Users can now check whether their network is exposed to Mirai, one of the most prolific botnets to have targeted Internet of Things (IoT) devices this year.

The botnet was initially detailed in early September, but it became more popular in early October, when its author released the source code online. The malware, designed to harness the power of insecure IoT devices to launch distributed denial of service (DDoS) attacks, had been previously used in massive incidents targeting Brian Krebs' blog and hosting provider OVH.

With the primary purpose of IoT botnets being DDoS attacks, it’s no wonder that Akamai said that Mirai wasn’t alone in the 665 gigabit per second (Gbps) attempt to take down Krebs. However, security researchers reported that Mirai was increasingly used in DDoS incidents following the source code leak.

One such Mirai attack targeted DNS provider Dyn and disrupted popular websites such as Twitter, Etsy, GitHub, Soundcloud, PagerDuty, Spotify, Shopify, Airbnb, Intercom and Heroku. With infected devices in 164 countries and the use of Internet protocols that aren’t usually associated with DDoS attacks, such as STOMP floods, Mirai continues to wreak havoc. 

Because Mirai’s success is fueled by the existence of IoT devices that aren’t properly secured, it could be easily countered by simply changing the default credentials on vulnerable devices and by closing the Telnet port the botnet uses for infection. That, however, is an operation that users and network admins need to perform, but they might not always be aware of such an issue impacting them.

To help users determine whether their network is exposed to Mirai or not, IoT Defense Inc., a startup company based in the Washington DC Metro area, launched a web scanner that does exactly that: it searches for opened TCP ports and informs users whether they are safe or not. 

The IoT Defense scanner was written using a combination of Python, Node JS and Jade frameworks and scans for nearly a dozen ports that botnets can exploit. Accessing and using the scanner is free and little instructions are needed, as it does all with a simple click of a button.

The tool was designed to scan for ports such as File Transfer Protocol (FTP), Secure Shell (SSH), Telnet (both 23 and the alternative 2323), HTTP, HTTPS, Microsoft-SQL-Server, EtherNet/IP, Telnet (alternative), Microsoft Remote Desktop Protocol (RDP), Web Proxy, and Apache Tomcat SSL (HTTPS).

While not all of these ports are targeted by Mirai, a couple are, with the 2323 Telnet port being specifically attacked. The IoT botnet scans the Internet for exposed IoT devices such as routers, IP cameras, and DVRs, and, when it finds vulnerable devices, it attempts to login to them using a list of default login credentials.

This, however, is a behavior employed by other botnets as well. What’s more, while disinfecting a device compromised by Mirai is very easy, because a simple reboot would suffice, keeping the malware away from that device is more complicated. Because of constant scans, vulnerable IoT products are re-infected within minutes.

Device vendors are those who need to take action, because users rarely do so T. Roy, CEO, IoT Defense, told SecurityWeek via email. They should add in-field auto-updates to their devices, should use per device unique passwords (something that router manufacturers have already started implementing), and should not open up unnecessary ports.

Because their incentives are not aligned with device vendors, it’s clear that users might not be the ones to fix this issue. Users might not care – provided that they are aware of an issue – that their routers, IP cameras, or DVRs are used to DDoS websites and DNS providers. As long as the bandwidth usage doesn’t affect them, they are not disadvantaged, and T. Roy believes that one solution would be for ISPs to impose bandwidth caps.

A set of rules to impose stricter security of IoT devices would also be of help, and steps in this direction are already being taken, with the Department of Homeland Security (DHS) publishing its Strategic Principles for Securing the Internet of Things. The document includes six non-binding principles designed to provide security across the design, manufacturing and deployment of connected devices.

IoT Defense’s CEO also notes that IoT vendors need to have a servicing model in place, to resolve vulnerabilities in their devices when they are discovered. Just as it happens with many other products, vendors would be given a window to resolve the found issues or face consequences. However, he isn’t very optimistic about vendors actually taking stance.

“As of today, IoT device manufacturers have very little to show for security which always gets trumped by new features and time or market concerns. It is wishful thinking to expect device vendors to step up their game and make security and privacy key differentiators for their products,” T. Roy said.

Last year, Gartner said that the number of connected devices will grow above the 20 billion mark by 2020. Now, Juniper Research estimates that there will be 38.5 billion connected IoT devices by that year, and that 70% of these units are expected to be non-consumer devices. Should the level of insecurity within these devices remain the same, the consequences will be dire for consumers, enterprises, and vendors alike.

The good news, however, is that even today enterprises block inbound open external access over protocols such as Telnet and SSH, meaning that IoT devices within corporate environments aren’t exposed. However, as Zscaler points out, these devices remain vulnerable nonetheless, and steps should be taken to defuse the situation, including automating the security and firmware updates and enforcing default password change at initial setup.

The issue at hand remains the existence of not only hundreds of thousands of IoT devices infected with Mirai, but also of hundreds of thousands more vulnerable to the botnet. More importantly, while the main purpose of IoT malware is the launch of DDoS attacks, cybercriminals have focused mainly on infecting complex devices, but could switch to simpler products such as smart toys, home appliances, wearables, and more, which would result in a flood of IoT malware all around us.

T. Roy agrees with that as well: “The day is not too far when Ransomware is going to straddle the boundary between the PC and the smart devices in the consumer's home. Unlike PC based ransomware where your pictures and videos are at stake, with everything being controlled by your smart devices your life and property are at stake.”

“Regulation will likely be the fix for IoT security,” F5 Networks evangelist David Holmes notes in a SecurityWeek column, citing Mikko Hypponen, Chief Risk Officer of F-Secure. However, he also explains that Internet security cannot be regulated like other manufacturing processes. Increasing awareness among users could also help resolve this issue, with the IoT Defense scanner being a small step in this direction.

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:


SecurityWeek RSS Feed

Subscribers of UK-based MoDaCo, a forum specialising in smartphone news and reviews, have been unpleasantly surprised by notifications that the site and their account have been compromised.


But not all subscribers have been notified, and that’s because the alert didn’t come from the site admins, but from the Have I Been Pwnd? service. The service allows users to submit their email address, and notifies them when it’s found in data batches stolen in breaches.

According to the notification, MoDaCo suffered a data breach in January 2016, and the attacker made off with email and IP addresses, and usernames and passwords (stored as salted MD5 hashes) of nearly 880,000 subscribers.

The reason why MoDaCo hasn’t notified users of the breach is still unknown. MoDaCo founder Paul O’Brien promised to post an official statement about the incident later today, and reassured subscribers that all passwords are hashed and salted.

Security researcher Troy Hunt, who runs Have I Been Pwnd?, says that 70 percent of the email addresses exposed in this breach were already contained in data batches from previous breaches of other online services.

“With data that includes email and IP addresses, passwords and usernames, there’s nothing out of the ordinary there,” Mark James, IT Security Specialist at ESET, commented for Help Net Security.

“To be honest data breaches happen all the time, this particular one is causing a bit of a storm on their own forums as the users would like to have received notification from the owners first not through a third party site. Looking through the forum posts many of the users have not used the site for a while and were looking for means to delete their accounts. The problems of course are that when we create usernames and passwords on sites that reflect our current interests if we then move on or stop using those sites it’s sometimes difficult or almost impossible to delete those redundant accounts. This breach apparently happened in January 2016 (that needs to be confirmed officially) but at least the passwords were stored as salted MD5 hashes and not in plaintext.”

Help Net Security

If you’ve ever registered with ClixSense – and millions have – you can consider all your personal information shared with the service compromised.


The company behind the popular Paid To Click site has been breached, the site ( made to redirect to a gay porn site, its Microsoft Exchange server and webservers compromised, and an old database server containing users’ information pilfered some ten days ago.

The stolen information includes users’ name, email and IP address, home address, date of birth, sex, account balance, payment history, as well as their password in plaintext.

The company has confirmed the hack for Ars Technica, and had said that they have forced a password reset on all of its 6.6 million registered users.

Users who have reused the same password on other online accounts should change it there also, as well as be on the lookout for convincing phishing attempts by crooks using their stolen information.

It is a very realistic scenario, as the attackers are offering the account records for sale, along with emails exchanged by the company’s employees and the complete source code for the site.

They have released a sample of the stolen data, containing that of early users, as proof.

Unlike previous mega data breaches, this one is not old – the user database has been dumped earlier this month, so all the information contained in it should be up to date.

Of course, it’s possible that some users have entered incorrect information when asked, and given what’s happened, I say good on them.

“It has come to our attention that this hacker did get access to our database server for a short period of time. He was able to gain access to this not directly but instead through an old server we were no longer using that had a connection to our database server. (This server has since been terminated),” Clixsense explained in a post about the incident.

“He was able to copy most if not all of our users table, he ran some SQL code that changed the names on accounts to ‘hacked account’ and deleted many forum posts. He also set user balances to $ 0.00.”

After all that, the company had the nerve to say that the incident “has taught us that regardless of what you do to stay secure, it still may not be enough,” and that users’ “ClixSense account information is now much more secure.”

Nevermind that it should have been secure in the first place… Why was an old server that’s no longer in use still connected to their database server? And, for that matter, why did they store passwords in plain text? None of this inspires much confidence that they will “do” security better in the future.

But none of this matters much to the affected users: much of their personal info has been compromised, and there is no going back.

Help Net Security

Oracle Patches Record 276 Vulnerabilities with July Critical Patch Update

July 20, 2016 , 9:21 am

Cisco Acknowledges ASA Zero Day Exposed by ShadowBrokers

August 17, 2016 , 4:06 pm

Pokémon GO Spam, Ransomware, On the Rise

August 17, 2016 , 12:58 pm

ProjectSauron APT On Par With Equation, Flame, Duqu

August 8, 2016 , 1:40 pm

Miller, Valasek Deliver Final Car Hacking Talk

August 4, 2016 , 3:26 pm

Researchers Go Inside a Business Email Compromise Scam

August 4, 2016 , 10:00 am

Export-Grade Crypto Patching Improves

August 3, 2016 , 10:00 am

Kaspersky Lab Launches Bug Bounty Program

August 2, 2016 , 9:00 am

Threatpost News Wrap, July 29, 2016

July 29, 2016 , 10:45 am

KeySniffer Vulnerability Opens Wireless Keyboards to Snooping

July 26, 2016 , 9:30 am

Upcoming Tor Design Battles Hidden Services Snooping

July 25, 2016 , 3:51 pm

EFF Files Lawsuit Challenging DMCA’s Restrictions on Security Researchers

July 21, 2016 , 1:18 pm

Threatpost News Wrap, July 15, 2016

July 15, 2016 , 11:00 am

Academics Build Early-Warning Ransomware Detection System

July 14, 2016 , 1:05 pm

xDedic Hacked Server Market Resurfaces on Tor Domain

July 12, 2016 , 11:40 am

Conficker Used in New Wave of Hospital IoT Device Attacks

June 30, 2016 , 11:48 am

655,000 Healthcare Records Being Sold on Dark Web

June 28, 2016 , 10:00 am

Windows Zero Day Selling for $ 90,000

May 31, 2016 , 5:44 pm

Millions of Stolen MySpace, Tumblr Credentials Being Sold Online

May 31, 2016 , 1:37 pm

OTR Protocol Patched Against Remote Code Execution Flaw

March 10, 2016 , 10:23 am

Android KeyStore Encryption Scheme Broken, Researchers Say

July 7, 2016 , 11:52 am

Necurs Botnet is Back, Updated With Smarter Locky Variant

June 23, 2016 , 4:10 pm

Planes, Trains and Automobiles Increasingly in Cybercriminal’s Bullseye

June 29, 2016 , 8:19 am

WordPress Security Update Patches Two Dozen Flaws

June 23, 2016 , 8:00 am

Apple Leaves iOS 10 Beta Kernel Unencrypted: Pros and Cons

June 27, 2016 , 5:13 pm

Voter Database Leak Exposes 154 Million Sensitive Records

June 24, 2016 , 10:14 am

iOS 9.3.4 Patches Critical Code Execution Flaw

August 8, 2016 , 9:00 am

Threatpost | The first stop for security news

Vulnerabilities found by a researcher in smart thermostats developed by Trane could have been exploited by remote attackers to hack into the devices and perform various actions. The vendor has taken steps to address the security flaws.

Jeff Kitson, security researcher at Trustwave, started analyzing Trane ComfortLink XL850 thermostats in December 2015. The product provides energy consumption reporting features, SMS and email alerts, and allows customers to remotely adjust heating and cooling from their computer or mobile device.

The expert discovered that the product had a weak authentication mechanism and hardcoded credentials that could have been leveraged to access the device. The vulnerabilities could have been exploited over the network and even from the Internet if the thermostat had been exposed through the router.

Kitson said there had been 24 Internet-exposed devices in December, but the number increased to roughly 50 by the time of disclosure. Most of the affected devices are located in North America.

Once attackers gain access to the device, they can obtain information on the targeted home’s heating and cooling schedule, operation mode, chat and alarm history, URLs, secret IDs, and software version. Kitson believes schedule information taken from a thermostat can allow malicious actors to determine when a home or a commercial building is empty.

“What's more concerning than the information extraction is the fact that active commands are available that allow attackers to perform a number of dangerous operations. This includes forcing the device to maintain the maximum heating setting or disabling the device continuously thereby overriding user input,” the researcher said. “Attackers can also remove and create trusted server connections permanently disconnecting the device from the corporate command and control servers. The most obvious consequence of this would be overheating a building or damaging it by disabling the heat in winter conditions.”

Such attacks were also detailed on Sunday by two researchers at the Def Con hacking conference. Andrew Tierney and Ken Munro of Pen Test Partners created a proof-of-concept ransomware specifically designed to target smart thermostats. The malware takes control of the device and demands the payment of a ransom.

Kitson determined that version 3.1 and earlier of the firmware are affected when the device’s default configuration is not changed. The researcher initially encountered difficulties in reporting the issues to Trane, but he eventually reached the vendor, which patched the flaws and started pushing out automatic updates in early July.

This was not the first time researchers had found vulnerabilities in Trane thermostats. Earlier this year, Cisco disclosed several serious flaws its researchers discovered in Trane ComfortLink II XL950 products.

Related: Serious Vulnerabilities Found in Wireless Thermostats

view counter

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed