{"id":1450,"date":"2016-10-24T09:54:08","date_gmt":"2016-10-24T12:54:08","guid":{"rendered":"https:\/\/www.nachodelatorre.com.ar\/mosconi\/?p=1450"},"modified":"2016-10-24T09:54:08","modified_gmt":"2016-10-24T12:54:08","slug":"mas-de-500-000-dispositivos-iot-pueden-ser-potencialmente-reclutados-por-el-botnet-mirai","status":"publish","type":"post","link":"https:\/\/www.fie.undef.edu.ar\/ceptm\/?p=1450","title":{"rendered":"More than 500,000 IoT devices can potentially be recruited by the Mirai botnet"},"content":{"rendered":"<p>Security experts have discovered more than 500,000 vulnerable Internet of Things (IoT) devices that could potentially be recruited into the Mirai botnet. In recent weeks, security experts observed two of the most powerful DDoS attacks ever seen, which hit the hosting provider OVH.<!--more--><\/p>\n<p><img loading=\"lazy\" class=\"attachment-st_normal_thumb  wp-post-image alignright\" src=\"http:\/\/www.cyberdefensemagazine.com\/wp-content\/uploads\/2016\/10\/mirai-642x336.png\" sizes=\"(max-width: 642px) 100vw, 642px\" srcset=\"http:\/\/www.cyberdefensemagazine.com\/wp-content\/uploads\/2016\/10\/mirai-642x336.png 642w, http:\/\/www.cyberdefensemagazine.com\/wp-content\/uploads\/2016\/10\/mirai-500x261.png 500w\" alt=\"mirai\" width=\"346\" height=\"181\" \/>Security experts have discovered more than 500,000 vulnerable Internet of Things (IoT) devices that could potentially be recruited into the Mirai botnet.<\/p>\n<p>In recent weeks, security experts observed two of the most powerful DDoS attacks ever seen, which hit the <a href=\"http:\/\/securityaffairs.co\/wordpress\/51726\/cyber-crime\/ovh-hit-botnet-iot.html\">hosting provider OVH<\/a> and the websites of the well-known security expert Brian Krebs.<\/p>\n<p>Malware researchers believe that the attacks were launched by at least two botnets, one of them the dreaded <a 
href=\"http:\/\/securityaffairs.co\/wordpress\/50929\/cyber-crime\/linux-mirai-elf.html\">Mirai<\/a> botnet.<\/p>\n<p>The Mirai ELF trojan was first spotted by experts from MalwareMustDie in August, when the threat was targeting <a href=\"http:\/\/securityaffairs.co\/wordpress\/47079\/breaking-news\/chaos-theory-standardization-iot.html\">IoT devices<\/a> in the wild.<\/p>\n<p>Researchers believe that the attack against <a href=\"http:\/\/securityaffairs.co\/wordpress\/51726\/cyber-crime\/ovh-hit-botnet-iot.html\">OVH<\/a> was powered by a botnet composed of a large number of compromised IoT devices, including <a href=\"http:\/\/securityaffairs.co\/wordpress\/44599\/hacking\/dvrs-exposed-hardcoded-passwords.html\">DVRs<\/a> and <a href=\"http:\/\/securityaffairs.co\/wordpress\/41354\/cyber-crime\/cctv-cameras-to-ddos-attacks.html\">cameras<\/a>.<\/p>\n<p>Last week, the author of the Mirai botnet <a href=\"http:\/\/securityaffairs.co\/wordpress\/51868\/cyber-crime\/mirai-botnet-source-code.html\">released<\/a> the source code of the malware, which includes a list of 60 username\/password pairs used by the malware to compromise IoT devices.<\/p>\n<p>The list of login credentials includes the default username\/password combination root\/xc3511, which according to the experts at Flashpoint allowed the compromise of the majority of the devices composing the Mirai botnet.<\/p>\n<p>The botnet was mainly composed of video surveillance devices manufactured by Dahua Technology.<\/p>\n<p><em>\u201cWhile investigating the recent large-scale distributed denial-of-service (DDoS) attacks, Flashpoint identified the primary manufacturer of the devices that utilize the default username and password combination known as root and xc3511,\u201d reads a <\/em><a 
href=\"https:\/\/www.flashpoint-intel.com\/when-vulnerabilities-travel-downstream\/\"><strong><em>report<\/em><\/strong><\/a><em> published by Flashpoint.<\/em><\/p>\n<p><em>\u201cThese types of credentials exist all across the Internet and are commonly used via Telnet to access numerous types of DVRs. In fact, countless DVR manufacturers buy parts preloaded with Linux and rudimentary management software from a company called XiongMai Technologies, located in Hangzhou, China.\u201d<\/em><\/p>\n<p>Many device manufacturers use components from the Chinese company XiongMai Technologies. According to the experts, there are at least half a million devices worldwide using these vulnerable components that could be accessed with default credentials.<\/p>\n<p><em>\u201cDefault credentials pose little threat when a device is not accessible from the Internet. However, when combined with other defaults, such as web interfaces or remote login services like Telnet or SSH, default credentials may pose a great risk to a device,\u201d continues the report. \u201cIn this case, default credentials can be used to \u201cTelnet\u201d to vulnerable devices, turning them into \u201cbots\u201d in a botnet.\u201d<\/em><\/p>\n<p>The major risk in the firmware provided by the Chinese manufacturer comes from the combination of hardcoded default credentials and a Telnet service that is active by default and allows remote access to the devices.<\/p>\n<p><em>\u201cThe Dahua devices were identified early because of their distinctive interface and recent use in other botnets. Utilizing the \u201c<\/em><a href=\"http:\/\/github.com\/trylinux\/lift\"><em>Low Impact Identification Tool<\/em><\/a><em>\u201d or LIFT, Flashpoint was able to identify a large number of these devices in the attack data provided,\u201d states the report.<\/em><\/p>\n<p><em>\u201cThe issue with these particular devices is that a user cannot feasibly change this password. The password is hardcoded into the firmware, and the tools necessary to disable it are not present. Even worse, the web interface is not aware that these credentials even exist. Further exacerbating the issue, the Telnet service is also hardcoded into \/etc\/init.d\/rcS (the primary service startup script), which is not easy to edit. The combination of the default service and hard-coded credentials has led to the assignment of <strong>CVE-2016-1000245<\/strong> by the <\/em><a href=\"https:\/\/github.com\/distributedweaknessfiling\"><em>Distributed Weakness Filing Project<\/em><\/a><em>.\u201d<\/em><\/p>\n<p>Flashpoint scanned the internet with the Shodan search engine for flawed IoT devices.<\/p>\n<p>Flashpoint spotted more than 500,000 vulnerable devices in the wild; the countries with the highest number of vulnerable devices are Vietnam (80,000), Brazil (62,000) and Turkey (40,000).<\/p>\n<p>Large-scale DDoS attacks continue to represent a serious threat to web services across the world, and IoT devices represent a privileged attack vector due to the lack of security by design. IoT manufacturers are encouraged to take the security of their products seriously.<\/p>\n<p><strong>Source:<\/strong> <a href=\"http:\/\/www.cyberdefensemagazine.com\/more-than-500000-iot-devices-potentially-recruitable-in-the-mirai-botnet\/\" target=\"_blank\" rel=\"noopener noreferrer\"><em>http:\/\/www.cyberdefensemagazine.com<\/em><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security experts have discovered more than 500,000 vulnerable Internet of Things (IoT) devices that could potentially be recruited into the&hellip; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[23,29],"tags":[],"_links":{"self":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/1450"}],"collection":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1450"}],"version-history":[{"count":0,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/1450\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1450"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1450"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1450"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}