Hajime Botnet

Posted: April 2, 2019

The Hajime Botnet is a mysterious project that has been dormant for a long time, although its network keeps expanding rapidly. Cybersecurity researchers have determined that this is a modified variant of the Mirai botnet, and it once again targets Internet-of-Things (IoT) devices by taking advantage of various vulnerabilities:

  • Exploiting the TR-069 NewNTPServer feature.
  • Attacking default Telnet passwords.
  • Attacking ARRIS cable modems using default credentials.

Because the Hajime Botnet’s attacks are not tied to a particular device model, it needs only a simple check to see what sort of device architecture it has to work with. While other botnets may target particular devices and models, the Hajime Botnet can target almost any device connected to the Internet, apart from the few networks that the operator has blacklisted. When the Hajime Botnet establishes a connection with a device, it checks the device's architecture and determines which binary it should download to the compromised machine to continue the attack.

To make the Hajime Botnet’s Telnet password brute-forcing more efficient, its operators have included a list of ‘Telnet Welcome Messages’ that their targets may use. If a specific welcome message is detected, the Hajime Botnet will first try to log in using the default credentials.
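On the defensive side, the Telnet brute-forcing described above shows up in device or gateway logs as a burst of failed logins from one source, sometimes followed by a success. The detector below is an added example, not code from the botnet or from any vendor; the log format, the thresholds and the sample lines are constructed assumptions, and lines are assumed to be in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a hypothetical format:
#   "<ISO timestamp> telnet <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2019-04-02T10:00:01 telnet 198.51.100.7 root FAIL
2019-04-02T10:00:03 telnet 198.51.100.7 admin FAIL
2019-04-02T10:00:05 telnet 198.51.100.7 support FAIL
2019-04-02T10:00:08 telnet 198.51.100.7 admin OK
2019-04-02T10:05:00 telnet 192.0.2.10 operator FAIL
2019-04-02T11:30:00 telnet 192.0.2.10 operator OK
2019-04-02T12:00:00 telnet 203.0.113.9 root FAIL
2019-04-02T12:00:02 telnet 203.0.113.9 guest FAIL
2019-04-02T12:00:04 telnet 203.0.113.9 user FAIL
"""

def detect_telnet_bruteforce(log_text, max_failures=3, window=timedelta(seconds=60)):
    """Map each suspicious source to 'bruteforce' or 'success_after_burst'."""
    recent = defaultdict(deque)  # source -> timestamps of failures inside the window
    verdict = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != "telnet":
            continue  # ignore malformed or non-Telnet lines
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # ignore lines with an unparseable timestamp
        src, result = parts[2], parts[4]
        failures = recent[src]
        while failures and ts - failures[0] > window:
            failures.popleft()  # drop failures that fell out of the window
        if result == "FAIL":
            failures.append(ts)
            if len(failures) >= max_failures:
                verdict.setdefault(src, "bruteforce")
        elif result == "OK" and failures and verdict.get(src) == "bruteforce":
            # A login succeeded while the failure burst was still fresh:
            # treat the device as possibly taken over and investigate first.
            verdict[src] = "success_after_burst"
    return verdict

if __name__ == "__main__":
    for source, label in detect_telnet_bruteforce(SAMPLE_LOG).items():
        print(source, label)
```

A source that fails once and logs in much later, like 192.0.2.10 in the sample, is not flagged.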

The good news about the Hajime Botnet is that its authors have added a short message to the configuration files used during the attack – they claim that their botnet is not being used for evil purposes and, instead, they are helping secure vulnerable systems. There is no way to know whether this is true or not, but the advice is to not take any risks – apply all pending firmware and software updates to your IoT devices, and use strong login credentials to reduce the risk of attacks like this one.