Followers of the Bach Seat know that passwords suck and now default passwords really suck. In fact, default passwords seem to be a key part of the massive DDOS attack that disabled large parts of the Internet on October 21, 2016. The cyberattack targeted Internet traffic company DYN. DYN provides DNS services for many high-profile sites. Some of the sites affected by the attack on Dyn included; Amazon (AMZN), Business Insider, New York Times, Reddit, and Twitter (TWTR).
Security researcher Brian Krebs, whose site, krebsonsecurity.com, was one of the first sites hit by a massive 620 GB/s DDoS attack, has reported the Mirai botnet was at the center of the attack on his site. CIO.com reports ‘Mirai’ can break into a wide range of Internet of Things (IoT) devices from CCTV cameras to DVRs to home networking equipment turning them into ‘bots. CIO reports a single Chinese vendor, Hangzhou Xiongmai Technology made many of the devices used in the Mirai attacks.
Level 3 Communications says there are nearly half a million Mirai-powered bots worldwide. To amass an IoT botnet, a Mirai bot herder scans a broad range of IP addresses, trying to login to devices using a list of default usernames and passwords that are baked into Mirai code, according to US-CERT. The Mirai zombie devices are largely security cameras, DVRs, and home routers. Mr. Krebs identified some of the specific devices.
Mirai Passwords
| Username | Password | Function |
|---|---|---|
| admin | 123456 | |
| root | 123456 | ACTi IP camera |
| admin | password | |
| admin1 | password | |
| root | password | |
| admin | 12345 | |
| root | 12345 | |
| guest | 12345 | |
| admin | 1234 | |
| root | 1234 | |
| administrator | 1234 | |
| 888888 | 888888 | |
| 666666 | 666666 | Dahua IP camera |
| admin | (none) | |
| admin | 1111 | Xerox printers, etc. |
| admin | 1111111 | Samsung IP camera |
| admin | 54321 | |
| admin | 7ujMko0admin | Dahua IP camera |
| admin | admin | |
| admin | admin1234 | |
| admin | meinsm | Mobotix network camera |
| admin | pass | |
| admin | smcadmin | SMC router |
| Administrator | admin | |
| guest | guest | |
| mother | fucker | |
| root | (none) | Viviotek IP camera |
| root | 00000000 | Panasonic printers |
| root | 1111 | |
| root | 54321 | Packet8 VoIP phone |
| root | 666666 | Dahua DVR |
| root | 7ujMko0admin | Dahua IP camera |
| root | 7ujMko0vizxv | Dahua IP camera |
| root | 888888 | Dahua DVR |
| root | admin | IPX-DDK network camera |
| root | anko | Anko Products DVR |
| root | default | |
| root | dreambox | Dreambox TV receiver |
| root | hi3518 | HiSilicon IP Camera |
| root | ikwb | Toshiba network camera |
| root | juantech | Guangzhou Juan Optical |
| root | jvbzd | HiSilicon IP Camera |
| root | klv123 | HiSilicon IP Camera |
| root | klv1234 | HiSilicon IP Camera |
| root | pass | |
| root | realtek | Realtek router |
| root | root | |
| root | system | IQinVision camera, etc. |
| root | user | |
| root | vizxv | Dahua camera |
| root | xc3511 | H.264 - Chinese DVR |
| root | xmhdipc | Senzhen Anran security camera |
| root | zlxx. | EV ZLX two way speaker |
| root | Zte521 | ZTE router |
| service | service | |
| supervisor | supervisor | VideoIQ |
| support | support | |
| tech | tech | |
| ubnt | ubnt | Ubiquiti AirOS Router |
| user | user |
US-CERT says the purported author of Mirai claims to have 380,000 IoT devices are under its control. Some estimate the botnet has generated greater than 1Tbps DDoS attacks.
When Mirai botnets are called upon to carry out DDoS attacks, they can draw on a range of tools including ACK, DNS, GRE, SYN, UDP and Simple Text Oriented Message Protocol (STOMP) floods, says Josh Shaul, vice president of web security for Akamai.
rb-
Followers of Bach Seat already know that many of the default passwords used by Mirai are among the worst and should have been changed already. They include:
- Password
- 123456
- 12345
- 1234
While reports say, Chinese vendor, XiongMai Technologies equipment was widely exploited, other notable tech firms are included. The Mirai zombie army includes equipment from Xerox (XRX), Toshiba (TOSBF), Samsung (005930), Panasonic (6752), and ZTE (763).
I wrote about security cameras being compromised as part of botnets back in July here.
Related articles
- Terabit-scale DDoS events are on the horizon (helpnetsecurity.com)
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.