IoT Devices with Open Telnet Ports Vulnerable after Credential Leak

An anonymous post on Pastebin that went unnoticed earlier this summer has resurfaced after a researcher named Ankit Anubhav discovered that the post contained usernames and passwords for 8,233 unique IP addresses, including 2,174 internet-of-things (IoT) devices with the Telnet service enabled. Telnet is a communication protocol that allows remote interactive access to networked devices and systems over TCP port 23. The list, which has since been removed, included IP addresses along with the associated devices’ default usernames and passwords, such as admin:admin and root:root. Of those devices running Telnet, 1,774 reportedly remain accessible using the default credentials included in the post. Telnet is one of several remote access configurations that malicious actors can exploit to gain unauthorized remote access to devices and add them to a botnet or take control of the device and potentially disrupt service or steal data. For more information on the risk of insecure remote access configurations, review the NJCCIC's threat analysis from August 17 titled, "Remote Access: Open Ports Create Targets of Opportunity, Undue Risk." The NJCCIC strongly recommends users and administrators determine if devices under their control have default credentials and change them immediately. Moreover, the NJCICC recommends all organizations audit their networks to identify servers and devices with ports 22 (SSH), 23 (Telnet), and 3389 (RDP) enabled. Once identified, immediately close port 23 on all systems as well as any unneeded SSH and RDP ports. If the availability of remote access is required, the NJCCIC recommends that organizations implement IPsec or SSL VPNs.