CCTV cameras? You’ve been looking in the wrong place
Security researchers have discovered a “missing link” in the Mirai botnet that may prompt a rethink in what makes up the zombie network.
The release of Mirai’s source code in early October revealed that the malware scans for telnet before attempting to hack into devices, using a brute-force attack featuring 61 different user/password combinations.
Security researchers including Brian Krebs have been able to match this list, with a few exceptions, against the default credentials of various IoT devices. One view, espoused by DDoS mitigation outfit Imperva Incapsula, was that CCTV cameras made up the bulk of the zombie horde with DVRs and routers playing a supporting role.
New research casts further doubt on this diagnosis, already questioned by US telco Level 3, which estimated four in five Mirai bots are DVRs with the rest being routers and other miscellaneous devices, such as IP cameras and Linux servers.
UK-based security consultancy Pen Test Partners (PTP) discovered that a DVR device they recently bought was vulnerable to a previously unassigned credential pair on the Mirai hit list. “That means that the Mirai authors knew about the default credentials for this DVR, but no one else seemed to,” PTP reasons.
Some of the attributed devices were CCTV cameras, which generally offer less functionality than DVRs and might therefore be a less flexible attack platform. Looking deeper, PTP uncovered evidence that the conventional wisdom that Mirai is mostly CCTV cameras might be wrong.
“On further digging, we found that all the cameras we looked at were running near-identical code to the DVRs and ran the ‘dvrHelper’ process, as did the DVRs we looked at,” a blog post by PTP explains. “The reason the cameras were vulnerable is that they were running an uncustomised version of the DVR software, rather than being targeted specifically because they were cameras.”
A similar rationale has led PTP to posit that neither RealTek routers nor Panasonic printers are being exploited by Mirai. “Whilst the default creds are the same, it’s a coincidence,” according to PTP. “We think it’s more likely that the RealTek devices in question are from their DVR range, particularly as they are often rebadged and rebranded.
“Mirai is more to do with DVRs than CCTV cameras.
“Some have claimed that they’ve seen Mirai traffic from devices that weren’t DVRs or cameras. We’ve been running a Mirai honeypot for some time. Whilst we’ve seen scans from routers and other devices attempting these same default credentials, none of them have then tried to exploit our honeypot in the same way as Mirai.
“We think it’s more likely that there is code out there that is similar to Mirai doing this, but it’s not Mirai.” ®
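A defender-side illustration of the distinction PTP draws above, as an added example that is not part of the article or of PTP's honeypot: it parses constructed telnet honeypot log lines (the log format, source addresses and credential values are all placeholders), counts how many distinct credential pairs each source tried, and separates sources that merely swept default credentials from those that went on to issue commands after logging in.

```python
import re
from collections import defaultdict

# Constructed honeypot log (not from the article or PTP). Credentials and
# commands are placeholders, not real default credentials or Mirai behaviour.
SAMPLE_LOG = """\
2016-10-20T10:00:01Z src=203.0.113.5 port=23 event=login user=u1 pass=p1 result=fail
2016-10-20T10:00:02Z src=203.0.113.5 port=23 event=login user=u2 pass=p2 result=fail
2016-10-20T10:00:03Z src=203.0.113.5 port=23 event=login user=u3 pass=p3 result=ok
2016-10-20T10:00:04Z src=203.0.113.5 port=23 event=cmd cmd=shell
2016-10-20T10:00:05Z src=203.0.113.5 port=23 event=cmd cmd=uname
2016-10-20T10:01:00Z src=198.51.100.9 port=23 event=login user=u1 pass=p1 result=fail
2016-10-20T10:01:01Z src=198.51.100.9 port=23 event=login user=u2 pass=p2 result=fail
2016-10-20T10:01:02Z src=198.51.100.9 port=23 event=login user=u3 pass=p3 result=ok
2016-10-20T10:02:00Z src=192.0.2.77 port=23 event=login user=u1 pass=p1 result=fail
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) port=(?P<port>\d+) event=(?P<event>\w+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "src": m["src"], "port": int(m["port"]), "event": m["event"]}
    rec.update(dict(KV_RE.findall(m["rest"])))  # remaining key=value fields
    return rec


def classify_sources(log_text, min_pairs=3):
    """Per source address: distinct credential pairs tried on telnet, whether a
    login succeeded, how many commands followed, and a label for the pattern."""
    stats = defaultdict(lambda: {"pairs": set(), "login_ok": False, "cmds": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["port"] != 23:  # only telnet activity matters here
            continue
        s = stats[rec["src"]]
        if rec["event"] == "login":
            s["pairs"].add((rec.get("user"), rec.get("pass")))
            s["login_ok"] = s["login_ok"] or rec.get("result") == "ok"
        elif rec["event"] == "cmd":
            s["cmds"] += 1
    verdicts = {}
    for src, s in stats.items():
        if len(s["pairs"]) < min_pairs:
            label = "single-attempt"    # too few pairs to call it a credential sweep
        elif s["cmds"] > 0:
            label = "sweep+post-login"  # sweep, then commands: the full Mirai-like pattern
        else:
            label = "sweep-only"        # same default creds, but stopped at login
        verdicts[src] = {"pairs": len(s["pairs"]), "login_ok": s["login_ok"],
                         "cmds": s["cmds"], "label": label}
    return verdicts
```

Only sources labelled `sweep+post-login` show the two-stage behaviour (credential sweep followed by post-login activity) that PTP used to tell Mirai apart from other devices trying the same default credentials.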