Attacks from over 120,000 unique IPs detected in June 2016

Sep 7, 2016 12:18 GMT

There are at least 40,000 unique IP addresses launching brute-force attacks against Telnet ports on a daily basis, and most of these IPs belong to embedded and IoT devices.

Attacks against Telnet ports more than double the number of attacks on SSH ports, according to data collected by CZ.NIC from one of their honeypot servers.

The same data showed a sharp increase in attacks against Telnet ports starting with the end of May 2016, with the number of unique attackers going up from 40,000 IP addresses per day to around 120,000 in June and coming back down to 40,000 towards the end of August.
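As an added illustration, not CZ.NIC's code or data, the following script reduces honeypot login records to the "unique attacking IPs per day, per service" series described above and flags a surge like the one seen at the end of May. The log format and all addresses are constructed for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed sample of honeypot login attempts (not real honeypot data):
# "<date> <service> <source-ip>", one line per attempt.
SAMPLE_LOG = """\
2016-05-30 telnet 198.51.100.10
2016-05-30 telnet 198.51.100.10
2016-05-30 telnet 198.51.100.11
2016-05-30 ssh 203.0.113.5
2016-05-31 telnet 198.51.100.12
2016-05-31 telnet 198.51.100.13
2016-05-31 ssh 203.0.113.5
2016-06-01 telnet 198.51.100.20
2016-06-01 telnet 198.51.100.21
2016-06-01 telnet 198.51.100.22
2016-06-01 telnet 198.51.100.23
2016-06-01 telnet 198.51.100.24
2016-06-01 telnet 198.51.100.25
2016-06-01 ssh 203.0.113.6
"""

def unique_sources_per_day(log_text):
    """Return {service: {date: set of unique source IPs}}; repeats collapse."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed or empty lines
        date, service, src = parts
        seen[service][date].add(src)
    return seen

def daily_counts(log_text):
    """Number of unique attacking IPs per day for each service."""
    seen = unique_sources_per_day(log_text)
    return {svc: {d: len(ips) for d, ips in days.items()}
            for svc, days in seen.items()}

def spike_days(counts, factor=2.0):
    """Days whose unique-attacker count is at least factor x the median
    of all other days; a crude baseline check for a sudden surge."""
    spikes = []
    for day in sorted(counts):
        others = [v for d, v in counts.items() if d != day]
        if others and counts[day] >= factor * median(others):
            spikes.append(day)
    return spikes

if __name__ == "__main__":
    counts = daily_counts(SAMPLE_LOG)
    for svc, per_day in counts.items():
        print(svc, per_day, "spikes:", spike_days(per_day))
```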

Most Telnet brute-force attacks came from routers, DVRs, and CCTV cameras

After analyzing the IP addresses at the origin of these attacks, researchers found that the vast majority came from countries such as China, Brazil, Vietnam, Turkey, Taiwan, Russia, India, South Korea, the US, and the Philippines.

Using Shodan to analyze a batch of IP addresses, researchers discovered that most of them came from embedded devices, such as routers, CCTV cameras, DVRs, and other devices that came equipped with various types of embedded web servers.

Some of these devices included high-profile vulnerabilities, such as the infamous Misfortune Cookie bug that affected 12 million SOHO routers.

It was clear to researchers that the attacks didn't come from a C&C server, but from the botnet itself, to which the attacker was hoping to add the targeted honeypot server.

Self-spreading IoT botnets, the new norm

Self-spreading malware that creates IoT botnets has become a common occurrence in the past few months. For example, the recently discovered Mirai DDoS trojan, a variation of Gafgyt, uses Telnet brute-force attacks to compromise other devices and expand its size.

Similarly, the PhotoMiner cryptocurrency-mining worm employs Telnet attacks, as do all the variations of the LizardStresser DDoS tool released by the infamous Lizard Squad hacking crew.

A recent Level 3 report revealed that attackers have compromised over one million IoT and embedded devices in the past few months. Among the devices they listed were Dahua DVRs, one of the devices detected by CZ.NIC researchers as a primary source of Telnet attacks.

According to the graph below, 29.9 percent of all Dahua DVRs available online today were compromised and used to launch Telnet brute-force attacks. Similarly, 66.6 percent of devices using the embedded H264DVR web server appear to be compromised as well.

Attack sources (red = percentage of infected devices compared to the entire number of Internet-available devices)

Telnet brute-force attacks on honeypot server