Site icon Sophos News

Knock and don’t run: the tale of the relentless hackerbots

If you have an IoT device in your home, you could be receiving an average of 13 login attempts to these devices per minute.

That’s what I found in my latest research project. Over the past 3 months, I’ve setup and monitored 10 honeypots located across 5 different continents. These have been waiting patiently for SSH login attempts to better understand how often you face cybercriminals knocking at your network’s metaphorical front door.

Once I’d set up the honeypots, it took no time at all for the hackers to begin their login attempts. In one instance, a device was attacked less than one minute after deployment, in others it took nearly two hours before login attempts began. But once the login attempts started, the attacks were relentless and continuous. In total, I saw more than 5 million attempted attacks on all my honeypots, over the 30-day period they were live.

But that wasn’t all I found.

Default usernames and passwords

The research revealed that a lot of the login attempts monitored on these honeypots were using default usernames and passwords of devices that the average person would find in their home.

I saw default username and password combinations for routers, CCTV cameras and NAS devices, and combinations like the username pi with the password raspberry popping up together many times over.

This is the default username and password combination for Raspbian, which is a distribution of Linux designed for the Raspberry Pi.

Why is my device online?

Maybe you’re reading this feeling safe, because your router, camera or other IOT device is safely tucked behind Network Address Translation (NAT), hidden from the outside world.

You might not be as safe as you think. Earlier this year, a hacker that goes by the name of TheHackerGiraffe proved that NAT provides us with a false sense of security when he/she found over 70,000 Chromecasts had made their way to the outside world and could be contacted by anyone.

TheHackerGiraffe took the liberty of playing an unwanted video on just over 65,000 of these devices.

Why is it that our home devices are popping up online?

The answer is Universal Plug and Play (UPnP).

UPnP in its current form is designed for convenience. It’s a system that makes it easier for home networking devices to talk to one another through a domestic router or gateway without the user having to do anything.

But the security issue with UPnP is one with the IOT vendors’ implementation. UPnP is implemented on almost all modern routers, and can automatically set up a rule to reveal your device to the internet (and everyone on it) through your NAT – something known as port forwarding.

Password patterns

We’ve mentioned before on Naked Security that the more random your password, the less likely it is to be guessed. But many of the password attempts on my honeypots follow a pattern.

1qaz2wsx and 1q2w3e4r were seen frequently in login attempts to all regions. Although, as a password these aren’t as obviously bad as qwerty, if you take a moment to look at your keyboard, you’ll see the correlation of letters and numbers is very tight.

These passwords have been used so frequently that they are near the top of the cybercriminals’ toolkit. In fact, 1qaz2wsx has been seen 756,613 times and 1q2w3e4r 631,071 times in data breaches, according to breach website Have I Been Pwned.

What to do?

How everyone can stay secure

  1. Change passwords from their default
  2. Use a complex and unique password for every service
  3. Use a password manager to keep track of passwords, so you only have to remember the manager’s master password
  4. Turn off UPnP on your home router

How to keep your business safe

  1. On SSH servers, use key-based authentication, not just a password
  2. Use fail2ban on Linux servers to limit the number of login attempts someone can make
  3. Use Sophos Antivirus for Linux (it’s free) to catch known payloads that are dropped by the adversary once they’re in

Want to learn more?

Read the full report: Exposed: Cyberattacks on Cloud Honeypots.

Exit mobile version