A hacker going by the name Subby has compromised over 29 IoT botnets whose Command and Control (C&C) servers were protected by default or weak credentials.
How did the hacker compromise the botnets?
The hacker carried out brute-force attacks against the botnets' Command and Control (C&C) servers and took them over once a login succeeded.
In an interview with Ankit Anubhav, a security researcher at NewSky Security, the hacker said he used a dictionary of usernames and a list of common passwords to brute-force the C&C servers of botnets that used weak username-password combinations such as root-root, admin-admin, oof-o0f and root-user2019.
“In addition to this, each C2 undergoes a random style password attack which continues up to 6 alphanumeric characters under the user 'root'. I change the user to something specific if I have prior knowledge of the C2. Each cracked password is added to the password list used when brute-forcing the C2s in future,” Subby said.
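As an added example (not code from the article or from Subby), the following Python models the two-phase strategy described above against a constructed, offline credential store: first a dictionary of the default pairs quoted above, then an exhaustive walk of the alphanumeric space under a single user, with every recovered password appended to the dictionary before the next host is tried. The host names, salts and sample passwords are hypothetical, and the salted SHA-256 store stands in for whatever a real panel keeps; nothing here talks to a network. It also counts the full 1..6-character alphanumeric keyspace to show what "up to 6 alphanumeric characters" means in practice.

```python
import hashlib
import itertools
import string
from typing import Dict, Iterator, List, Optional, Tuple

# 62-symbol alphanumeric alphabet, as in the "random style" search Subby describes.
ALNUM = string.ascii_lowercase + string.ascii_uppercase + string.digits

# Default pairs quoted in the article. An operator who followed a tutorial and
# never changed them is found in the first phase.
DEFAULT_PAIRS: List[Tuple[str, str]] = [
    ("root", "root"),
    ("admin", "admin"),
    ("oof", "o0f"),
    ("root", "user2019"),
]

Record = Tuple[str, str, str]  # (username, salt, sha256(salt + password))


def hash_pw(password: str, salt: str) -> str:
    """Salted SHA-256, standing in for whatever the panel really stores."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_store(entries: List[Tuple[str, str, str]]) -> Dict[str, Record]:
    """Constructed credential store: host -> (user, salt, digest).
    The salt is derived from the host name only to keep the example deterministic."""
    return {host: (user, host, hash_pw(pw, host)) for host, user, pw in entries}


def keyspace_size(max_len: int, alphabet_size: int = len(ALNUM)) -> int:
    """Number of alphanumeric strings of length 1..max_len."""
    return sum(alphabet_size ** k for k in range(1, max_len + 1))


def incremental_candidates(max_len: int) -> Iterator[str]:
    """Every alphanumeric string of length 1..max_len, shortest first: the
    worst case a 'random style' search has to cover."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(ALNUM, repeat=n):
            yield "".join(chars)


def audit_one(record: Record, pairs: List[Tuple[str, str]], max_len: int,
              search_user: str = "root") -> Optional[Tuple[str, str]]:
    """Phase 1: try every known user/password pair. Phase 2: if the account is
    the one searched under ('root' unless overridden, as in the quote), walk the
    alphanumeric space up to max_len. Returns (password, phase) or None."""
    user, salt, digest = record
    for u, p in pairs:
        if u == user and hash_pw(p, salt) == digest:
            return p, "dictionary"
    if user != search_user:
        return None
    for cand in incremental_candidates(max_len):
        if hash_pw(cand, salt) == digest:
            return cand, "search"
    return None


def audit_all(store: Dict[str, Record], pairs: List[Tuple[str, str]],
              max_len: int = 3) -> Tuple[Dict[str, Tuple[str, str]], List[Tuple[str, str]]]:
    """Audit every host in order; each recovered password is appended to the
    dictionary so later hosts get it in phase 1 (the feedback loop in the quote)."""
    pairs = list(pairs)
    found: Dict[str, Tuple[str, str]] = {}
    for host, record in store.items():
        hit = audit_one(record, pairs, max_len)
        if hit is None:
            continue
        found[host] = hit
        learned = (record[0], hit[0])
        if learned not in pairs:
            pairs.append(learned)
    return found, pairs


# Constructed sample store: hypothetical hosts and passwords, not data from the article.
SAMPLE_STORE = make_store([
    ("c2-a.example", "root", "root"),             # default pair
    ("c2-b.example", "admin", "admin"),           # default pair
    ("c2-c.example", "root", "ab1"),              # short: falls to the incremental search
    ("c2-d.example", "root", "ab1"),              # same password, now in the learned list
    ("c2-e.example", "root", "Correct-Horse-9"),  # outside both phases: survives
])


def run_demo() -> Tuple[Dict[str, Tuple[str, str]], List[Tuple[str, str]]]:
    return audit_all(SAMPLE_STORE, DEFAULT_PAIRS)


if __name__ == "__main__":
    found, learned = run_demo()
    for host, (pw, phase) in found.items():
        print(f"{host}: {pw!r} via {phase}")
    print("learned pairs:", learned)
    print("full 1..6 alphanumeric keyspace:", keyspace_size(6))
```

Run it directly to see which hosts fall to which phase. The 3-character cap keeps the demo fast; `keyspace_size(6)` (57,731,386,986 strings) shows that a full 6-character search is only workable online against a panel that applies no lockout or rate limiting, which is the real lesson for anyone exposing an admin login.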
What is the bot count?
Subby said that the initial bot count was 40,000; after duplicates were removed, the actual count was about 25,000.
“I estimate the number to be closer to 25,000 unique devices. I was able to get a reliable network traffic graph produced of the traffic generated from all the botnets combined and it was just under 300 Gbit/s,” Subby said.
What is the reason for using weak/default credentials?
The hacker noted that most botnet operators simply follow YouTube tutorials to set up their botnets and never change the default credentials, which leaves their C&C servers open to brute-forcing.
Subby added that he went after these IoT botnets to find out how well brute-forcing works against C&C servers and whether it is an efficient way to gain control of IoT devices.