
Mirai-like Scanning Activity Detected From China, With Targets in Brazil

  • Posted on:April 11, 2018 at 12:58 am
  • Posted in:Internet of Things
  • Author:
    Trend Micro

by Trend Micro IoT Reputation Service Team

Our network monitoring system recently detected a surge of Mirai-like scanning activity originating in China. Between 1:00 p.m. UTC on March 31 and 12:00 a.m. UTC on April 3, our team observed scanning traffic from 3,423 distinct source IP addresses. Brazil appeared to be the target: the scanners were probing networked devices there, including routers and IP cameras.

Figure 1. Mirai-like scanning activity from China

This behavior matches the Mirai botnet's infection chain: infected devices continuously scan the internet for potentially vulnerable devices and then log in with factory-default credentials to hijack them. In this campaign, however, the scanners tried some username and password pairs that were not in the original Mirai list.

Figure 2. Scan behavior

China-made routers and some new default credentials used

New username and password pairs in a scanner's credential list usually point to new target device models. Some of the pairs we found are the factory-default credentials of telecom home routers sold in China.

Figure 3. Default usernames and passwords used in the original Mirai botnet

Examples include the pairs telnetadmin:telnetadmin, e8telnet:e8telnet, and e8ehome:e8ehome, which are the defaults on the E-140W-P, HGU421v3, and E8C models, respectively. The scanners appeared to be probing for the same router models deployed in Brazil.

Figure 4. Top 24 username and password combinations used in this operation
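The scan pattern described above, a single source trying several default credential pairs against several hosts on TCP/23 in a short window, can be picked out of telnet authentication logs. The following detector is an added example and not code from the original post or from Trend Micro. The log format (key=value lines), the source and destination addresses, and the timestamps are constructed for this example; the credential list contains the three router defaults named in the post plus a handful of pairs from the published Mirai scanner source.

```python
"""Flag Mirai-style telnet default-credential scanning in telnet auth logs.

Added example; the log format and sample data below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Default pairs named in the post (Chinese telecom home routers) plus a few
# pairs carried by the original Mirai scanner.
DEFAULT_CREDS = {
    ("telnetadmin", "telnetadmin"),  # E-140W-P
    ("e8telnet", "e8telnet"),        # HGU421v3
    ("e8ehome", "e8ehome"),          # E8C
    ("root", "xc3511"),              # original Mirai list
    ("root", "vizxv"),
    ("admin", "admin"),
    ("root", "admin"),
}

# Constructed sample log (hypothetical key=value format, RFC 5737 addresses).
SAMPLE_LOG = """\
2018-03-31T13:02:11Z src=203.0.113.7 dst=198.51.100.9 dport=23 user=e8telnet pass=e8telnet result=fail
2018-03-31T13:02:12Z src=203.0.113.7 dst=198.51.100.9 dport=23 user=e8ehome pass=e8ehome result=fail
2018-03-31T13:02:13Z src=203.0.113.7 dst=198.51.100.14 dport=23 user=telnetadmin pass=telnetadmin result=success
2018-03-31T13:02:14Z src=203.0.113.7 dst=198.51.100.27 dport=23 user=root pass=xc3511 result=fail
2018-03-31T13:05:40Z src=203.0.113.9 dst=198.51.100.9 dport=23 user=admin pass=admin result=fail
2018-03-31T13:06:01Z src=192.0.2.44 dst=198.51.100.30 dport=23 user=carlos pass=S3cure!Pass#2018 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>\w+)$"
)


def parse_log(text):
    """Parse key=value telnet auth lines into dicts; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def default_cred_logins(events):
    """Every attempt (successful or not) that used a known default pair."""
    return [ev for ev in events if (ev["user"], ev["pw"]) in DEFAULT_CREDS]


def scanning_sources(events, window=timedelta(minutes=5), min_pairs=3, min_dsts=2):
    """Sources that try >= min_pairs distinct credentials against >= min_dsts
    hosts on TCP/23 inside `window`. A single wrong password is a typo; many
    pairs sprayed across hosts is the Mirai scan loop."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["dport"] == 23:
            by_src[ev["src"]].append(ev)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):          # sliding time window
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            pairs = {(e["user"], e["pw"]) for e in span}
            dsts = {e["dst"] for e in span}
            if (len(pairs) >= min_pairs and len(dsts) >= min_dsts
                    and len(pairs) > flagged.get(src, {}).get("pairs", 0)):
                flagged[src] = {
                    "pairs": len(pairs),
                    "hosts": len(dsts),
                    # hosts that accepted a credential: likely now bots themselves
                    "compromised": sorted(e["dst"] for e in span
                                          if e["result"] == "success"),
                }
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(len(default_cred_logins(evs)), "default-credential attempts")
    for src, info in scanning_sources(evs).items():
        print(src, info)
```

On the constructed sample, 203.0.113.7 is flagged for spraying four distinct pairs across three hosts within seconds, and the host that accepted telnetadmin:telnetadmin is listed as compromised; the single admin:admin attempt from 203.0.113.9 and the legitimate login from 192.0.2.44 are not flagged. Thresholds are tunable per site, and the same two functions can be fed real logs by swapping `LINE_RE` for the local format.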

Routers, IP cameras, and DVRs used to probe targets

We checked some of the scanner IP addresses against historical databases and identified 167 routers, 16 IP cameras, and four digital video recorders (DVRs) among the scanning hosts. In other words, the botnet operator was using already-compromised devices to probe the targets.

Figure 5. Login attempts to a broadband router

Most of the identified bot routers were Broadcom-based routers still using default passwords. This is consistent with Broadcom being a leading provider of home router software development kits (SDKs).

Figure 6. IP geographical distribution of top areas in China with scanning activity

Trend Micro recommendations and solutions

Default passwords are a well-known entry point for attackers seeking access to exposed devices, and this campaign is another case in point. We therefore reiterate our advice to device owners: change default passwords and avoid easy-to-guess credential combinations. Refrain from using dictionary words, familiar names, or personally identifiable information (PII). We recommend passwords of at least 15 characters that mix uppercase and lowercase letters, numbers, and special characters.

In addition, owners of internet-of-things (IoT) devices can segment their networks and isolate those devices from public networks; restricting inbound traffic to the specific ports a device actually needs is a further measure. Manufacturers, for their part, share the responsibility for securing device users by implementing security end to end, from the device to the cloud. This includes paying close attention to potentially vulnerable product components and delivering patches whenever needed.

Beyond the best practices above, users can employ security solutions that monitor network traffic, identify potential attacks, and block suspicious activity on devices connected to the network. Our IoT Reputation Service (IoTRS), provided by the cloud-based Trend Micro™ Smart Protection Network™ infrastructure and integrated into several Trend Micro IoT security solutions, has updated its real-time block list to protect against this threat and other malicious web accesses and aberrant behavior associated with smart devices, including home routers, DVRs, and networked security cameras.

Users of the Trend Micro Smart Home Network™ solution are also protected from this threat via these intrusion prevention rules:

  • 1134550 TELNET Default Password Login -24
  • 1134551 TELNET Default Password Login -25
  • 1134552 TELNET Default Password Login -26
  • 1133796 TELNET Default Credential Login Attempt -1
