You may have already come across Telnet and used it to log in to remote computers. Whatever your experience with Telnet is, you probably would not expect anything new from it.
Telnet has been replaced by SSH, which has become the de facto standard for remote connectivity because it provides significantly higher security, including encryption, and many other benefits.
When we created our first honeypots for one of our projects, we ran both SSH and Telnet, because both protocols offer interactive console access and are therefore very interesting to potential attackers. SSH was, of course, our main focus; Telnet was a complementary addition.
To our surprise, however, we found that honeypot traffic for Telnet was three times higher than for SSH. Admittedly this compares apples and pears, because for Telnet we count login attempts while for SSH we count commands entered, but the difference is enormous either way and also shows in other parameters, such as the number of unique attacker IP addresses.
Because we monitor our honeypots for any interesting new activity, we naturally wondered what the reason for this phenomenon might be. Is it increased activity by known attackers, or did new attackers appear? And if the latter, where do these attackers come from? The increase began at the end of May 2016, and a change in the activity of already known attackers alone is not significant enough to explain it. New attackers must therefore have appeared.
The number of attackers jumped from about 30,000 unique IP addresses per day to more than 100,000, and despite a subsequent drop, it has stayed at least twice the previous level.
Something must have happened: either an entity (probably a botnet) that had previously not scanned Telnet became active, or an existing botnet quickly gained new members. To get a better idea of what happened, we analysed the situation in more detail.
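The two questions raised above, how many distinct attackers are seen per day and when that number jumps, are the kind of thing a honeypot operator answers from the raw login records. The following is an added example written for this article, not the authors' own tooling: it counts unique attacker IPs per day and per protocol from constructed log lines (the format `date protocol ip` and all addresses are made up for the example) and flags days where the count is at least twice the median of the preceding days, which is the same "more than double" criterion the text applies to the May 2016 jump.

```python
"""Unique attacking IPs per day from Telnet/SSH honeypot records, plus a spike check.

All data below is constructed for illustration; it is not real honeypot output.
"""
from collections import defaultdict
from statistics import median

# Constructed records in the form "date protocol ip". Repeated lines from the
# same IP on the same day model repeated login attempts.
SAMPLE_LOG = """\
2016-05-25 telnet 198.51.100.10
2016-05-25 telnet 198.51.100.11
2016-05-25 telnet 198.51.100.11
2016-05-25 ssh 203.0.113.5
2016-05-26 telnet 198.51.100.10
2016-05-26 telnet 198.51.100.12
2016-05-26 ssh 203.0.113.5
2016-05-27 telnet 198.51.100.10
2016-05-27 telnet 198.51.100.13
2016-05-27 ssh 203.0.113.6
2016-05-28 telnet 198.51.100.10
2016-05-28 telnet 198.51.100.14
2016-05-28 telnet 198.51.100.15
2016-05-28 telnet 198.51.100.16
2016-05-28 telnet 198.51.100.17
2016-05-28 telnet 198.51.100.18
2016-05-28 telnet 198.51.100.19
2016-05-28 ssh 203.0.113.6
"""


def unique_ips_per_day(log_text):
    """Return {protocol: {date: set(ip)}}; repeated attempts from one IP count once."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines rather than crash
        date, proto, ip = parts
        seen[proto][date].add(ip)
    return seen


def daily_counts(log_text, proto):
    """Number of unique attacker IPs per day for one protocol, ordered by date."""
    per_day = unique_ips_per_day(log_text).get(proto, {})
    return {day: len(ips) for day, ips in sorted(per_day.items())}


def spike_days(counts, factor=2.0, window=3):
    """Dates whose count is at least `factor` times the median of the previous `window` days."""
    dates = sorted(counts)
    flagged = []
    for i in range(window, len(dates)):
        baseline = median(counts[d] for d in dates[i - window:i])
        if baseline > 0 and counts[dates[i]] >= factor * baseline:
            flagged.append(dates[i])
    return flagged


if __name__ == "__main__":
    for proto in ("telnet", "ssh"):
        counts = daily_counts(SAMPLE_LOG, proto)
        print(proto, counts, "spikes:", spike_days(counts))
```

With the constructed data, Telnet shows two unique attackers on each of the first three days and seven on the fourth, which the check flags; SSH stays flat and is not flagged. On real data the window would be days or weeks rather than three entries, and a jump in unique addresses, as opposed to a jump in attempts from the same addresses, is exactly the signal that points to new attackers rather than busier known ones.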
We first looked at the geographical origin of the attacks and how it changed over time. Clearly, with the exception of China, which had been active earlier, most countries increased their activity at the same time.
Now we know where most of the attacks come from, but we are still not much closer to finding out what is actually attacking us.
To find out more, knowing only the attacker's IP address is no longer enough. To learn what is behind a given IP address, we could either scan it actively or use a third-party service. We chose the latter and used Shodan.io to get more information about each address. From the data we obtained, we focused on the information that can identify the type of product behind the IP address. The "Server:" field from the HTTP header (or the equivalent field of similar services) proved particularly useful for this purpose. We obtained this value for more than 1.8 million IP addresses out of a total of approximately 6.5 million, i.e. slightly over 27%.
It should be noted that a specific header value does not identify a specific product but rather a family of similar devices running the same or similar software. It is also possible that several of these services run on a single device.
The most frequent is the RomPager/4.07 HTTP server, an old version of an HTTP server used in many home routers and other embedded devices, which has had serious security flaws in the past. Second is gSOAP/2.7, likewise an older version of a popular web services toolkit often used in embedded devices. H264DVR 1.0 identifies the Real Time Streaming Protocol (RTSP) server used in networked DVRs, security cameras and the like. The names of other products, such as Dahua Rtsp Server, which again points to CCTV cameras, make it clear that they too are often embedded devices; this product has also had security issues in the past.
It is clear from the above that, at least among the devices we were able to identify, there is a large number of embedded devices such as cameras and routers. These devices often run outdated software with known security holes, so an attacker can easily compromise a large number of them with a single exploit. What we have not yet examined is whether these devices are behind the recent increase in Telnet attacks.
We see the activity of the most frequently observed products, namely RomPager/4.07 and gSOAP/2.7. Both have seen an increase in activity of almost an order of magnitude since May 2016. Even more interesting is the situation with H264DVR 1.0. Here we saw little activity until April 2016, when suddenly 7,000 unique IP addresses with this server appeared and scanned the Telnet service for about a month. The activity then paused for a while, only to return in even stronger form, with the number of attacking devices rising to 20,000 unique IP addresses per day.
From the above, we can conclude that the increased Telnet attack activity was largely due to embedded devices. We can speculate that the attacker or attackers deliberately targeted these devices through a known vulnerability and, having taken control of them, are now using the botnet to expand further. Even worse than the current number of infected devices is the trend.
At present, approximately 20,000 new attacking devices appear each day. Their composition is very similar to the overall picture we saw above, so many of the newly recorded attackers are again embedded devices.
In fact, for some of these products the number of attacking devices is a significant part of the total number of such devices visible on the Internet. The following chart is a copy of the chart above, but it also compares the number of such devices recorded by our honeypot with the total number of such devices reachable on the Internet as recorded by Shodan.io. The most striking case is the H264DVR 1.0 server, where more than two-thirds of the devices with this service are "infected".
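The classification step described above (grouping attacker IPs by the "Server:" header into product families, and then comparing the honeypot's count for a family with the total number of such devices visible on the Internet) can be reproduced on any banner data set. The example below is added for this article and is not the authors' code; it does not call Shodan at all but works on a constructed lookup table of IP-to-header values and constructed Internet-wide totals, so the numbers it produces are illustrative only. The header values reuse the three families named in the text; the addresses and counts are made up.

```python
"""Classify attacking IPs by HTTP 'Server:' header and estimate the infected share per family.

Constructed data throughout: BANNERS stands in for a per-IP banner lookup and
VISIBLE_TOTALS for an Internet-wide device count; neither comes from Shodan.
"""
from collections import Counter

# Constructed per-IP banner lookup. None means no HTTP banner was available,
# mirroring the ~73% of addresses for which no Server value was obtained.
BANNERS = {
    "198.51.100.10": "RomPager/4.07 UPnP/1.0",
    "198.51.100.11": "RomPager/4.07 UPnP/1.0",
    "198.51.100.12": "gSOAP/2.7",
    "198.51.100.13": "H264DVR 1.0",
    "198.51.100.14": "H264DVR 1.0",
    "198.51.100.15": "H264DVR 1.0",
    "198.51.100.16": None,
    "198.51.100.17": None,
    "198.51.100.18": None,
    "198.51.100.19": None,
}

# Constructed totals of Internet-visible devices per family (illustrative only).
VISIBLE_TOTALS = {"RomPager/4.07": 1000, "gSOAP/2.7": 500, "H264DVR 1.0": 4}


def server_family(header):
    """Reduce a raw Server header to a product family, e.g. 'RomPager/4.07'.

    A header names a family of similar firmware, not one exact product, so only
    the leading product token (with its version) is kept and trailing tokens
    such as 'UPnP/1.0' are dropped.
    """
    if not header:
        return None
    tokens = header.strip().split()
    if not tokens:
        return None
    family = tokens[0]
    # Some servers separate name and version with a space ("H264DVR 1.0");
    # keep the version with the name in that case.
    if "/" not in family and len(tokens) > 1 and tokens[1][:1].isdigit():
        family = f"{family} {tokens[1]}"
    return family


def classify(attacker_ips, banners):
    """Count attacker IPs per Server family.

    Returns (Counter of family -> attacker count, number of IPs identified at all).
    """
    families = Counter()
    identified = 0
    for ip in attacker_ips:
        fam = server_family(banners.get(ip))
        if fam:
            families[fam] += 1
            identified += 1
    return families, identified


def infected_share(families, visible_totals):
    """Fraction of all Internet-visible devices of each family seen attacking the honeypot."""
    return {
        fam: families[fam] / visible_totals[fam]
        for fam in families
        if visible_totals.get(fam)
    }


if __name__ == "__main__":
    fams, ident = classify(list(BANNERS), BANNERS)
    print(f"identified {ident} of {len(BANNERS)} attacker IPs ({100 * ident / len(BANNERS):.0f}%)")
    for fam, share in infected_share(fams, VISIBLE_TOTALS).items():
        print(f"{fam}: {fams[fam]} attacking of {VISIBLE_TOTALS[fam]} visible = {share:.1%}")
```

With the constructed table, six of ten addresses are identified, and the H264DVR 1.0 family shows three attacking devices out of four visible, i.e. a 75% share, the same kind of "more than two-thirds" figure the text reports for that server. Two caveats carry over from the article: a header identifies a family, not a product, and a device may expose several such services, so one address can legitimately match more than one family when several banners are available.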
In 2016, we saw a significant increase in traffic to our Telnet honeypots. From the available data, we concluded that many of the attack attempts come from embedded devices such as CCTV cameras and routers. These devices are often easy prey because they form a "monoculture" in which many devices share the same software and the same vulnerabilities. It is very likely that an attacker specifically targets some of these devices to build a botnet. In some cases, it even appears that a significant proportion of the devices of a particular type is already taking part in the attacks.
During our investigation, we managed to obtain one "infected" CCTV camera. We were unable to find any obvious traces of malware in its firmware, which leads us to the preliminary conclusion that the attacks are carried out remotely, without any permanent change to the device's firmware. These results are preliminary, however, and we will continue to investigate this case more deeply.
I suggest you think about which of your "smart" devices can be reached from the Internet and consider whether you could restrict access to them with a firewall. No system is perfect, and equipment running outdated software without regular patches is a security risk. It is very likely that what we observe with Telnet is just the tip of the iceberg of all the dangerous things happening on the Internet.