Operators of a DDoS service, which now runs on cloud servers instead of hacked routers, servers and IoT devices, have published the credentials and IP addresses of around 515,000 devices in a hacker forum. The credentials originally needed to build the botnet were found by scanning the Internet for devices exposing the unencrypted remote-maintenance service Telnet. Where a Telnet service was found, a number of default passwords that major hardware manufacturers ship with their devices were then tried.
According to the forum post, the list was compiled in October and November 2019 and is therefore relatively current. It is to be expected that some of the devices can still be misused by unauthorized third parties over the Internet with little effort. Among other things, the information can be used to build a new botnet, which could then send spam or carry out DDoS attacks, for example.
In addition, some devices can be infected via Telnet with malware that renders them unusable. Some hackers try to prevent others from using these devices for their own purposes by selectively “turning off” easily attackable targets. In one known case from June 2019, the Silex malware rendered approximately 2,000 IoT devices unusable within a few hours; the devices were reachable over the Internet with default passwords.
The so-called BrickerBot (brick = block) is even said to have turned more than two million devices into unusable “blocks” in 2017. It did so by overwriting drives and partitions with random data once a login with default credentials succeeded. In the case of Silex, the firewall rules and network configuration were also deleted, and the device was then switched off.
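
Added example, not part of the original article: a check an administrator can run against devices they operate to see whether port 23 answers with Telnet option negotiation, which is the exposure described above. The function names, the constructed sample greeting and the inventory entry are assumptions for illustration.

```python
import socket

IAC = 0xFF  # Telnet "Interpret As Command" byte (RFC 854)
VERBS = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}

def telnet_negotiation(data: bytes) -> list:
    """Return (verb, option) pairs of Telnet option negotiation found in data."""
    found, i = [], 0
    while i < len(data):
        if data[i] != IAC:
            i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:
            i += 2  # escaped literal 0xFF, not a command
        elif i + 2 < len(data) and data[i + 1] in VERBS:
            found.append((VERBS[data[i + 1]], data[i + 2]))
            i += 3
        else:
            i += 1
    return found

def classify(first_bytes: bytes) -> str:
    """'telnet' if the greeting negotiates Telnet options, else 'open'."""
    return "telnet" if telnet_negotiation(first_bytes) else "open"

def check_host(host: str, port: int = 23, timeout: float = 3.0) -> str:
    """Return 'closed' (no connection), 'telnet', or 'open' (needs manual review)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            try:
                first = conn.recv(256)
            except OSError:  # timeout or reset before any greeting arrived
                first = b""
    except OSError:
        return "closed"
    return classify(first)

def audit(inventory):
    """Map each (host, port) pair of your own inventory to its status."""
    return {(h, p): check_host(h, p) for h, p in inventory}

if __name__ == "__main__":
    # Constructed greeting: IAC DO TERMINAL-TYPE, IAC WILL ECHO, login prompt.
    sample = b"\xff\xfd\x18\xff\xfb\x01login: "
    print(telnet_negotiation(sample), classify(sample))
    # Constructed inventory; replace with devices you administer.
    print(audit([("127.0.0.1", 23)]))
```

A result of "open" means something is listening but sent no Telnet negotiation in its first bytes, so the service still needs to be identified by hand.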