November 8, 2016 By Michelle Alvarez 4 min read

Yes, hindsight is often 20/20. But what’s better than hindsight? Foresight. This allows you to prepare for a particular event rather than merely apply the lessons learned from a past cyberattack the next time around.

Unfortunately, depending on the significance of the attack, there may not be a next time. For an example of the consequences of Internet of Things (IoT) and Telnet, look no further than the recent record-shattering distributed denial-of-service (DDoS) attack against domain name provider Dyn, which used the Mirai IoT botnet.

Cybercriminals Capitalize on IoT and Telnet

In the report titled “Beware of Older Cyber Attacks,” IBM warned that one of the oldest protocols for accessing remote computers, Telnet, could enable attackers to access IoT devices without authorization. Then, in September, a large DDoS attack targeted popular security news site KrebsOnSecurity. Initial reports indicated that an IoT botnet could have been involved.

When the source code for the known Mirai botnet leaked in early October, we figured it would only be a matter of time before cybercriminals found a way to capitalize on its use of the IoT and Telnet to take down websites via a DDoS attack.

On Friday, Oct. 21, Dyn fell victim to one of the largest cyberattacks on record. The attack disrupted internet access across the U.S. to major sites including Twitter, Netflix and Amazon. The attack most likely used tens of millions of webcams, home automation devices, wireless routers and internet-enabled appliances.

Because these devices usually come with factory-supplied passwords that consumers typically do not change, they are easy to infect. Telnet does not encrypt communications, enabling attackers to access user IDs and passwords.

The Mirai Effect

According to IBM X-Force research, the Mirai command-and-control (C&C) server leveraged the Telnet service to acquire bots using a scanner that can quickly identify any device listening on TCP port 23. There have also been reports of Mirai using port 2323, which is officially registered by the Internet Assigned Numbers Authority (IANA) for 3d-nfsd.

Inside the source code is a file called scanner.c, which the bot uses to perform brute-force scanning of a select set of IP ranges. This allows the bot to find additional hosts it can acquire by initiating a discovery scan against it. Once the scanner finds an open Telnet port, it performs a dictionary-based brute-force attack against the host. The scanner also checks to see if it can directly connect to Telnet with default credentials.

Once access is established, the bot verifies the login to the new device. When properly authenticated, the host then reports its IP address, port and authentication credentials back to the C&C. Once a target is compromised, it is then fed further instructions to execute a DDoS attack. The device continues to perform its normal functions while it perpetrates the attack.

Rise in Telnet Attack Sources

IBM Managed Security Services (MSS) data revealed a very interesting trend emerging over the last several months regarding the number of IP addresses attempting to either access or determine if the Telnet port is running. There was notable rise from May through July, and then the numbers jumped significantly from July to August — almost a 140 percent increase. Levels have remained relatively high through October.

There are a number of potential reasons for this increase. Certainly, Mirai played a role. However, not all the source IPs were associated with this particular botnet. When we analyzed IBM MSS security event data for a previous report, Telnet accounted for more than three-quarters of the sweep traffic. Clearly, attackers are looking for open Telnet ports. An attacker may do this as part of an effort to:

  • See if the login banner reveals something about the system and the entity that owns it.
  • Gain immediate access to the system if authentication isn’t required.
  • Try common default accounts, such as root/root, system/system, manager/manager or operator/operator, to gain unauthorized access.
  • Perform brute-force attacks to obtain passwords for common user or system accounts.

In other words, there are many bad actors out there who are interested in using Telnet to achieve their malicious goals.

Limit the Use of Telnet

While Telnet is no longer enabled by default in as many UNIX/Linux distributions as it once was, it still gets triggered by inexperienced administrators and can be enabled by default on many IoT devices. Additionally, some Telnet servers connected to the internet are running on systems ranging from Windows 10 all the way back to Windows XP.

Organizations should limit the use of Telnet in their IT environments. Disable Telnet if it is not necessary or replace it with a stronger counterpart, such as Secure Shell (SSH).

Preventing IoT Botnet DDoS Attacks

To remediate DDoS attacks, IT professionals must detect unusually high volumes of requests made by the internet-enabled devices and temporarily shut down access to them. Additionally, enterprises security teams should:

  • Perform device scanning and implement auditing software to detect factory-supplied passwords.
  • Review and implement security services that can detect both probing of Domain Name System (DNS), service providers and C&C activity, in which machines are operated by computer command.
  • Change the admin user ID and password when installing a new device. For older devices, go back and change these after rebooting the device.
  • Isolate IoT devices on protected networks and perform security testing.
  • Use enterprise firewalls, intrusion prevention systems, and identity and access management (IAM) solutions to implement access controls between IoT devices and IT resources.

Organizations must respond proactively to minimize damage. An incident response team is the single most important factor in reducing the cost of a data breach. Meanwhile, a managed web defense service can divert traffic from your environment during a DDoS attack, enabling your web properties to function normally.

Finally, continue to exchange and share information to gain foresight on threats to your environment.

More from Threat Intelligence

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Hive0137 and AI-supplemented malware distribution

12 min read - IBM X-Force tracks dozens of threat actor groups. One group in particular, tracked by X-Force as Hive0137, has been a highly active malware distributor since at least October 2023. Nominated by X-Force as having the “Most Complex Infection Chain” in a campaign in 2023, Hive0137 campaigns deliver DarkGate, NetSupport, T34-Loader and Pikabot malware payloads, some of which are likely used for initial access in ransomware attacks. The crypters used in the infection chains also suggest a close relationship with former…

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today