A List Containing Login Information of 515,000 Devices Has Been Leaked Online

515 Thousand Usernames and Passwords Leaked

Cybersecurity news tends to be dominated by headline-grabbing ransomware outbreaks and crippling cryptojacking campaigns not only because these are among the most common types of attacks, but also because they make for great stories. There is another type of cybercrime, however, that can be just as destructive but is often left outside the mainstream media attention.

Distributed Denial of Service (often abbreviated as DDoS) attacks aren't especially spectacular, and you could argue that compared to ransomware, the recovery process DDoS victims must go through is much shorter and a lot less expensive. As the attack on DNS provider Dyn from October 2016 demonstrated, however, DDoS can be a very powerful weapon. Thanks to a list of login credentials that was leaked last week, using it could now be a lot easier.

A cybercriminal leaks more than half a million username and password combinations

ZDNet's Catalin Cimpanu reported on Sunday that an unnamed cybercriminal has used "a popular hacking forum" to dump a massive trove of login data. Spread across several TXT files, it contains the IP addresses and Telnet usernames and passwords that can allegedly allow cybercriminals to take over no fewer than 515 thousand internet-connected endpoints. Most of them are IoT devices.

Telnet, as some of you may remember, was also used by Mirai, the malware that collected a vast number of IoT gadgets into a massive botnet and used it to launch some of history's biggest DDoS attacks, including the one on Dyn. It's a woefully outdated communication protocol, and it has a few security vulnerabilities which make it inappropriate for use in this day and age. Nevertheless, IoT vendors continue to employ Telnet, and hackers need no second invitations.

The person who leaked the 515 thousand usernames and passwords told ZDNet that he had used the login data to recruit the devices into a botnet, which he then rented out to other cybercriminals for the purpose of launching DDoS attacks. This type of business is pretty popular in the cyber underground, and some criminals are making a pretty penny out of it, while others end up behind bars.

The person who leaked the 515 thousand username and password pairs didn't do it because he was afraid of getting in trouble, though. He did it because he'd upgraded his setup, and he no longer needed the data. He apparently considers his business a success: he told ZDNet that from now on, his DDoS-for-hire service would rely on high-output servers rented from cloud service providers.

The abuse departments of those cloud providers may want to pay closer attention to who is using their servers from now on, because the upgrade from IoT devices to seriously powerful hardware is going to make for much more substantial DDoS attacks. In the meantime, we need to get back to the leaked credentials and see what sort of damage they can do.

How dangerous can the leaked usernames and passwords be?

As we mentioned already, the list of IPs, usernames, and passwords was published on a hacking forum, which means that wannabe cybercriminals who plan on launching a DDoS attack don't even need to go to the so-called dark web or pay any money to get what they need. Things might not be as simple as that, though.

After discovering the data, Catalin Cimpanu downloaded it, but for legal reasons, he decided not to confirm its validity by logging into unsuspecting people's devices. It must be said, however, that at least some of the credentials and IP addresses may no longer be usable. Furthermore, Cimpanu has shared the information with security researchers who are in the process of discovering the owners of some of the IP addresses and informing them of the leak. In other words, it's difficult to say just how dangerous the exposed data is. What we do know for certain is how it ended up where it is right now.

Gathering the information that would allow the compromising of more than half a million devices didn't require any actual hacking. Getting the IPs is as easy as running a query on a specialized search engine, and as for the usernames and passwords, there are two types of them. Some are the default credentials that the devices ship with, and the rest are custom but easy-to-guess usernames and passwords that the owners of the devices have set.

This highlights the real issue. Many people argue that the proliferation of IoT devices is making DDoS attacks easier, but the truth is slightly different. The problem doesn't lie with the increasing number of gadgets on our Wi-Fi networks. It lies with the fact that we are unwilling and/or unable to secure them properly.
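The three weaknesses the article describes (Telnet left enabled, factory-default credentials, and custom passwords that are easy to guess) are exactly what a defender can audit for in an asset inventory before anyone else does. The script below is an added example written for this article, not code from ZDNet, Cyclonis, or the leaked dump; the inventory lines, the device models and the table of default credentials are constructed for illustration, and the guessability heuristics are a deliberately small, readable subset of what a real password-policy checker would apply.

```python
"""Audit a device inventory for the weaknesses the leaked list was built on:
Telnet management enabled, vendor-default credentials, and short or
guessable custom passwords.

Added example. The inventory format, the device model names and the
DEFAULT_CREDENTIALS table are all constructed for illustration; nothing
here comes from the leaked data.
"""

from dataclasses import dataclass

# Constructed table of factory-default (username, password) pairs per model.
# In practice this would be filled from the vendor's own documentation.
DEFAULT_CREDENTIALS = {
    "cam-x1": {("admin", "admin"), ("admin", "")},
    "router-r2": {("root", "root"), ("admin", "password")},
}

# Constructed inventory, one device per line:
#   model,ip,management_protocol,username,password
INVENTORY = """\
cam-x1,192.0.2.10,telnet,admin,admin
cam-x1,192.0.2.11,ssh,admin,Kf7!pq2Lw9zT
router-r2,192.0.2.20,telnet,root,123456
router-r2,192.0.2.21,ssh,ops,router-r2
cam-x1,192.0.2.12,https,viewer,C0rrect-Horse-Battery
"""


@dataclass(frozen=True)
class Finding:
    ip: str
    issue: str


def is_guessable(username: str, password: str, model: str) -> bool:
    """Heuristics for the 'custom but easy-to-guess' class of passwords."""
    p = password.lower()
    if len(password) < 8:              # too short to resist online guessing
        return True
    if p.isdigit():                    # all-numeric PINs such as 123456
        return True
    if p in (username.lower(), model.lower()):  # password equals username/model
        return True
    if len(set(p)) <= 2:               # built from one or two repeated characters
        return True
    return False


def audit(inventory: str) -> list[Finding]:
    """Return one Finding per weakness found in the inventory text."""
    findings: list[Finding] = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        model, ip, proto, user, pw = line.split(",")
        if proto == "telnet":
            findings.append(Finding(ip, "telnet management enabled"))
        if (user, pw) in DEFAULT_CREDENTIALS.get(model, set()):
            findings.append(Finding(ip, "vendor-default credentials"))
        elif is_guessable(user, pw, model):
            findings.append(Finding(ip, "guessable password"))
    return findings


def devices_with_issue(inventory: str, issue: str) -> set[str]:
    """IPs that carry a particular issue, handy for a remediation ticket."""
    return {f.ip for f in audit(inventory) if f.issue == issue}


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(f"{finding.ip}: {finding.issue}")
```

Run against the constructed inventory, the audit flags both Telnet-managed devices, the camera still on its factory password, the router with a six-digit PIN, and the device whose "custom" password is simply its model name, while the two devices with long, non-dictionary passwords on SSH or HTTPS pass clean. Replacing the two constructed tables with a real inventory export and the vendor's documented defaults is all that is needed to use the same logic in practice.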

January 21, 2020