Over 500,000 IoT Devices Vulnerable to Mirai Botnet

Researchers have identified more than 500,000 vulnerable Internet of Things (IoT) devices that could easily be ensnared by Mirai or similar botnets.

Mirai and at least one other botnet were recently responsible for massive distributed denial-of-service (DDoS) attacks against the website of journalist Brian Krebs and hosting provider OVH. The attack on OVH was said to have exceeded 1Tbps.

Several security firms determined that these attacks were powered by a large number of compromised IoT devices, mainly cameras and DVRs, that were protected only by weak or default credentials.

The author of Mirai decided to release the source code of the malware, claiming that he had made enough money from his creation. The source code includes a list of 60 username and password combinations that the Mirai botnet tries against the login prompt of devices it scans in order to infect them.

One of these credential sets is root/xc3511, and researchers from Flashpoint have determined that the devices associated with this username and password combination make up a significant portion of the Mirai botnet.

Experts reported that video surveillance products from Dahua Technology accounted for the highest percentage of compromised devices. However, Flashpoint traced many of the other hacked devices, which might not appear to be related at first sight, to a single vendor.

Many DVR, NVR and IP camera manufacturers get their hardware and software components from a China-based company called XiongMai Technologies. XiongMai ships vulnerable software that has ended up in at least half a million devices worldwide.

On their own, default credentials would pose a limited risk as long as the devices were reachable only from the local network. The problem is that the firmware provided by the Chinese manufacturer also includes a telnet service that is enabled by default, so any device exposed to the Internet can be logged into remotely with those credentials.

To make matters worse, the default credentials cannot be changed: they are hardcoded in the firmware, and there is no option for disabling them. The telnet service is also difficult to disable.
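The combination described above (telnet reachable plus a hardcoded credential) can be checked from the inside of a network. The following Python audit script is an added example, not code from the article, from Flashpoint or from any vendor: it connects to each host's telnet port, refuses option negotiation so the device falls back to a plain login prompt, and tries a set of default credential pairs. Only root/xc3511 appears in the article; the other pairs in the list are taken from the published Mirai source. The prompt strings it keys on (`login:`, `Password:`, a trailing `#` or `$`) are assumptions about the BusyBox login these devices run, so adjust them to what your units actually print. Run it only against devices you own or are authorized to test.

```python
"""Added audit example: find DVR/camera hosts that expose the weakness described
above, a reachable telnet service accepting a hard-coded Mirai-list credential."""
import socket

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240  # RFC 854

# Subset of the pairs in the released Mirai source; root/xc3511 heads that list
# and is the XiongMai default discussed in the article.
MIRAI_CREDENTIALS = [
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"),
    ("root", "juantech"), ("root", "123456"), ("root", "54321"),
]

def strip_iac(data: bytes) -> tuple[bytes, bytes]:
    """Split a telnet chunk into (text, negotiation replies). Every DO/WILL is
    refused so the device falls back to plain line-mode login. Assumes IAC
    sequences are not split across recv() calls (true for these short banners)."""
    text, replies = bytearray(), bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            text.append(data[i]); i += 1
            continue
        if i + 1 >= len(data):
            break
        cmd = data[i + 1]
        if cmd == IAC:                                   # escaped literal 0xFF
            text.append(IAC); i += 2
        elif cmd in (DO, DONT, WILL, WONT) and i + 2 < len(data):
            opt = data[i + 2]
            if cmd == DO:
                replies += bytes([IAC, WONT, opt])
            elif cmd == WILL:
                replies += bytes([IAC, DONT, opt])
            i += 3
        elif cmd == SB:                                  # skip subnegotiation up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                            # NOP, GA and other 2-byte commands
            i += 2
    return bytes(text), bytes(replies)

def login_succeeded(output: bytes) -> bool:
    """Did the bytes received after sending the password end in a shell prompt?
    Conservative: an unrecognised prompt counts as failure (assumed BusyBox prompts)."""
    text = output.decode("latin-1").lower().rstrip()
    if any(m in text for m in ("incorrect", "login failed", "denied")):
        return False
    if text.endswith(("login:", "password:", "username:")):
        return False                                     # device re-prompted: rejected
    return text.endswith(("#", "$"))                     # ash/BusyBox prompt

def recv_until(sock, markers, timeout):
    """Read until a marker appears (case-insensitive) or the peer goes quiet,
    answering option negotiation along the way."""
    sock.settimeout(timeout)
    buf = b""
    while not any(m in buf.lower() for m in markers):
        try:
            chunk = sock.recv(1024)
        except socket.timeout:
            break
        if not chunk:
            break
        text, replies = strip_iac(chunk)
        if replies:
            sock.sendall(replies)
        buf += text
    return buf

def try_login(host, port, user, password, timeout=3.0):
    """One telnet login attempt; raises OSError if the device drops the session."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        recv_until(s, (b"login:", b"username:"), timeout)
        s.sendall(user.encode() + b"\r\n")
        recv_until(s, (b"password:",), timeout)
        s.sendall(password.encode() + b"\r\n")
        return login_succeeded(recv_until(s, (b"#", b"$", b"incorrect", b"login:"), timeout))

def audit(hosts, ports=(23, 2323), creds=MIRAI_CREDENTIALS, timeout=3.0):
    """Return (host, port, user, password) for each host that lets a listed default
    credential in on a reachable telnet port (23, or 2323, which Mirai also scans)."""
    findings = []
    for host in hosts:
        for port in ports:
            try:
                socket.create_connection((host, port), timeout=timeout).close()
            except OSError:
                continue                                 # closed or filtered: not exposed here
            for user, pw in creds:
                try:
                    if try_login(host, port, user, pw, timeout):
                        findings.append((host, port, user, pw))
                        break
                except OSError:
                    continue                             # session reset after a bad guess; next pair
    return findings
```

Call `audit(["192.0.2.10", "192.0.2.11"])` with your own camera and DVR addresses; every tuple it returns is a device that Mirai's scanner would have taken over on first contact. A host that is reachable but returns nothing is not proven safe, only that none of the listed pairs worked against the prompts this script recognises.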

An Internet scan conducted by Flashpoint using the Shodan search engine revealed that more than 500,000 devices exhibit both weaknesses, an exposed telnet service and hardcoded credentials, making them an easy target for Mirai and other botnets.

The countries with the highest number of vulnerable devices are Vietnam (80,000), Brazil (62,000), Turkey (40,000), Taiwan (29,000), China (22,000), South Korea (21,000), Thailand (16,000), India (15,000) and the United Kingdom (14,000).

Flashpoint noted that while the Mirai botnet has ensnared many Dahua devices, a significant number of the IPs used in the recent DDoS attacks were traced back to XiongMai-based products.

Lead researcher Zach Wikholm told SecurityWeek that while Dahua accounted for 65 percent of infections in the United States, XiongMai devices accounted for nearly 70 percent in countries such as Turkey and Vietnam, where a lot of the attack traffic originated.

Wikholm also pointed out that the root/xc3511 credentials are first in Mirai’s list, which indicates that cybercriminals are aware that these devices are very popular.

Related: 150,000 IoT Devices Abused for Massive DDoS Attacks on OVH

Related: Weak Credentials Fuel IoT Botnets

Related: The IoT Sky is Falling – How Being Connected Makes Us Insecure

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
