Attackers Use Default Credentials to Target Enterprises; Raspberry Pi and Linux Are Top Targets

Findings from a Bulletproof report highlight the problem of poor security hygiene, as automated attacks remain a high security threat to enterprises. Research collected throughout 2021 has shown that 70% of total web activity is currently bot traffic.

As attackers increasingly deploy automated attack methods, default credentials are the most common passwords used by these malicious actors, effectively acting as a “skeleton key” for criminal access.

Default credentials providing an entry point for attackers

The research revealed that attackers repeatedly gain access to servers using the same common passwords. Some of these are default passwords that have not been changed since they were introduced by the company.

The main failed login attempts on the honeypot servers used the following credentials:

“On the list are the default Raspberry Pi credentials (un:pi/pwd:raspberry). There are over 200,000 machines on the internet running the standard Raspberry Pi operating system, making this a reasonable target for bad actors. We can also see what the credentials used on Linux machines look like (un:nproc/pwd:nproc). This highlights a key issue – the default credentials are still not changed,” said Brian Wagner, CTO at Bulletproof.

“Using default credentials provides one of the easiest entry points for attackers, acting as a ‘skeleton key’ for multiple hacks. Using legitimate credentials can allow attackers to avoid detection and makes attack investigation and monitoring much more difficult.”

A quarter of the passwords used by attackers today come from the December 2009 RockYou database leak. This level of activity indicates that these passwords remain viable.

Main passwords used in brute force attacks:


More than 240,000 sessions

During the research, bad actors initiated over 240,000 sessions. The most active IP address, which connected from a German server, initiated over 915 sessions and spent a total of five hours on the Bulletproof honeypot. Another attacker spent 15 hours on the honeypot, successfully logging in 29 times with over 30 unique passwords.

In total, 54% of the more than 5,000 unique IP addresses had information suggesting that they were malicious IP addresses.

“A few milliseconds after a server comes online, it is already scanned by all kinds of entities. Botnets will target it and then a host of malicious traffic will be directed to the server,” Wagner continued. “Although some of our data shows that legitimate research companies scan the Internet, the largest proportion of the traffic we encountered to our honeypot came from malicious actors and compromised hosts.”

“This information, combined with our data, underscores the importance of proactive monitoring to ensure you are aware of the threats facing your business on a daily basis, as well as a proven incident response plan.”
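One way to apply that monitoring advice to the default accounts named in the report (pi, nproc), as an added example that is not from Bulletproof or the original article: it scans OpenSSH auth log lines and flags password logins to those accounts, rating them higher when the same source address failed a login earlier. The log lines are constructed, and the function name `analyze` and the severity labels are assumptions of this example.

```python
import re
from collections import defaultdict

# Default account names called out in the report.
DEFAULT_USERS = {"pi", "nproc"}

# Constructed sample lines in OpenSSH sshd syslog format (documentation IP ranges).
SAMPLE_LOG = """\
Mar  3 10:15:01 host sshd[1201]: Failed password for invalid user nproc from 203.0.113.7 port 40112 ssh2
Mar  3 10:15:03 host sshd[1201]: Failed password for pi from 203.0.113.7 port 40114 ssh2
Mar  3 10:15:05 host sshd[1203]: Accepted password for pi from 203.0.113.7 port 40116 ssh2
Mar  3 10:20:44 host sshd[1310]: Accepted publickey for alice from 198.51.100.20 port 51000 ssh2
Mar  3 10:21:10 host sshd[1322]: Failed password for root from 192.0.2.55 port 33000 ssh2
Mar  3 10:22:00 host sshd[1330]: Accepted password for pi from 198.51.100.20 port 51022 ssh2
"""

# Matches both "for <user>" and "for invalid user <user>" variants.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def analyze(log_text, default_users=DEFAULT_USERS):
    """Return (failed attempts on default accounts per IP, alerts).

    An alert is a successful password login to a default account. Severity is
    'high' if the same IP failed any login earlier in the log, else 'review'.
    """
    failures_by_ip = defaultdict(int)      # every failed attempt, per source IP
    default_failures = defaultdict(int)    # failed attempts on default accounts
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        user, ip = m["user"], m["ip"]
        if m["result"] == "Failed":
            failures_by_ip[ip] += 1
            if user in default_users:
                default_failures[ip] += 1
        elif m["method"] == "password" and user in default_users:
            severity = "high" if failures_by_ip[ip] else "review"
            alerts.append((severity, user, ip))
    return dict(default_failures), alerts

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A 'review' alert still matters: a default account that accepts a password login at all means the account exists and password authentication is enabled for it.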

About Jon Moses
