November 8, 2016 By Michelle Alvarez 4 min read

Yes, hindsight is often 20/20. But what’s better than hindsight? Foresight. This allows you to prepare for a particular event rather than merely apply the lessons learned from a past cyberattack the next time around.

Unfortunately, depending on the significance of the attack, there may not be a next time. For an example of the consequences of Internet of Things (IoT) and Telnet, look no further than the recent record-shattering distributed denial-of-service (DDoS) attack against domain name provider Dyn, which used the Mirai IoT botnet.

Cybercriminals Capitalize on IoT and Telnet

In the report titled “Beware of Older Cyber Attacks,” IBM warned that one of the oldest protocols for accessing remote computers, Telnet, could enable attackers to access IoT devices without authorization. Then, in September, a large DDoS attack targeted popular security news site KrebsOnSecurity. Initial reports indicated that an IoT botnet could have been involved.

When the source code for the known Mirai botnet leaked in early October, we figured it would only be a matter of time before cybercriminals found a way to capitalize on its use of the IoT and Telnet to take down websites via a DDoS attack.

On Friday, Oct. 21, Dyn fell victim to one of the largest cyberattacks on record. The attack disrupted internet access across the U.S. to major sites including Twitter, Netflix and Amazon. The attack most likely used tens of millions of webcams, home automation devices, wireless routers and internet-enabled appliances.

Because these devices usually come with factory-supplied passwords that consumers typically do not change, they are easy to infect. Telnet does not encrypt communications, enabling attackers to access user IDs and passwords.

The Mirai Effect

According to IBM X-Force research, the Mirai command-and-control (C&C) server leveraged the Telnet service to acquire bots using a scanner that can quickly identify any device listening on TCP port 23. There have also been reports of Mirai using port 2323, which is officially registered by the Internet Assigned Numbers Authority (IANA) for 3d-nfsd.

Inside the source code is a file called scanner.c, which the bot uses to perform brute-force scanning of a select set of IP ranges. This allows the bot to find additional hosts it can acquire by initiating a discovery scan against it. Once the scanner finds an open Telnet port, it performs a dictionary-based brute-force attack against the host. The scanner also checks to see if it can directly connect to Telnet with default credentials.

Once access is established, the bot verifies the login to the new device. When properly authenticated, the host then reports its IP address, port and authentication credentials back to the C&C. Once a target is compromised, it is then fed further instructions to execute a DDoS attack. The device continues to perform its normal functions while it perpetrates the attack.

Rise in Telnet Attack Sources

IBM Managed Security Services (MSS) data revealed a very interesting trend emerging over the last several months regarding the number of IP addresses attempting to either access or determine if the Telnet port is running. There was notable rise from May through July, and then the numbers jumped significantly from July to August — almost a 140 percent increase. Levels have remained relatively high through October.

There are a number of potential reasons for this increase. Certainly, Mirai played a role. However, not all the source IPs were associated with this particular botnet. When we analyzed IBM MSS security event data for a previous report, Telnet accounted for more than three-quarters of the sweep traffic. Clearly, attackers are looking for open Telnet ports. An attacker may do this as part of an effort to:

  • See if the login banner reveals something about the system and the entity that owns it.
  • Gain immediate access to the system if authentication isn’t required.
  • Try common default accounts, such as root/root, system/system, manager/manager or operator/operator, to gain unauthorized access.
  • Perform brute-force attacks to obtain passwords for common user or system accounts.

In other words, there are many bad actors out there who are interested in using Telnet to achieve their malicious goals.

Limit the Use of Telnet

While Telnet is no longer enabled by default in as many UNIX/Linux distributions as it once was, it still gets triggered by inexperienced administrators and can be enabled by default on many IoT devices. Additionally, some Telnet servers connected to the internet are running on systems ranging from Windows 10 all the way back to Windows XP.

Organizations should limit the use of Telnet in their IT environments. Disable Telnet if it is not necessary or replace it with a stronger counterpart, such as Secure Shell (SSH).

Preventing IoT Botnet DDoS Attacks

To remediate DDoS attacks, IT professionals must detect unusually high volumes of requests made by the internet-enabled devices and temporarily shut down access to them. Additionally, enterprises security teams should:

  • Perform device scanning and implement auditing software to detect factory-supplied passwords.
  • Review and implement security services that can detect both probing of Domain Name System (DNS), service providers and C&C activity, in which machines are operated by computer command.
  • Change the admin user ID and password when installing a new device. For older devices, go back and change these after rebooting the device.
  • Isolate IoT devices on protected networks and perform security testing.
  • Use enterprise firewalls, intrusion prevention systems, and identity and access management (IAM) solutions to implement access controls between IoT devices and IT resources.

Organizations must respond proactively to minimize damage. An incident response team is the single most important factor in reducing the cost of a data breach. Meanwhile, a managed web defense service can divert traffic from your environment during a DDoS attack, enabling your web properties to function normally.

Finally, continue to exchange and share information to gain foresight on threats to your environment.

More from Threat Intelligence

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today