20/20. But what’s better than hindsight? Foresight. This allows you to prepare for a particular event rather than merely apply the lessons learned from a past cyberattack the next time around.

Unfortunately, depending on the significance of the attack, there may not be a next time. For an example of the consequences of Internet of Things (IoT) and Telnet, look no further than the recent record-shattering distributed denial-of-service (DDoS) attack against domain name provider Dyn, which used the Mirai IoT botnet.

Cybercriminals Capitalize on IoT and Telnet

In the report titled “Beware of Older Cyber Attacks,” IBM warned that one of the oldest protocols for accessing remote computers, Telnet, could enable attackers to access IoT devices without authorization. Then, in September, a large DDoS attack targeted popular security news site KrebsOnSecurity. Initial reports indicated that an IoT botnet could have been involved.

When the source code for the known Mirai botnet leaked in early October, we figured it would only be a matter of time before cybercriminals found a way to capitalize on its use of the IoT and Telnet to take down websites via a DDoS attack.

On Friday, Oct. 21, Dyn fell victim to one of the largest cyberattacks on record. The attack disrupted internet access across the U.S. to major sites including Twitter, Netflix and Amazon. The attack most likely used tens of millions of webcams, home automation devices, wireless routers and internet-enabled appliances.

Because these devices usually come with factory-supplied passwords that consumers typically do not change, they are easy to infect. Telnet does not encrypt communications, enabling attackers to access user IDs and passwords.

The Mirai Effect

According to IBM X-Force research, the Mirai command-and-control (C&C) server leveraged the Telnet service to acquire bots using a scanner that can quickly identify any device listening on TCP port 23. There have also been reports of Mirai using port 2323, which is officially registered by the Internet Assigned Numbers Authority (IANA) for 3d-nfsd.

Inside the source code is a file called scanner.c, which the bot uses to perform brute-force scanning of a select set of IP ranges. This allows the bot to find additional hosts it can acquire by initiating a discovery scan against it. Once the scanner finds an open Telnet port, it performs a dictionary-based brute-force attack against the host. The scanner also checks to see if it can directly connect to Telnet with default credentials.

Once access is established, the bot verifies the login to the new device. When properly authenticated, the host then reports its IP address, port and authentication credentials back to the C&C. Once a target is compromised, it is then fed further instructions to execute a DDoS attack. The device continues to perform its normal functions while it perpetrates the attack.

Rise in Telnet Attack Sources

IBM Managed Security Services (MSS) data revealed a very interesting trend emerging over the last several months regarding the number of IP addresses attempting to either access or determine if the Telnet port is running. There was notable rise from May through July, and then the numbers jumped significantly from July to August — almost a 140 percent increase. Levels have remained relatively high through October.

There are a number of potential reasons for this increase. Certainly, Mirai played a role. However, not all the source IPs were associated with this particular botnet. When we analyzed IBM MSS security event data for a previous report, Telnet accounted for more than three-quarters of the sweep traffic. Clearly, attackers are looking for open Telnet ports. An attacker may do this as part of an effort to:

  • See if the login banner reveals something about the system and the entity that owns it.
  • Gain immediate access to the system if authentication isn’t required.
  • Try common default accounts, such as root/root, system/system, manager/manager or operator/operator, to gain unauthorized access.
  • Perform brute-force attacks to obtain passwords for common user or system accounts.

In other words, there are many bad actors out there who are interested in using Telnet to achieve their malicious goals.

Limit the Use of Telnet

While Telnet is no longer enabled by default in as many UNIX/Linux distributions as it once was, it still gets triggered by inexperienced administrators and can be enabled by default on many IoT devices. Additionally, some Telnet servers connected to the internet are running on systems ranging from Windows 10 all the way back to Windows XP.

Organizations should limit the use of Telnet in their IT environments. Disable Telnet if it is not necessary or replace it with a stronger counterpart, such as Secure Shell (SSH).

Preventing IoT Botnet DDoS Attacks

To remediate DDoS attacks, IT professionals must detect unusually high volumes of requests made by the internet-enabled devices and temporarily shut down access to them. Additionally, enterprises security teams should:

  • Perform device scanning and implement auditing software to detect factory-supplied passwords.
  • Review and implement security services that can detect both probing of Domain Name System (DNS), service providers and C&C activity, in which machines are operated by computer command.
  • Change the admin user ID and password when installing a new device. For older devices, go back and change these after rebooting the device.
  • Isolate IoT devices on protected networks and perform security testing.
  • Use enterprise firewalls, intrusion prevention systems, and identity and access management (IAM) solutions to implement access controls between IoT devices and IT resources.

Organizations must respond proactively to minimize damage. An incident response team is the single most important factor in reducing the cost of a data breach. Meanwhile, a managed web defense service can divert traffic from your environment during a DDoS attack, enabling your web properties to function normally.

Finally, continue to exchange and share information to gain foresight on threats to your environment.

More from Threat Intelligence

An IBM Hacker Breaks Down High-Profile Attacks

On September 19, 2022, an 18-year-old cyberattacker known as "teapotuberhacker" (aka TeaPot) allegedly breached the Slack messages of game developer Rockstar Games. Using this access, they pilfered over 90 videos of the upcoming Grand Theft Auto VI game. They then posted those videos on the fan website Gamers got an unsanctioned sneak peek of game footage, characters, plot points and other critical details. It was a game developer's worst nightmare. In addition, the malicious actor claimed responsibility for a…

Self-Checkout This Discord C2

This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen. In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software…

Charles Henderson’s Cybersecurity Awareness Month Content Roundup

In some parts of the world during October, we have Halloween, which conjures the specter of imagined monsters lurking in the dark. Simultaneously, October is Cybersecurity Awareness Month, which evokes the specter of threats lurking behind our screens. Bombarded with horror stories about data breaches, ransomware, and malware, everyone’s suddenly in the latest cybersecurity trends and data, and the intricacies of their organization’s incident response plan. What does all this fear and uncertainty stem from? It’s the unknowns. Who might…

Old Habits Die Hard: New Report Finds Businesses Still Introducing Security Risk into Cloud Environments

While cloud computing and its many forms (private, public, hybrid cloud or multi-cloud environments) have become ubiquitous with innovation and growth over the past decade, cybercriminals have closely watched the migration and introduced innovations of their own to exploit the platforms. Most of these exploits are based on poor configurations and human error. New IBM Security X-Force data reveals that many cloud-adopting businesses are falling behind on basic security best practices, introducing more risk to their organizations. Shedding light on…