Consequences of IoT and Telnet: Foresight Is Better Than Hindsight

Yes, hindsight is often 20/20. But what’s better than hindsight? Foresight. This allows you to prepare for a particular event rather than merely apply the lessons learned from a past cyberattack the next time around.

Unfortunately, depending on the significance of the attack, there may not be a next time. For an example of the consequences of Internet of Things (IoT) and Telnet, look no further than the recent record-shattering distributed denial-of-service (DDoS) attack against domain name provider Dyn, which used the Mirai IoT botnet.

Cybercriminals Capitalize on IoT and Telnet

In the report titled “Beware of Older Cyber Attacks,” IBM warned that one of the oldest protocols for accessing remote computers, Telnet, could enable attackers to access IoT devices without authorization. Then, in September, a large DDoS attack targeted popular security news site KrebsOnSecurity. Initial reports indicated that an IoT botnet could have been involved.

When the source code for the known Mirai botnet leaked in early October, we figured it would only be a matter of time before cybercriminals found a way to capitalize on its use of the IoT and Telnet to take down websites via a DDoS attack.

On Friday, Oct. 21, Dyn fell victim to one of the largest cyberattacks on record. The attack disrupted internet access across the U.S. to major sites including Twitter, Netflix and Amazon. The attack most likely used tens of millions of webcams, home automation devices, wireless routers and internet-enabled appliances.

Because these devices usually come with factory-supplied passwords that consumers typically do not change, they are easy to infect. Telnet does not encrypt communications, enabling attackers to access user IDs and passwords.

The Mirai Effect

According to IBM X-Force research, the Mirai command-and-control (C&C) server leveraged the Telnet service to acquire bots using a scanner that can quickly identify any device listening on TCP port 23. There have also been reports of Mirai using port 2323, which is officially registered by the Internet Assigned Numbers Authority (IANA) for 3d-nfsd.

Inside the source code is a file called scanner.c, which the bot uses to perform brute-force scanning of a select set of IP ranges. This allows the bot to find additional hosts it can acquire by initiating a discovery scan against it. Once the scanner finds an open Telnet port, it performs a dictionary-based brute-force attack against the host. The scanner also checks to see if it can directly connect to Telnet with default credentials.

Once access is established, the bot verifies the login to the new device. When properly authenticated, the host then reports its IP address, port and authentication credentials back to the C&C. Once a target is compromised, it is then fed further instructions to execute a DDoS attack. The device continues to perform its normal functions while it perpetrates the attack.

Rise in Telnet Attack Sources

IBM Managed Security Services (MSS) data revealed a very interesting trend emerging over the last several months regarding the number of IP addresses attempting to either access or determine if the Telnet port is running. There was notable rise from May through July, and then the numbers jumped significantly from July to August — almost a 140 percent increase. Levels have remained relatively high through October.

Source IPS chart of telnet trends in 2016

There are a number of potential reasons for this increase. Certainly, Mirai played a role. However, not all the source IPs were associated with this particular botnet. When we analyzed IBM MSS security event data for a previous report, Telnet accounted for more than three-quarters of the sweep traffic. Clearly, attackers are looking for open Telnet ports. An attacker may do this as part of an effort to:

  • See if the login banner reveals something about the system and the entity that owns it.
  • Gain immediate access to the system if authentication isn’t required.
  • Try common default accounts, such as root/root, system/system, manager/manager or operator/operator, to gain unauthorized access.
  • Perform brute-force attacks to obtain passwords for common user or system accounts.

In other words, there are many bad actors out there who are interested in using Telnet to achieve their malicious goals.

Limit the Use of Telnet

While Telnet is no longer enabled by default in as many UNIX/Linux distributions as it once was, it still gets triggered by inexperienced administrators and can be enabled by default on many IoT devices. Additionally, some Telnet servers connected to the internet are running on systems ranging from Windows 10 all the way back to Windows XP.

Organizations should limit the use of Telnet in their IT environments. Disable Telnet if it is not necessary or replace it with a stronger counterpart, such as Secure Shell (SSH).

Preventing IoT Botnet DDoS Attacks

To remediate DDoS attacks, IT professionals must detect unusually high volumes of requests made by the internet-enabled devices and temporarily shut down access to them. Additionally, enterprises security teams should:

  • Perform device scanning and implement auditing software to detect factory-supplied passwords.
  • Review and implement security services that can detect both probing of Domain Name System (DNS), service providers and C&C activity, in which machines are operated by computer command.
  • Change the admin user ID and password when installing a new device. For older devices, go back and change these after rebooting the device.
  • Isolate IoT devices on protected networks and perform security testing.
  • Use enterprise firewalls, intrusion prevention systems, and identity and access management (IAM) solutions to implement access controls between IoT devices and IT resources.

Organizations must respond proactively to minimize damage. An incident response team is the single most important factor in reducing the cost of a data breach. Meanwhile, a managed web defense service can divert traffic from your environment during a DDoS attack, enabling your web properties to function normally.

Finally, continue to exchange and share information to gain foresight on threats to your environment.

Share this Article:
Michelle Alvarez

Threat Researcher and Editor, IBM Managed Security Services

Michelle Alvarez is a Threat Researcher and Editor for IBM's Managed Security Services; she brings more than 10 years of industry experience to her role. In this role she focuses communications efforts around threat research and mitigation. Michelle joined IBM through the Internet Security Services (ISS) acquisition, where she served as an Analyst on the X-Force Vulnerability Database Team.