Security Affairs
US and allied Governments’ Recommendations: Securing Network Devices Against Russian APT Groups|Chaotic Eclipse Unveils LegacyHive Exploit Affecting Fully Patched Windows Systems|AsyncAPI npm Supply Chain Attack: Malware Injected Into Packages With 2 Million Weekly Downloads|U.S. CISA adds SonicWall and Microsoft flaws to its Known Exploited Vulnerabilities catalog|SonicWall warns of active exploitation of two SMA 1000 zero-days|Patch Tuesday security updates for July 2026, the largest update ever. 621 CVEs in one month|U.S. Treasury Sanctions VPN Provider and Cryptor Seller Behind Billions in Ransomware Losses|Attacker Used AI to Build Custom PowerShell Recon Malware|Malware Hits Japan’s Largest Taxi Company Nihon Kotsu, Services Temporarily Suspended|CrashStealer: New macOS Infostealer Uses Signed Apps to Evade Gatekeeper|Lidl Notified Online Shop Customers in Germany, Belgium, and the Netherlands of a Data Breach|U.S. CISA adds a Cisco IOS flaw to its Known Exploited Vulnerabilities catalog|US and allied Governments’ Recommendations: Securing Network Devices Against Russian APT Groups|Chaotic Eclipse Unveils LegacyHive Exploit Affecting Fully Patched Windows Systems|AsyncAPI npm Supply Chain Attack: Malware Injected Into Packages With 2 Million Weekly Downloads|U.S. CISA adds SonicWall and Microsoft flaws to its Known Exploited Vulnerabilities catalog|SonicWall warns of active exploitation of two SMA 1000 zero-days|Patch Tuesday security updates for July 2026, the largest update ever. 621 CVEs in one month|U.S. Treasury Sanctions VPN Provider and Cryptor Seller Behind Billions in Ransomware Losses|Attacker Used AI to Build Custom PowerShell Recon Malware|Malware Hits Japan’s Largest Taxi Company Nihon Kotsu, Services Temporarily Suspended|CrashStealer: New macOS Infostealer Uses Signed Apps to Evade Gatekeeper|Lidl Notified Online Shop Customers in Germany, Belgium, and the Netherlands of a Data Breach|U.S. CISA adds a Cisco IOS flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

More than 500,000 IoT devices potentially recruitable in the Mirai Botnet

Security experts have discovered more than 500,000 vulnerable Internet of Things (IoT) devices that could be potentially recruited in the Mirai botnet. In the last weeks, security experts observed two of the powerful DDoS attacks of ever that hit the hosting provider OVH and the websites of the popular security expert Brian Krebs. Malware researchers believe that the […]

More than 500,000 IoT devices potentially recruitable in the Mirai Botnet

Security experts have discovered more than 500,000 vulnerable Internet of Things (IoT) devices that could be potentially recruited in the Mirai botnet.

In the last weeks, security experts observed two of the powerful DDoS attacks of ever that hit the hosting provider OVH and the websites of the popular security expert Brian Krebs.

Malware researchers believe that the attacks were launched by at least a couple of botnets, one of them is the dreaded Mirai botnet.

The Mirai ELF trojan was first spotted by experts from MalwareMustDie in August, the threat was targeting IoT devices in the wild.

Researchers believe that the attack against the OVH was powered by a botnet composed of a large number of compromised IoT devices, including DVRs and cameras.

Last week, the author of Mirai botnet released the source code of the malware that includes a list of 60 couples of usernames and passwords used by the malware to compromise the IoT devices.

The list of login credentials includes the default username/password combination root/xc3511 that according to the experts at Flashpoint allowed the hack in the majority of devices composing the Mirai botnet.

The botnet was mainly composed of video surveillance devices manufactured by Dahua Technology.

“While investigating the recent large-scale distributed denial-of-service (DDoS) attacks, Flashpoint identified the primary manufacturer of the devices that utilize the default username and password combination known as root and xc3511.” reads a report published by Flashpoint.

“These types of credentials exist all across the Internet and are commonly used via Telnet to access numerous types of DVRs. In fact, countless DVR manufacturers buy parts preloaded with Linux and rudimentary management software from a company called XiongMai Technologies, located in Hangzhou, China.”

Many device manufacturers use components of the Chinese company XiongMai Technologies. According to the experts, there are at least half a million devices worldwide using these vulnerable components that could be accessed with default credentials.

“Default credentials pose little threat when a device is not accessible from the Internet. However, when combined with other defaults, such as web interfaces or remote login services like Telnet or SSH, default credentials may pose a great risk to a device.” continues the report. “In this case, default credentials can be used to “Telnet” to vulnerable devices, turning them into “bots” in a botnet.”

The major risk related the firmware provided by the Chinese manufacturer is related to the combination of default hardcoded credentials and the availability of a Telnet service that is active by default and which allows remote access to the devices.

“The Dahua devices were identified early because of their distinctive interface and recent use in other botnets. Utilizing the “botnets. Utilizing the “Low Impact Identification Tool” or LIFT, Flashpoint was able to identify a large number of these devices in the attack data provided.” states the report.

“The issue with these particular devices is that a user cannot feasibly change this password. The password is hardcoded into the firmware, and the tools necessary to disable it are not present. Even worse, the web interface is not aware that these credentials even exist. Further exacerbating the issue, the Telnet service is also hardcoded into /etc/init.d/rcS (the primary service startup script), which is not easy to edit. The combination of the default service and hard-coded credentials has led to the assignment of has led to the assignment of CVE-2016-1000245 by the Distributed Weakness Filing Project.”

Flashpoint scanned the internet with the Shodan search engine for flawed IoT devices.

FlashPoint spotted more than 500,000 vulnerable devices in the wild, the countries with the highest number of vulnerable devices are Vietnam (80,000), Brazil (62,000) and Turkey (40,000).

mirai-shodan-vulnerable-devices

Large-scale DDoS attacks continue to represent a serious threat for web services across the world, and IoT devices represent a privileged attack vector due to the lack of security by design. IoT manufacturers are encouraged to seriously consider the approach at the security of their products.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Linux Mirai malware, IoT)