Connect with us

Hi, what are you looking for?



Over 500,000 IoT Devices Vulnerable to Mirai Botnet

Researchers have identified more than 500,000 vulnerable Internet of Things (IoT) devices that could easily be ensnared by Mirai or similar botnets.

Researchers have identified more than 500,000 vulnerable Internet of Things (IoT) devices that could easily be ensnared by Mirai or similar botnets.

Mirai and at least one other botnet were recently responsible for massive distributed denial-of-service (DDoS) attacks against the website of journalist Brian Krebs and hosting provider OVH. The attack on OVH was said to have exceeded 1Tbps.

Several security firms determined that these attacks were powered by a large number of compromised IoT devices, mainly cameras and DVRs, that had been protected by weak or default credentials.

The author of Mirai decided to release the source code of the malware, claiming that he had made enough money from his creation. The source code includes a list of 60 username and password combinations that the Mirai botnet has been using to hack IoT devices.

One of these credential sets is root/xc3511 and researchers from Flashpoint have determined that the devices associated with this username and password combination actually make up a significant portion of the Mirai botnet.

Experts reported that video surveillance products from Dahua Technology accounted for the highest percentage of compromised devices. However, Flashpoint traced many of the other hacked devices, which might not appear to be related at first sight, to a single vendor.

Many DVR, NVR and IP camera manufacturers get their hardware and software components from a China-based company called XiongMai Technologies. XiongMai ships vulnerable software that has ended up in at least half a million devices worldwide.

The fact that these devices can be accessed with default credentials should not pose a major risk as long as they are not accessible from the Internet. The problem is that the firmware provided by the Chinese manufacturer also includes a telnet service that is active by default and which allows easy remote access to the devices.

Advertisement. Scroll to continue reading.

To make matters even worse, the default credentials cannot be changed as they are hardcoded in the firmware and there are no options for disabling them. The telnet service is also difficult to disable.

An Internet scan conducted by Flashpoint using the Shodan search engine revealed that more than 500,000 devices are plagued by both vulnerabilities, making them an easy target for Mirai and other botnets.

The countries with the highest number of vulnerable devices are Vietnam (80,000), Brazil (62,000), Turkey (40,000), Taiwan (29,000), China (22,000), South Korea (21,000), Thailand (16,000), India (15,000) and the United Kingdom (14,000).

Flashpoint noted that while the Mirai botnet has ensnared many Dahua devices, a significant number of the IPs used in the recent DDoS attacks were traced back to XiongMai-based products.

Lead researcher Zach Wikholm told SecurityWeek that while Dahua accounted for 65 percent of infections in the United States, XiongMai devices accounted for nearly 70 percent in countries such as Turkey and Vietnam, where a lot of the attack traffic originated.

Wikholm also pointed out that the root/xc3511 credentials are first in Mirai’s list, which indicates that cybercriminals are aware that these devices are very popular.

Related: 150,000 IoT Devices Abused for Massive DDoS Attacks on OVH

Related: Weak Credentials Fuel IoT Botnets

Related: The IoT Sky is Falling – How Being Connected Makes Us Insecure

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.


Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.


People on the Move

SaaS security company AppOmni has hired Joel Wallenstrom as its General Manager.

FTI Consulting has appointed Brett Callow as Managing Director in its Cybersecurity & Data Privacy Communications practice.

Mobile security firm Zimperium has welcomed David Natker as its VP of Global Partners and Alliances.

More People On The Move

Expert Insights