Date: 2017-09-01

When Johannes Ullrich, dean of research at the SANS Technology Institute, exposed a digital video recorder to the Internet, he was probably expecting the worst to happen. His expectations were met, and then some. After being online for just 45 hours, the IoT device had been accessed more than 1,250 times by attackers using the correct login credentials. It should be pointed out that the DVR in the research was rigged to reboot every five minutes so that all login attempts could be logged more accurately. This is because some of the malware installed by attackers disables telnet post-infection in order to prevent other attackers from exploiting the now pwned device. It's this that allowed the true scope of the attack to be logged: a successful credentials-based attack once every two minutes on average.

This won't come as any great surprise to those within the security research sector, as all IoT honeypot systems are attacked equally ferociously. Indeed, ever since the Mirai malware, which seeks out and compromises IoT devices to build offensive botnets, launched as the proof of concept that nobody wanted to see, vendors have been reporting a flow of probing requests on ports 22, 23 and 2323 looking for default credentials.

What the SANS research also revealed, courtesy of the nearly 600 logged IPs that were known to the Shodan IoT discovery search engine, was that the attackers covered a broad swathe of the world map. Perhaps predictably, the threat actor hotspots appear to be China, South Korea, India and Brazil, followed by Russia, the United States and Turkey. This pretty much matches the early geographic spread of Mirai activity. According to Ullrich, "we see a pretty steady set of 100,000 to 150,000 sources participating in telnet scans. This problem isn't going away anytime soon."