Over 500,000 IoT Devices Vulnerable to Mirai Botnet

Researchers have identified more than 500,000 vulnerable Internet of Things (IoT) devices that could easily be ensnared by Mirai or similar botnets.

Mirai and at least one other botnet were recently responsible for massive distributed denial-of-service (DDoS) attacks against the website of journalist Brian Krebs and hosting provider OVH. The attack on OVH was said to have exceeded 1 Tbps.

Several security firms determined that these attacks were powered by a large number of compromised IoT devices, mainly cameras and DVRs, that had been protected by weak or default credentials.

The author of Mirai decided to release the source code of the malware, claiming that he had made enough money from his creation. The source code includes a list of 60 username and password combinations that the Mirai botnet has been using to hack IoT devices.

One of these credential sets is root/xc3511 and researchers from Flashpoint have determined that the devices associated with this username and password combination actually make up a significant portion of the Mirai botnet.

Experts reported that video surveillance products from Dahua Technology accounted for the highest percentage of compromised devices. However, Flashpoint traced many of the other hacked devices, which might not appear to be related at first sight, to a single vendor.

Many DVR, NVR and IP camera manufacturers get their hardware and software components from a China-based company called XiongMai Technologies. XiongMai ships vulnerable software that has ended up in at least half a million devices worldwide.


The fact that these devices can be accessed with default credentials should not pose a major risk as long as they are not reachable from the Internet. The problem is that the firmware provided by the Chinese manufacturer also includes a telnet service that is active by default and that allows easy remote access to the devices.

To make matters even worse, the default credentials cannot be changed because they are hardcoded in the firmware, and there is no option for disabling them. The telnet service is also difficult to disable.

An Internet scan conducted by Flashpoint using the Shodan search engine revealed that more than 500,000 devices are plagued by both vulnerabilities, making them an easy target for Mirai and other botnets.

The countries with the highest number of vulnerable devices are Vietnam (80,000), Brazil (62,000), Turkey (40,000), Taiwan (29,000), China (22,000), South Korea (21,000), Thailand (16,000), India (15,000) and the United Kingdom (14,000).

Flashpoint noted that while the Mirai botnet has ensnared many Dahua devices, a significant number of the IPs used in the recent DDoS attacks were traced back to XiongMai-based products.

Lead researcher Zach Wikholm told SecurityWeek that while Dahua accounted for 65 percent of infections in the United States, XiongMai devices accounted for nearly 70 percent in countries such as Turkey and Vietnam, where a lot of the attack traffic originated.

Wikholm also pointed out that the root/xc3511 credentials are first in Mirai’s list, which indicates that cybercriminals are aware that these devices are very popular.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
