A variant of IoT botnet, called Owari, that relies on default or weak credentials to hack insecure IoT devices was found itself using default credentials in its MySQL server integrated with command and control (C&C) server, allowing anyone to read/write their database.
Ankit Anubhav, the principal security researcher at IoT security firm NewSky Security, who found the botnets, published a blog post about his findings earlier today, detailing how the botnet authors themselves kept an incredibly week username and password combination for their C&C server's database.
Guess what the credentials could be?
These login credentials helped Anubhav gain access to the botnet and fetch details about infected devices, the botnet authors who control the botnet and also some of their customers (a.k.a. black box users), who have rented the botnet to launch DDoS attacks.
"Besides credentials, duration limit such as for how much time the user can perform the DDoS, maximum available bots for attack (-1 means the entire botnet army of the botmaster is available) and cooldown time (time interval between the two attack commands) can also be observed," Anubhav wrote.
Anubhav also found another botnet, which was also built with a version of Owari and its database was also exposed via weak credentials.
The C&C servers of both the botnets were located at 220.127.116.11 and 18.104.22.168, which are now offline, as "botnet operators are aware that their IPs will be flagged soon due to the bad network traffic," Anubhav wrote. "Hence to stay under the radar, they often voluntarily change attack IPs."