As reported by ZDNet, a hacker who appears to operate a DDoS-for-hire (DDoS booter) service has published a massive list of 515,000 Telnet credentials for servers, home routers, and IoT (Internet of Things) devices. Each entry in the published list contains the IP address of the device along with the username and password for its Telnet service. Telnet is a remote access protocol that can be used to control devices over the internet.
The hacker compiled the leaked list by scanning the internet for devices exposing their Telnet port. He reportedly used two methods for finding the device credentials and generating the list:
- Factory-default usernames and passwords
- Custom, yet easy-to-guess password combinations
Such a list, known as a bot list, is compiled by scanning the internet and is then used to log in to the vulnerable devices and install malware on them.
The hacker also told ZDNet that he had upgraded his DDoS service from a model that relied only on IoT botnets to one that rents high-output servers from cloud service providers. All the leaked credentials are dated between October and November 2019.
Experts suggest that some of these devices may now have a different IP address, or their login credentials may have been changed. A threat actor could still take the IP addresses in the leaked list, determine the service provider each belongs to, and re-scan that ISP's network to refresh the list with current IP addresses.
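For a defender, the practical question when such a list appears is whether any of your own address ranges are in it, and how many of the listed credentials are factory defaults or trivially guessable (the two methods described above). The following Python script is an added example, not code from ZDNet or from the leak itself: it parses a constructed sample in the "ip:port user:password" layout such lists commonly use, deduplicates entries, matches them against the organisation's own CIDR ranges, and counts default and weak credentials. The sample lines, the address ranges, and the small default-credential set are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample lines in the "ip:port user:password" layout that Telnet
# bot lists typically use. The addresses are from documentation ranges; none
# of these lines come from the real leak.
SAMPLE_BOT_LIST = """\
203.0.113.10:23 admin:admin
203.0.113.77:23 root:12345
198.51.100.5:2323 user:user
198.51.100.9:23 admin:1234567
192.0.2.200:23 admin:xV9#kq2!LmZ
203.0.113.10:23 admin:admin
this line is malformed
"""

# Widely published factory defaults (an illustrative subset, not a full list).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("root", "root"), ("root", "12345"), ("user", "user"),
}


@dataclass(frozen=True)
class Entry:
    ip: str
    port: int
    user: str
    password: str


def parse_bot_list(text: str) -> List[Entry]:
    """Parse list lines into Entry objects, skipping malformed lines and exact duplicates."""
    seen = set()
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(maxsplit=1)
        # Expect exactly "host:port" and "user:password" tokens.
        if len(parts) != 2 or ":" not in parts[0] or ":" not in parts[1]:
            continue
        host, _, port = parts[0].rpartition(":")
        user, _, password = parts[1].partition(":")
        try:
            ipaddress.ip_address(host)
            port_num = int(port)
        except ValueError:
            continue
        entry = Entry(host, port_num, user, password)
        if entry in seen:
            continue
        seen.add(entry)
        entries.append(entry)
    return entries


def is_default(entry: Entry) -> bool:
    """True when the pair is a known factory default."""
    return (entry.user, entry.password) in DEFAULT_CREDENTIALS


def is_weak(entry: Entry) -> bool:
    """True for defaults and for custom but easy-to-guess passwords (short, equal to the username, or all digits)."""
    pw = entry.password
    return is_default(entry) or len(pw) < 8 or pw == entry.user or pw.isdigit()


def triage(text: str, own_ranges: List[str]) -> Dict[str, object]:
    """Summarise a list against the ranges we are responsible for."""
    nets = [ipaddress.ip_network(r) for r in own_ranges]
    entries = parse_bot_list(text)
    in_scope = [e for e in entries
                if any(ipaddress.ip_address(e.ip) in n for n in nets)]
    return {
        "total": len(entries),
        "in_scope": in_scope,
        "default_credentials": sum(is_default(e) for e in entries),
        "weak_credentials": sum(is_weak(e) for e in entries),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_BOT_LIST, ["203.0.113.0/24"])
    print(f"{report['total']} unique entries, "
          f"{report['default_credentials']} factory defaults, "
          f"{report['weak_credentials']} weak passwords")
    for e in report["in_scope"]:
        print(f"IN SCOPE: {e.ip}:{e.port} user={e.user}")
```

Any in-scope hit is a device whose Telnet credentials should be rotated and whose Telnet exposure should be removed regardless of whether the IP address is still current, since the article notes that attackers can re-scan the provider's range to refresh stale entries.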
Server and router password security has long been a cybersecurity issue. Earlier, TP-Link’s Archer router series, which is built to handle high-speed online traffic, had a vulnerability that, if exploited, could allow attackers to bypass the admin password and remotely take control of the device. This vulnerability, tracked as CVE-2019-7405, was first discovered in TP-Link Archer C5 (v4) routers.
Grzegorz Wypych, a Senior Security Consultant at IBM X-Force Red said, “This was a zero-day flaw that was not previously reported and could affect both home and business environments. If exploited, this router vulnerability allowed a remote attacker to take control of the router’s configuration via Telnet on the local area network (LAN) and connect to a File Transfer Protocol (FTP) server through the LAN or wide area network (WAN).”
The vulnerability could be exploited by sending a character string longer than the allowed number of bytes in an HTTP request, a weakness also described as a password overflow. The router’s built-in validation only checked the request’s HTTP Referer header, so a request with an acceptable Referer was treated as valid; the overlong string then voided the stored password, replacing it with an empty value.