Trusted Design

Defaulting on Passwords (Part 1): r0_bot

概要

Early in March, while studying the ChinaZ threat, it became readily apparent that default passwords were being used for more than just a supplementary attack vector. Several bots relied heavily, if not exclusively, on systems with weak and/or default passwords to spread. We setup a system with weak and default passwords to capture any and all malware spread in this fashion. For this first test, I selected 5 sets of passwords; admin/admin, guest/guest, ubnt/ubnt, cisco/cisco and ADMIN/ADMIN (the last for picking up folks scanning for Supermicro IPMI devices). Unsurprisingly, it took just under 3 hours for the first infection to hit. What did surprise us though was what password combination was first to be hit; ubnt/ubnt.

Created: 2026-02-23

Indicators

類似Pulses

Necurs Botnet Returns With Updated Locky Ransomware In Tow (score: 0.54)
Exploring a P2P Transient Botnet - From Discovery to Enumeration (score: 0.51)
MajikPOS Combines PoS Malware and RATs to Pull Off its Malicious Tricks (score: 0.50)
GamaPoS: The Andromeda Botnet Connection (score: 0.50)
Without Necurs, Locky Struggles (score: 0.50)

このPulseに関連する脅威アクター (事実ベース)

UNC3886

Score: 8.16

Matched TTPs:

T1689 - Downgrade Attack
T1564.013 - Bind Mounts

MITREへのリンク →

FIN13

Score: 3.62

Matched TTPs:

T1564.013 - Bind Mounts

MITREへのリンク →

Magic Hound

Score: 3.62

Matched TTPs:

T1564.013 - Bind Mounts

MITREへのリンク →

Ember Bear

Score: 6.14

Matched TTPs:

T1564.013 - Bind Mounts
T1097 - Pass the Ticket

MITREへのリンク →

APT38

Score: 6.14

Matched TTPs:

T1097 - Pass the Ticket
T1216 - System Script Proxy Execution

MITREへのリンク →

APT39

Score: 6.37

Matched TTPs:

T1097 - Pass the Ticket
T1599 - Network Boundary Bridging

MITREへのリンク →

APT28

Score: 7.06

Matched TTPs:

T1097 - Pass the Ticket
T1588.003 - Code Signing Certificates

MITREへのリンク →

Gamaredon Group

Score: 4.54

Matched TTPs:

T1061 - Graphical User Interface

MITREへのリンク →

APT42

Score: 3.84

Matched TTPs:

T1599 - Network Boundary Bridging

MITREへのリンク →

Storm-1811

Score: 3.84

Matched TTPs:

T1599 - Network Boundary Bridging

MITREへのリンク →

Mustang Panda

Score: 4.13

Matched TTPs:

T1055.005 - Thread Local Storage

MITREへのリンク →

Lazarus Group

Score: 7.75

Matched TTPs:

T1055.005 - Thread Local Storage
T1216 - System Script Proxy Execution

MITREへのリンク →

Axiom

Score: 4.54

Matched TTPs:

T1160 - Launch Daemon

MITREへのリンク →

APT37

Score: 3.62

Matched TTPs:

T1216 - System Script Proxy Execution

MITREへのリンク →

Medusa Group

Score: 3.62

Matched TTPs:

T1216 - System Script Proxy Execution

MITREへのリンク →

このPulseに関連する脅威アクター (推論ベース)

UNC3886

Score: 0.81

Matched TTPs:

T1689 - Downgrade Attack
T1564.013 - Bind Mounts

MITREへのリンク →

Lazarus Group

Score: 0.77

Matched TTPs:

T1055.005 - Thread Local Storage
T1216 - System Script Proxy Execution

MITREへのリンク →

APT28

Score: 0.72

Matched TTPs:

T1588.003 - Code Signing Certificates
T1097 - Pass the Ticket

MITREへのリンク →

APT39

Score: 0.63

Matched TTPs:

T1097 - Pass the Ticket
T1599 - Network Boundary Bridging

MITREへのリンク →

APT38

Score: 0.63

Matched TTPs:

T1216 - System Script Proxy Execution
T1097 - Pass the Ticket

MITREへのリンク →

Ember Bear

Score: 0.59

Matched TTPs:

T1097 - Pass the Ticket
T1564.013 - Bind Mounts

MITREへのリンク →

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクターグラフ

← Pulse一覧に戻る