Hello, welcome to the Tuesday, August 29th, 2017 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich.

And the I'm recording from Jacksonville, Florida. I did a little experiment late last week where I rigged my DVR that is vulnerable to the infamous Merai exploit to just reboot every five minutes

in order to allow it to be continuously exploited. So the export we're talking about here is

the default password for Root that is XC 3511.

And ever since Mirai sort of popularized that particular attack, we have seen a never-ending stream

of infected systems looking for more bots.

Now I call these attacks Mirai, it's really dozens of different botnets and variations of this

basic exploits that pretty much do the same thing.

They try a small number of popular passwords in order to take over these systems. Using my small business cable modem connection with 5 IP addresses, it took about two minutes

between exploits for this DVR.

So what this really comes down to is that these kind of exploits are still alive and well. As far as I can tell, based on some

Shodan data, the sources of these scans are pretty much other vulnerable systems that got

taken over by different botnets. Sadly, there's very little that the end user can do about this. For example, for the DBR that

I'm using, I still haven't found a firmware update yet, and there's nothing that you can do

configuration-wise in order to disable that backdoor password. So really, the only thing you can do

is put these devices behind a firewall.

And cross your fingers that we don't have anything behind the firewall that will start

scanning for this vulnerability. And Intel's management engine that's included in many modern systems has cost, of course,

some security concerns in the past, either via vulnerabilities or the ability to access systems

via this feature or just its use as a covert channel.

Now, given all of these security issues, of course,

a lot of people have looked into disabling this feature,

...