Internet of Things (IoT) botnets prey on the use of default or weak credentials to compromise connected devices, but the operators of such a botnet also used default credentials in their operations.
As NewSky Security researchers recently discovered, the operators of the Mirai variant Owari botnet used default credentials on their command and control (C&C) server, thus allowing easy access their database.
First spotted in late 2016, Mirai was designed to target poorly secured devices to ensnare them into large distributed denial of service (DDoS) botnets. Ever since its source code leaked online, Mirai spawned numerous variants, such as Masuta, Satori, and Okiru, as well as the more recent Wicked, Sora, Owari, and Omni iterations.
What most of these variants inherit from Mirai, the security researchers say, is the use of a MySQL database server for C&C. This database, they reveal, contains three tables: users, history, and whitelist.
A recently observed Mirai variant named Owari is using this MySQL server structure, but its operators made the very same mistakes as the owners of the devices they targeted: they failed to properly secure the server.
Thus, NewSky Security stumbled upon an Owari server on IP 80(.)211(.)232(.)43, with port 3306, the default port for MySQL database, open to the Internet.
What’s more, the security researchers discovered that the attackers used the root:root username and password pair, “one of the weakest credentials known to mankind,” to secure the database, and also enabled read/write access to everyone.
As Dr. Vesselin Bontchev points out, it’s not that easy to make a MySQL database accessible from anywhere, nonetheless to secure it so poorly that anyone can connect to it.
Like, by default, MySQL listens only to localhost. If you really want to shoot yourself in the foot and access it over the Internet, it forces you to define *triplets* of user/password/host from which the database is accessible.
— Vess (@VessOnSecurity) June 4, 2018
Having access to the database, the security researchers glanced through the three tables. The users table contained login credentials (for both malware authors and customers), and information such as attack duration limits, maximum available bots, and cooldown time between commands.
“In the specific Owari case, we observe one user with duration limit of 3600 seconds with permissible bot usage set as -1 (maximum). It is to be noted that the credentials of all these botnet users are also weak,” the security researchers reveal.
The history table revealed details on attacks carried out against various IPs (some were IoT botnet related, suggesting that the attacker might have tried to target rival botnet operators), while the whitelist table was empty, suggesting that the botnet would attack any IP or device.
The security researchers also discovered that this was only one of the two Owari-related MySQL databases exposed to the Internet and secured with root:root, with the second one located at IP 80(.)211(.)45(.)89.
Unfortunately, although they gained write access to the MySQL databases, the researchers couldn’t disrupt the botnet, because C&C-related IPs usually have a short lifespan, as they tend to be flagged fast due to bad network traffic. Thus, they often change the IPs, and the two mentioned above are already offline.
Ankit Anubhav, Principal Researcher, NewSky Security, reveals that they decided to contact an Owari operator to ask about the revenue model, and learned that the cost of hiring the botnet is of $60 per month, which involves “around 600 seconds of bot time.” Because of that, the operator can “guarantee a stable bot count,” and can cover expenses with 10 to 15 customers each month.