VOIP-Based Botnet Attacking Routers Configured With Default Password
GreyNoise researchers have uncovered a sophisticated global botnet campaign targeting VOIP-enabled routers and devices configured with default credentials.
The discovery began when analysts noticed an unusual cluster of malicious IP addresses concentrated in rural New Mexico, leading to the identification of approximately 500 compromised devices worldwide.
Key Takeaways
1. Hackers are exploiting VOIP routers with default Telnet passwords to build global botnets.
2. Researchers traced ~90 compromised devices in rural New Mexico to 500+ infected systems worldwide.
3. Organizations with VOIP systems face an immediate threat from unpatched, internet-facing devices.
Telnet Botnet Leveraging VoIP Devices
The investigation started when GreyNoise engineers detected ~90 malicious IP addresses originating from the Pueblo of Laguna Utility Authority in New Mexico, a region with just over 3,000 residents.
All traffic from these compromised systems was Telnet-based, exhibiting characteristics consistent with botnet participation, including “Telnet Bruteforcer,” “Generic IoT Default Password Attempt,” and “Mirai” tags.
Using AI-powered analysis through their Model Context Protocol (MCP) server, researchers identified a unique network fingerprint: JA4t signature 5840_2-4-8-1-3_1460_1, which represented 90% of the malicious traffic.
This signature indicates similar hardware configurations across compromised hosts, suggesting coordinated targeting of specific device types.
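The fingerprint clustering described above, as an added example rather than GreyNoise's own code: JA4T concatenates a SYN's window size, TCP option kinds, MSS and window scale, so grouping hostile sources by that string reveals whether one hardware profile dominates, and the Telnet-tagged members of that cluster are the natural input to the dynamic IP blocking recommended at the end of the article. The observation records, IPs, tags and the 75% threshold are constructed for the example.

```python
"""Cluster Telnet-scanner observations by JA4T TCP fingerprint (added example)."""
from collections import defaultdict

# Tags from the article that indicate Telnet / default-credential activity.
TELNET_TAGS = {"Telnet Bruteforcer", "Generic IoT Default Password Attempt", "Mirai"}


def ja4t(window_size, option_kinds, mss, window_scale):
    """JA4T string: window size, TCP option kinds joined by '-', MSS, window scale."""
    return f"{window_size}_{'-'.join(map(str, option_kinds))}_{mss}_{window_scale}"


# Constructed sample observations: (source IP, SYN fields, classifier tags).
# The four window-5840 / MSS-1460 / scale-1 entries mimic the cluster on the page;
# the last one is an unrelated source with a different TCP stack profile.
OBSERVATIONS = [
    ("203.0.113.10", (5840, (2, 4, 8, 1, 3), 1460, 1), {"Telnet Bruteforcer", "Mirai"}),
    ("203.0.113.11", (5840, (2, 4, 8, 1, 3), 1460, 1), {"Generic IoT Default Password Attempt"}),
    ("203.0.113.12", (5840, (2, 4, 8, 1, 3), 1460, 1), {"Telnet Bruteforcer"}),
    ("203.0.113.13", (5840, (2, 4, 8, 1, 3), 1460, 1), {"Mirai"}),
    ("198.51.100.7", (65535, (2, 4, 8, 1, 3), 1460, 7), {"Web Crawler"}),
]


def cluster_by_fingerprint(observations):
    """Map each JA4T fingerprint to the set of source IPs that produced it."""
    clusters = defaultdict(set)
    for ip, syn_fields, _tags in observations:
        clusters[ja4t(*syn_fields)].add(ip)
    return clusters


def dominant_cluster(observations, min_share=0.75):
    """Return (fingerprint, share of sources) for the largest cluster, or None if it
    covers less than min_share. One fingerprint covering most hostile sources is the
    hint that they share hardware/firmware, as with the 90% cluster on the page."""
    clusters = cluster_by_fingerprint(observations)
    fingerprint, ips = max(clusters.items(), key=lambda kv: len(kv[1]))
    share = len(ips) / len({ip for ip, _, _ in observations})
    return (fingerprint, share) if share >= min_share else None


def block_candidates(observations, fingerprint):
    """Sources matching the fingerprint that also carry a Telnet/default-credential tag."""
    return sorted(ip for ip, syn_fields, tags in observations
                  if ja4t(*syn_fields) == fingerprint and tags & TELNET_TAGS)


if __name__ == "__main__":
    hit = dominant_cluster(OBSERVATIONS)
    if hit:
        fingerprint, share = hit
        print(f"dominant JA4T {fingerprint} covers {share:.0%} of sources")
        print("dynamic block list:", block_candidates(OBSERVATIONS, fingerprint))
```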
The analysis confirmed that many affected systems were VoIP-enabled devices, with hardware from Cambium Networks likely involved in portions of the campaign.
These devices typically run older Linux-based firmware with Telnet services exposed by default, making them attractive targets for threat actors.
Researchers also identified approximately 500 IP addresses globally exhibiting similar behavioral patterns.
The compromised devices shared common characteristics: Telnet login attempts using weak or default credentials, high session volumes, and scanning behavior aligned with known Mirai botnet variants.
VOIP devices present particularly attractive targets because they are frequently internet-facing, lightly monitored, and infrequently patched.
Some Cambium routers in the affected infrastructure may still be running firmware versions impacted by a remote code execution (RCE) vulnerability disclosed in 2017, though researchers could not confirm exploitation of that specific CVE.
The campaign demonstrates how vulnerabilities remain part of the attack surface long after disclosure, with threat actors opportunistically targeting systems wherever available.
When GreyNoise researchers briefly mentioned the activity on social media, traffic from the New Mexico utility completely ceased, only to spike again shortly afterward, suggesting attackers actively monitor security community discussions.
Security experts recommend organizations immediately audit Telnet exposure on VOIP-enabled systems, rotate or disable default credentials on edge devices, and implement dynamic IP blocking to defend against these coordinated attacks.