Security experts have called on Raspberry Pi and Linux users to change default passwords on their machines as new data revealed the extent of bot-driven attempts to hijack systems.
Cybersecurity vendor Bulletproof set up a series of honeypots in the public cloud to analyze the behavior of threat actors from November 2020 to November 2021.
It found that 70% of web traffic was made up of bot activity, with default credentials the most common passwords used by bad actors to attempt access. Of the top failed default credential login attempts targeting the honeypots, the Linux username and password “nproc” ranked second, and the combination of “pi” and “raspberry” came eighth.
“This is not surprising as our research shows that there are well over 200,000 machines on the internet running the standard Raspberry Pi OS making it a decent number of systems to compromise. As the Raspberry Pi OS ships with default credentials (un:pi/pwd:raspberry) it’s low-hanging fruit for hackers. What this tells us is that even default passwords are not being changed,” the report claimed.
“A target for a cyber-attack could be as simple as an office display screen using the Raspberry Pi operating system. Hackers will generally focus their attention on easy targets first and Raspberry Pi devices are cheap, easy to set up, have out-of-the-box benefits and will likely be connected over a VPN or Wi-Fi. If set up incorrectly, they increase the attack surface, risking hackers taking full operational control, and expose sensitive areas of the business.”
When it came to brute-force attacks, among the most common passwords used by attackers were “1,” “admin,” “admin123” and “PASswoRD.”
Over the year of the research, threat actors initiated 240,000 sessions, according to Bulletproof.
“Within milliseconds of a server being put on the internet, it is already being scanned by all manner of entities,” said the firm’s CTO, Brian Wagner. “Although some of our data shows legitimate research companies scanning the internet, the greatest proportion of traffic we encountered to our honeypot came from threat actors and compromised hosts.”