Massive Iran-linked botnet launches DDoS attacks against telecom, gaming companies


Dive Brief:

  • A massive botnet comprising more than 30,000 hacked security cameras and network video recorders is being used to launch DDoS attacks against telecom providers and gaming platforms, according to security researchers from Nokia Deepfield and GreyNoise.
  • The botnet, tracked as Eleven11bot, is being used to launch brute force attacks against login systems and to exploit weak and default passwords on IoT devices, according to GreyNoise.
  • More than 60% of the 1,042 observed IP addresses have been traced to Iran, according to GreyNoise. The research firm does not formally make attributions, but it noted the attacks came days after the Trump administration imposed new sanctions on Iran, extending its “maximum pressure” campaign.

Dive Insight:

Researchers warn the botnet is engaged in sustained activity and is operating with considerable strength. 

“Its size is exceptional among non-state actor botnets, making it one of the largest known DDoS botnet campaigns observed since the invasion of Ukraine in February 2022,” Jerome Meyer, a security researcher at Nokia Deepfield, wrote on LinkedIn.

The intensity of the botnet has varied from a few hundred thousand to several hundred million packets per second, Meyer said on LinkedIn. 

Researchers at Censys provided a list of 1,400 IPs potentially linked to Eleven11bot. GreyNoise has seen 1,042 IPs hitting its sensors in the past 30 days. Researchers said 96% of the devices are non-spoofable, meaning they come from genuine, accessible devices.

GreyNoise warns the botnet is targeting specific camera brands, including VStarcam, that have hardcoded credentials.

GreyNoise suggests several steps to protect against such activity:

  • Secure IoT devices by changing passwords, disabling remote access and updating firmware.
  • Monitor network logs for unusual logins as attackers are brute forcing Telnet and SSH credentials. 
  • Block traffic from known malicious IP addresses.
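
As an added illustration of the log-monitoring and blocklist steps above (not code from GreyNoise or Nokia Deepfield), the following sketch scans SSH authentication logs for bursts of failed logins, for a successful login that follows such a burst, and for any contact from a blocklisted address. It assumes OpenSSH-style `sshd` messages with RFC 3339 timestamps; the thresholds, function name, sample lines and IP addresses are constructed for the example, and Telnet logs would need their own pattern.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (documentation IP ranges, hypothetical host "gw").
SAMPLE_LOG = """\
2025-03-04T10:00:01+00:00 gw sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
2025-03-04T10:00:03+00:00 gw sshd[812]: Failed password for root from 203.0.113.7 port 40113 ssh2
2025-03-04T10:00:05+00:00 gw sshd[813]: Failed password for invalid user support from 203.0.113.7 port 40114 ssh2
2025-03-04T10:00:07+00:00 gw sshd[814]: Failed password for root from 203.0.113.7 port 40115 ssh2
2025-03-04T10:00:09+00:00 gw sshd[815]: Failed password for root from 203.0.113.7 port 40116 ssh2
2025-03-04T10:00:11+00:00 gw sshd[816]: Accepted password for root from 203.0.113.7 port 40117 ssh2
2025-03-04T10:02:00+00:00 gw sshd[820]: Failed password for alice from 198.51.100.20 port 51000 ssh2
2025-03-04T10:02:20+00:00 gw sshd[821]: Accepted password for alice from 198.51.100.20 port 51001 ssh2
2025-03-04T10:05:00+00:00 gw sshd[830]: Failed password for invalid user guest from 192.0.2.99 port 33000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_suspicious_logins(log_text, blocklist=(), max_failures=5,
                           window=timedelta(minutes=1)):
    """Return {source_ip: set of reasons} for sources worth investigating."""
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    flagged = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # not an sshd password event
        ip, ts = m["ip"], datetime.fromisoformat(m["ts"])
        if ip in blocklist:
            flagged[ip].add("blocklisted")
        if m["result"] == "Failed":
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= max_failures:
                flagged[ip].add("brute-force")
        elif "brute-force" in flagged.get(ip, ()):
            # A success right after a burst suggests a guessed credential.
            flagged[ip].add("login-after-brute-force")
    return dict(flagged)

if __name__ == "__main__":
    for ip, reasons in find_suspicious_logins(SAMPLE_LOG, {"192.0.2.99"}).items():
        print(ip, sorted(reasons))
```

A single mistyped password followed by a successful login, as with the 198.51.100.20 entries in the sample, stays below the threshold and is not reported.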


