Over 515,000 servers, routers and IoT (Internet of Things) smart devices had their Telnet credentials published in a massive list by a hacker this week.
Telnet is a remote access protocol that can be used to control devices over the internet. The list, published on a popular hacking forum, reveals the IP address as well as the username and password for each device's Telnet service.
According to a statement from the hacker who leaked the information, as well as experts in the field that ZDNet spoke with, the list was put together by scanning the entire internet for devices that exposed their Telnet port. The hacker then tried either factory-set default usernames and passwords or custom but easy-to-guess password combinations.
This kind of list, referred to as a ‘bot list’, is a common element of an IoT ‘botnet’ operation. A bot (short for robot) is a self-contained program on the internet that can interact with users, for example as an automated player in adventure games. Wikipedia says that a botnet is “several Internet-connected devices each of which is running one or more bots. Botnets can be used to perform distributed denial-of-service attack (DDoS attack), steal data, or send spam, and allows the attacker to access the device and its connection.”
Although a few of these botnet lists have been leaked online in the past, usually they are kept private. According to ZDNet, this published list is the largest leak of Telnet passwords to date.
The list was published online by someone who maintains a DDoS-for-hire service. He said he released it after upgrading his DDoS service to a new model. The leaked lists date from October-November 2019, so it is possible that some of the devices are now running on a different IP address or are using different login credentials.
ZDNet used IoT search engines such as BinaryEdge and Shodan and identified devices all over the world.
Even though users may have changed their IP addresses or passwords, the list is still useful to an expert hacker, so the danger of being hacked remains.
That’s because devices are usually clustered on one Internet Service Provider (ISP). A hacker could take an IP address from the list, figure out which ISP it belongs to, re-scan that ISP's address range, and update the list with the device's current IP address.
ZDNet passed the credential list to trusted and vetted security researchers, who will in turn notify ISPs and server owners.
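The scanning and credential-guessing described above leaves a recognisable trace on the targeted device: a burst of failed Telnet logins from one source, often trying several usernames, sometimes followed by a success. The following is an added example of a small defender-side detector for that pattern; it is not code from the article or from ZDNet. The log line format, the `login[...]` process name and all IP addresses and timestamps are constructed for the example and assumed, not taken from any real device.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (assumed syslog-style output of a hypothetical
# telnetd/login process); none of these are real devices or real logs.
SAMPLE_LOG = """\
Jan 16 10:00:01 gw login[311]: FAILED LOGIN for root from 198.51.100.7 port 23
Jan 16 10:00:02 gw login[312]: FAILED LOGIN for admin from 198.51.100.7 port 23
Jan 16 10:00:03 gw login[313]: FAILED LOGIN for root from 198.51.100.7 port 23
Jan 16 10:00:04 gw login[314]: FAILED LOGIN for support from 198.51.100.7 port 23
Jan 16 10:00:05 gw login[315]: FAILED LOGIN for user from 198.51.100.7 port 23
Jan 16 10:00:06 gw login[316]: LOGIN OK for admin from 198.51.100.7 port 23
Jan 16 10:15:00 gw login[402]: FAILED LOGIN for root from 203.0.113.9 port 23
Jan 16 11:30:00 gw login[520]: LOGIN OK for admin from 192.0.2.44 port 23
"""

# Assumed line layout: "<Mon DD HH:MM:SS> <host> login[<pid>]: <result> for <user> from <ip> port 23"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ login\[\d+\]: "
    r"(?P<result>FAILED LOGIN|LOGIN OK) for (?P<user>\S+) from (?P<src>[\d.]+) port 23$"
)


def parse_line(line, year=2020):
    """Parse one log line into an event dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so the caller supplies one
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "LOGIN OK", "user": m["user"], "src": m["src"]}


def find_bursts(log_text, window_seconds=60, threshold=5):
    """Flag source addresses that produced >= threshold failed Telnet logins
    inside any window_seconds-long window. For each flagged source, report the
    total failure count, how many distinct usernames were tried, and whether a
    successful login from that source followed the last failure (a sign that a
    guessed default or weak password worked)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events[ev["src"]].append(ev)

    findings = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]
        # sliding window over the sorted failure timestamps
        best, start = 0, 0
        for end in range(len(fails)):
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            last_fail = fails[-1]["ts"]
            findings[src] = {
                "failures": len(fails),
                "distinct_users": len({e["user"] for e in fails}),
                "success_after_burst": any(e["ok"] and e["ts"] >= last_fail for e in evs),
            }
    return findings


if __name__ == "__main__":
    for src, info in find_bursts(SAMPLE_LOG).items():
        print(f"{src}: {info}")
```

Run against the constructed sample, the detector flags only 198.51.100.7 (five failures across four usernames in six seconds, then a success), while the single failure from 203.0.113.9 and the lone success from 192.0.2.44 are ignored. A flagged source with `success_after_burst` set is the case that matters most to an operator: the device should be treated as compromised, its password changed, and Telnet disabled in favour of SSH or removed from internet exposure entirely.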