Interesting password attacks

We recently deployed a real-time threat detection system around a collection of servers at SFU. One interesting thing it does is collect the frequencies of user names and passwords tried against some of our systems.

Top Combos of the Month:

The winner for October of this year is the classic root:root. This combo likely wins most months, as it is a hallmark of unconfigured devices. What all these passwords share is that they are often the default passwords used on embedded devices such as routers and IoT devices. Just a quick reminder to never use the default password on your devices, especially if they have a world-reachable IP address.

If we look a little deeper at the data, we find that the targets change on a daily basis.

Take, for example, this one-day slice. Many passwords are the same, but today the #2 most common password is root:xmhdipc. That seems like a pretty unique password, and we can figure out what the device is by searching Google for which devices use that user/password pair.

Sure enough, the affected device is a low-cost IP camera of a kind that is widely sold. What are the attackers doing once granted access? It is likely these devices make perfect additions to DDoS botnets, given that they are often connected to fast internet connections.
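One way to compute the monthly and daily tallies described above and surface combos like root:xmhdipc that rank high on a single day but not over the whole month. This is an added example, not the detection system's own code; the tab-separated record format (date, source IP, user, password), the function names and the sample records are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample records, one per login attempt (assumed format:
# date <TAB> source IP <TAB> user <TAB> password). IPs are documentation ranges.
SAMPLE = (
    ["2023-10-01\t192.0.2.10\troot\troot"] * 5
    + ["2023-10-01\t192.0.2.11\tadmin\tadmin"] * 3
    + ["2023-10-02\t198.51.100.7\troot\troot"] * 4
    + ["2023-10-02\t198.51.100.7\troot\txmhdipc"] * 3
    + ["2023-10-02\t192.0.2.11\tadmin\tadmin"]
    + ["truncated or malformed record"]
)

def parse(lines):
    """Yield (day, user, password); skip records that lack all four fields."""
    for line in lines:
        # maxsplit=3 keeps any further tabs inside the password field intact
        parts = line.rstrip("\n").split("\t", 3)
        if len(parts) != 4:
            continue
        day, _src_ip, user, password = parts
        yield day, user, password

def tally(records):
    """Count each user:password combo over the whole period and per day."""
    monthly, daily = Counter(), defaultdict(Counter)
    for day, user, password in records:
        monthly[(user, password)] += 1
        daily[day][(user, password)] += 1
    return monthly, daily

def daily_outliers(monthly, daily, top_n=3, baseline_n=3):
    """Per day, list (rank, combo, count) for combos in that day's top_n
    that are absent from the period-wide top baseline_n."""
    baseline = {combo for combo, _ in monthly.most_common(baseline_n)}
    flagged = {}
    for day in sorted(daily):
        ranked = enumerate(daily[day].most_common(top_n), start=1)
        hits = [(rank, combo, n) for rank, (combo, n) in ranked
                if combo not in baseline]
        if hits:
            flagged[day] = hits
    return flagged

if __name__ == "__main__":
    monthly, daily = tally(parse(SAMPLE))
    for day, hits in daily_outliers(monthly, daily, top_n=2, baseline_n=2).items():
        for rank, (user, password), n in hits:
            print(f"{day}: #{rank} {user}:{password} ({n} attempts)")
```

Attempted-password logs can also contain legitimate users' mistyped real passwords, so store and share this data with the same access controls as credentials.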