Researchers looking into the Mirai botnet that has been used in two massive DDoS attacks in the last couple of weeks have discovered that many of the compromised IoT devices in the botnet include components from one Chinese manufacturer and have hardcoded credentials that can’t be changed.
The Mirai botnet is made up of a variety of IoT devices such as surveillance cameras and DVRs that have been compromised via Telnet. The malware that’s used in the botnet infects new devices by connecting to them over Telnet with default credentials and then installing itself on the device. Mirai has been used to attack journalist Brian Krebs’s site and also to hit hosting provider OVH. The two attacks were among the largest DDoS attacks ever seen in terms of traffic volume, with the OVH attack being in the range of 1 Tbps. The botnet has been operating for some time, but it has received far more attention since the two huge attacks and the subsequent release of the Mirai source code.
Now, researchers at Flashpoint have found that a large percentage of the devices in the Mirai botnet contain components manufactured by XiongMai Technologies, a Chinese company that sells products to many DVR and IP camera makers. The devices that use these components have a default username and password, and attackers can log into them remotely.
“The issue with these particular devices is that a user cannot feasibly change this password. The password is hardcoded into the firmware, and the tools necessary to disable it are not present. Even worse, the web interface is not aware that these credentials even exist. Further exacerbating the issue, the Telnet service is also hardcoded into /etc/init.d/rcS (the primary service startup script), which is not easy to edit,” Zach Wikholm of Flashpoint wrote in a report on the company’s findings.
There’s also a separate vulnerability that allows attackers to bypass the web authentication mechanism that devices running XiongMai’s CMS or NetSurveillance software use.
“The login URL for the device, http://<IP_address_of_device>/Login.htm, prompts for a username and password. Once the user logs in, the URL does not change but instead loads a second page: DVR.htm. While researching CVE-2016-1000245, Flashpoint identified a vulnerability whereby the web authentication can be bypassed by navigating to DVR.htm prior to login. This vulnerability has been assigned CVE-2016-1000246. It should be noted that both vulnerabilities appear in the same devices. Any DVR, NVR or camera running the web software ‘uc-httpd’, especially version 1.0.0, is potentially vulnerable. Out of those, any that have the ‘Expires: 0’ field in their server header are vulnerable to both,” Wikholm said.
The researchers found 515,000 devices online that have both vulnerabilities.
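The bypass Wikholm describes has a recognisable access pattern: a client fetches the post-login page DVR.htm without ever having submitted a login. The following script, an added example that is not part of Flashpoint’s report or the device firmware, runs that check over constructed access-log lines in common log format, as a reverse proxy or IDS placed in front of such a device would record them; it assumes the login form POSTs to /Login.htm and that a 200 on that POST means the login succeeded.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in common log format (not captured from a real device).
SAMPLE_LOG = """\
192.0.2.10 - - [03/Oct/2016:12:00:01 +0000] "GET /Login.htm HTTP/1.1" 200 1024
192.0.2.10 - - [03/Oct/2016:12:00:05 +0000] "POST /Login.htm HTTP/1.1" 200 512
192.0.2.10 - - [03/Oct/2016:12:00:06 +0000] "GET /DVR.htm HTTP/1.1" 200 8192
198.51.100.7 - - [03/Oct/2016:12:01:00 +0000] "GET /DVR.htm HTTP/1.1" 200 8192
203.0.113.5 - - [03/Oct/2016:12:02:00 +0000] "GET /Login.htm HTTP/1.1" 200 1024
203.0.113.5 - - [03/Oct/2016:12:02:05 +0000] "POST /Login.htm HTTP/1.1" 401 128
203.0.113.5 - - [03/Oct/2016:12:02:10 +0000] "GET /DVR.htm HTTP/1.1" 200 8192
"""

# Common log format: client, ident, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_bypass_attempts(log_text):
    """Map client IP -> timestamps of DVR.htm requests made without a prior
    successful login from that IP. Assumption (not stated in the report): the
    login form POSTs to /Login.htm and a 200 on that POST means success."""
    authenticated = set()
    suspects = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, status = m.group("ip", "ts", "method", "status")
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path == "/Login.htm" and method == "POST" and status == "200":
            authenticated.add(ip)
        elif path == "/DVR.htm" and ip not in authenticated:
            # Post-login page fetched by a client that never logged in: the
            # access pattern of the CVE-2016-1000246 bypass.
            suspects[ip].append(ts)
    return dict(suspects)

if __name__ == "__main__":
    for ip, times in find_bypass_attempts(SAMPLE_LOG).items():
        print(f"{ip}: DVR.htm fetched without login at {', '.join(times)}")
```

The 192.0.2.10 session is a normal login followed by DVR.htm and is not reported; the other two clients reach DVR.htm with no login or after a rejected one and are flagged.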