Kaiji Malware Brute Forces Easy-to-Guess Username and Password Combinations for Successful Attacks

Kaiji IoT Malware

The so-called Internet of Things (IoT) revolution changed the online ecosystem in many different aspects, and cybersecurity is no exception. Hackers knew that smart gadgets and other IoT devices are little more than small computers with trimmed down (mostly Linux-based) operating systems, and they were determined to exploit this fact.

A few less-than-successful IoT threats appeared before Mirai hit the scene and completely rewrote the record book when it comes to Distributed Denial of Service (DDoS) attacks. The botnet's colossal attacks were powerful enough to bring down large chunks of the internet in entire regions of the world, and they showed just how dangerous weaponized IoT gadgets could be. They also showed everybody how poor the state of IoT security is. You'd think that we'd have learned our lessons by now. You'd think that we'd have made our smart devices more difficult to hack. Well, you'd be wrong.

Kaiji – a brand new IoT malware family

A group of independent researchers going by the name MalwareMustDie recently stumbled upon Kaiji – a previously unreported strain of IoT malware. Although they hadn't heard of it before, the experts probably thought at first that the only new thing about the malware would be the name.

After Mirai's historic DDoS attacks, the security community and law enforcement agencies started hunting down the malware's authors. Eventually, the creators of the world's most powerful DDoS botnet were identified, but before that, Mirai's source code was leaked. Ever since then, virtually all IoT malware families that have set out to launch DDoS attacks have been based on Mirai. There are new names and new components, but the core is always pretty much identical, and it comes from the infamous Mirai.

Kaiji, however, was written from the ground up in Go. Not a single line of code has been copied from anywhere else, which means that for the first time in a while, we have an IoT malware family that we can compare to Mirai. So, how does it stack up?

Is Kaiji the new Mirai?

The fact of the matter is, we don't know that much about Kaiji at the moment. Researchers from Intezer wrote a technical report on the new malware, which backs MalwareMustDie's suspicion that Kaiji was written by Chinese hackers. The malware is apparently prepared to launch several different types of DDoS attacks, but it would appear that it's still under development. At one point during the analysis, Intezer's researchers noticed that Kaiji was consuming too much RAM, and they later saw that portions of the Command & Control infrastructure were not operational – a clear indication that the malware authors still have some work to do.

They have picked their initial infection vector, however, and their decision can tell us a lot not only about Kaiji but about the entire IoT landscape.

New malware, old tricks

Kaiji infects new devices by brute-forcing their SSH login credentials. SSH is a network protocol that lets you remotely control other devices, and in many places, you'll see it described as much more secure than Telnet, the communication protocol Mirai uses to recruit smart gadgets. Indeed, one of the main differences is that SSH connections are encrypted, but in this particular case, this doesn't matter.

Both Mirai and Kaiji brute-force their way in, which means that the attacks are aimed not at the protocols, but at the login credentials. The mere fact that these login credentials still present a valid infection vector speaks volumes about the state of IoT security. Kaiji and Mirai don't even exploit people's poor password management decisions. Instead, they take advantage of the fact that way too many devices still use default credentials.

The manufacturers of IoT gadgets release the devices on the market with easy-to-guess login credentials that could let anyone take control of them. Hoping that nobody would be interested in hacking these particular gadgets, vendors often fail to implement a way of updating the weak passwords, which makes an attack even more likely to succeed. Even if there is a password reset mechanism, users often can't be bothered to use it.
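The SSH brute-forcing described above leaves a very recognisable trail on the target: a burst of "Failed password" entries from one source, often cycling through default-style usernames, sometimes followed by an "Accepted password" from the same source. The script below is an added example written for this article, not code from the article, from Intezer, or from MalwareMustDie. It runs a small detector over constructed sshd log lines (the hostnames, IP addresses and timestamps are made up for illustration) and reports sources that exceed a failure threshold, plus any password login that succeeded after a run of failures from the same source.

```python
import re
from collections import defaultdict

# Constructed sample auth.log excerpt (hostnames, IPs and times are made up).
SAMPLE_AUTH_LOG = """\
May  8 10:01:02 cam01 sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
May  8 10:01:03 cam01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40123 ssh2
May  8 10:01:04 cam01 sshd[1201]: Failed password for invalid user pi from 203.0.113.7 port 40124 ssh2
May  8 10:01:05 cam01 sshd[1201]: Failed password for root from 203.0.113.7 port 40125 ssh2
May  8 10:01:06 cam01 sshd[1201]: Failed password for invalid user ubnt from 203.0.113.7 port 40126 ssh2
May  8 10:01:07 cam01 sshd[1201]: Accepted password for root from 203.0.113.7 port 40127 ssh2
May  8 10:02:10 cam01 sshd[1210]: Failed password for alice from 198.51.100.4 port 50001 ssh2
May  8 10:02:30 cam01 sshd[1211]: Accepted publickey for alice from 198.51.100.4 port 50002 ssh2
"""

# sshd's standard wording for rejected and accepted logins (OpenSSH format).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+"
)


def analyze_auth_log(text, threshold=5):
    """Return (brute_force_sources, compromised_logins).

    brute_force_sources: {source_ip: [usernames tried]} for every source with
        at least `threshold` failed password attempts.
    compromised_logins: [(source_ip, user, failures_before_success)] for every
        password login accepted after earlier failures from the same source.
    """
    failures = defaultdict(list)      # source ip -> usernames that failed
    compromised = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src].append(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, src = m.groups()
            # A password success after a guessing run is the signal that
            # matters; key-based logins are not what a brute-forcer gets.
            if method == "password" and failures.get(src):
                compromised.append((src, user, len(failures[src])))
    brute_force = {src: users for src, users in failures.items()
                   if len(users) >= threshold}
    return brute_force, compromised


def distinct_users(usernames):
    """Number of different accounts tried; high values mean credential
    guessing across default accounts rather than one user mistyping."""
    return len(set(usernames))


if __name__ == "__main__":
    sources, logins = analyze_auth_log(SAMPLE_AUTH_LOG)
    for src, users in sources.items():
        print(f"brute force from {src}: {len(users)} failures, "
              f"{distinct_users(users)} distinct usernames: {sorted(set(users))}")
    for src, user, n in logins:
        print(f"ALERT: password login for {user} from {src} after {n} failures")
```

On the sample data the detector flags 203.0.113.7 (five failures across four usernames, then a successful password login as root) and ignores 198.51.100.4, whose single failure was followed by a key-based login. The threshold and the regexes are the knobs to tune for a real deployment; the same logic maps directly onto a SIEM rule or a fail2ban-style filter.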

This was the case in 2016 when Mirai made its first marks, and it clearly is the case now, which goes to show that we haven't learned anything in the last four years.

May 8, 2020
