Security Experts:

Connect with us

Hi, what are you looking for?



Oops! Botnet Operators Use Default Credentials on Command and Control Server

Internet of Things (IoT) botnets prey on the use of default or weak credentials to compromise connected devices, but the operators of such a botnet also used default credentials in their operations.

Internet of Things (IoT) botnets prey on the use of default or weak credentials to compromise connected devices, but the operators of such a botnet also used default credentials in their operations.

As NewSky Security researchers recently discovered, the operators of the Mirai variant Owari botnet used default credentials on their command and control (C&C) server, thus allowing easy access their database.

First spotted in late 2016, Mirai was designed to target poorly secured devices to ensnare them into large distributed denial of service (DDoS) botnets. Ever since its source code leaked online, Mirai spawned numerous variants, such as Masuta, Satori, and Okiru, as well as the more recent Wicked, Sora, Owari, and Omni iterations.

What most of these variants inherit from Mirai, the security researchers say, is the use of a MySQL database server for C&C. This database, they reveal, contains three tables: users, history, and whitelist.

A recently observed Mirai variant named Owari is using this MySQL server structure, but its operators made the very same mistakes as the owners of the devices they targeted: they failed to properly secure the server.

Thus, NewSky Security stumbled upon an Owari server on IP 80(.)211(.)232(.)43, with port 3306, the default port for MySQL database, open to the Internet.

What’s more, the security researchers discovered that the attackers used the root:root username and password pair, “one of the weakest credentials known to mankind,” to secure the database, and also enabled read/write access to everyone.

As Dr. Vesselin Bontchev points out, it’s not that easy to make a MySQL database accessible from anywhere, nonetheless to secure it so poorly that anyone can connect to it.

Having access to the database, the security researchers glanced through the three tables. The users table contained login credentials (for both malware authors and customers), and information such as attack duration limits, maximum available bots, and cooldown time between commands.

“In the specific Owari case, we observe one user with duration limit of 3600 seconds with permissible bot usage set as -1 (maximum). It is to be noted that the credentials of all these botnet users are also weak,” the security researchers reveal.

The history table revealed details on attacks carried out against various IPs (some were IoT botnet related, suggesting that the attacker might have tried to target rival botnet operators), while the whitelist table was empty, suggesting that the botnet would attack any IP or device.

The security researchers also discovered that this was only one of the two Owari-related MySQL databases exposed to the Internet and secured with root:root, with the second one located at IP 80(.)211(.)45(.)89.

Unfortunately, although they gained write access to the MySQL databases, the researchers couldn’t disrupt the botnet, because C&C-related IPs usually have a short lifespan, as they tend to be flagged fast due to bad network traffic. Thus, they often change the IPs, and the two mentioned above are already offline.

Ankit Anubhav, Principal Researcher, NewSky Security, reveals that they decided to contact an Owari operator to ask about the revenue model, and learned that the cost of hiring the botnet is of $60 per month, which involves “around 600 seconds of bot time.” Because of that, the operator can “guarantee a stable bot count,” and can cover expenses with 10 to 15 customers each month.

 Related: “Wicked” Variant of Mirai Botnet Emerges

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.