Passwords like ‘1234’ are still one of the biggest threats in IoT/OT

Default login credentials—usernames like “admin” and “root,” and identical or easy-to-guess passwords like “password”—remain the method of choice for hackers to spread IoT botnets, according to recently released research by Nozomi Networks. What’s more, industrial control systems (ICS) widely used in critical infrastructure continue to be riddled with vulnerabilities, including the use of hard-coded credentials.

“It’s really alarming because you would think by now, everyone knows to always change default passwords,” Roya Gordon, security research evangelist at Nozomi, told IT Brew. “But when you think of IoT devices, it’s a little bit more difficult because those devices are more in bulk.”

“We’re seeing default credentials being a tactic that threat actors are using time and time again to access these devices,” Gordon added.

The IoT research was based on detections by honeypots set up by Nozomi researchers, who found many malicious IP addresses attempting tens of thousands of break-ins to the honeypot in the second half of 2022. The credentials most used by these break-in attempts include “nproc:nproc,” “admin:admin,” “admin:1234,” and “root:root.” Those were followed by the usernames admin and root without any password at all.

The top malicious single IP address tried to access the security firm’s honeypots over 7,000 times, and some of those IPs appeared to have been compromised stretching back to the first half of 2021, according to Gordon.

“What that means is that they maintain persistence,” Gordon said. “If, over a year, they’re using the same IP address, that means they could be compromising a legitimate device.”

A recent analysis by security firm SynSaber found that of over 920 critical vulnerabilities in ICS advisories issued by the Cybersecurity and Infrastructure Security Agency (CISA) in the second half of 2022, around 35% can’t be fixed even if operators of the equipment wanted to. That’s because vendors for those products have yet to release patches or remediation.

The Nozomi report examined 218 ICS advisories released by CISA in the second half of 2022. Among the top 10 vulnerabilities identified in the report are out-of-bounds writes and reads,  improper input validation and access control, missing authentication for critical functions, SQL injection, stack-based buffer overflows, and hard-coded credentials. The sectors most affected by the vulnerabilities were critical manufacturing, energy, and waste/wastewater systems.

The report also details anonymized ICS intrusion alerts from participating Nozomi clients, with cleartext passwords (2.46 million) and weak passwords (1.67 million) popping up as the most frequent intrusions detected by telemetry.

Gordon told IT Brew that another concerning finding of the report was that “hacktivist” groups—as opposed to financially motivated cybercriminals and nation state-backed threat actors—are increasingly mounting attacks with tools more destructive than distributed denial of service or simple breaches.

“In the near future, it’s not really going to matter if the threat actor is a hacktivist or a criminal,” Gordon said. “It’s good to know what their motive is, but at the end of the day, if critical infrastructure is going to get disrupted, does it really matter why they’re doing it? Or is the focus how do we secure our networks? Because it seems like they’re sharing tools.”—TM

Do you work in IT or have information about your IT department you want to share? Email [email protected]. Want to go encrypted? Ask Tom for his Signal.