IoT telnet leaks – Hacker exposes Telnet credentials for more than 500k Devices

March 7, 2020

A hacker who runs a DDoS service business on the Dark Web and across criminal internet forums recently made headlines on numerous tech-news sites after publishing a list of Telnet credentials for 515,000 IoT devices that he had “cracked.”

The list of exposed credentials, published on a popular internet forum, includes each device’s IP address along with the username and password for its Telnet service. Based on various sources and analysis, the list appears to have been generated by scanning the internet for devices with an exposed Telnet port. The hacker then cracked the usernames and passwords by guessing: starting with each device’s default username and password, then trying customized but easy-to-guess combinations. In short, basic credential stuffing.


Credential Stuffing

Credential stuffing is a well-known technique that security researchers and hackers use either to test password security or as part of the hack itself. From web-based applications to Telnet, trying reused usernames and passwords to gain access to devices is one of the simplest tricks in the book, yet an efficient way to crack a password-protected environment. This technique made it possible to turn IoT devices into zombies, or botnet systems.


Botnet Operation

After gathering enough devices by hacking into these poorly secured tools, the hacker can use them as a vehicle for spreading malware to other users and devices on the network. For example, the hacker will install income-generating malicious software such as ransomware, which will spread across the whole network. The operation of a botnet is not limited to launching DDoS attacks; it can also be used for malware distribution as mentioned above, as well as spam, scams, phishing, identity theft, and network intrusion.


Exposing the List

Usually, cyber-criminals keep these botnet lists away from the public, but back in August 2017 a list of Telnet credentials for 33,000 home routers was published online. To date, the latest leak is the largest known dump of IoT Telnet credentials. Its size raises a critical alarm for security experts: even if these records have since changed, each IP address can still be used to identify the service provider, and the ISP’s network can then be rescanned to update the list with current IP addresses. This matters because the leaked data was collected from October to November 2019, so details such as IP addresses, usernames, and passwords could already have changed.


Security Tips?

  • Stop using Telnet. You may use SSH (Secure Shell), which is a secure alternative.
  • Use a complex username and password on your IoT devices. 
  • Use secure cloud-based technology in your corporate network. 
  • Invest in improving IT Infrastructure. 
  • Don’t just “Plug and Play” your devices; make sure to secure them first.
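
For devices that cannot be moved off Telnet right away, the credential guessing described earlier can at least be detected. The following is an added example, not part of the original article: it flags source addresses whose failed logins within a short window span several usernames, and notes any success that followed. The log line format, thresholds, host names and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) log format: "<ISO time> <host> login[pid]: FAILED|OK user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login\[\d+\]: "
    r"(?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
# Constructed sample lines; addresses come from documentation ranges.
SAMPLE = """\
2020-01-20T03:14:01 cam-01 login[412]: FAILED user=admin src=203.0.113.7
2020-01-20T03:14:03 cam-01 login[413]: FAILED user=root src=203.0.113.7
2020-01-20T03:14:05 cam-01 login[414]: FAILED user=support src=203.0.113.7
2020-01-20T03:14:08 cam-01 login[415]: FAILED user=admin src=203.0.113.7
2020-01-20T03:14:10 cam-01 login[416]: FAILED user=root src=203.0.113.7
2020-01-20T03:14:12 cam-01 login[417]: OK user=root src=203.0.113.7
2020-01-20T09:30:00 cam-01 login[500]: FAILED user=admin src=192.0.2.10
2020-01-20T09:30:20 cam-01 login[501]: OK user=admin src=192.0.2.10
""".splitlines()

def detect_guessing(lines, window=timedelta(minutes=5), min_failures=5, min_users=2):
    """Flag sources with >= min_failures failed logins inside `window`
    that tried >= min_users distinct usernames (one typo'd login is ignored)."""
    events = {"FAILED": defaultdict(list), "OK": defaultdict(list)}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a login event in the assumed format
        ts = datetime.fromisoformat(m["ts"])
        events[m["result"]][m["src"]].append((ts, m["user"], m["host"]))
    alerts = {}
    for src, fails in events["FAILED"].items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward
            burst = fails[start:end + 1]
            if len(burst) >= min_failures and len({u for _, u, _ in burst}) >= min_users:
                # A success from the same source after the burst began
                # suggests a guess worked: treat that device as compromised.
                hit = {h for t, _, h in events["OK"][src] if t >= burst[0][0]}
                alerts[src] = {"failures": len(fails),
                               "users": sorted({u for _, u, _ in fails}),
                               "compromised_hosts": sorted(hit)}
                break
    return alerts

if __name__ == "__main__":
    print(detect_guessing(SAMPLE))
```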


Take Down of the Record

It won’t be long before the Telnet list is removed. However, since it was a black-hat hacker who released it, it is highly possible that several other users have already backed it up and will republish it with a price tag. The black market on the Dark Web is full of such lists and will continue to provide this type of data, which is all the more reason why constant monitoring of the Dark Web is so important.
