A new botnet malware named ‘Eleven11bot’ has infected over 86,000 IoT devices, primarily security cameras and network video recorders (NVRs), to conduct DDoS attacks.
The botnet, which is loosely linked to Iran, has already launched distributed denial of service (DDoS) attacks targeting telecommunication service providers and online gaming servers.
Eleven11bot was discovered by Nokia researchers who shared the details with the threat monitoring platform GreyNoise.
Nokia’s security researcher, Jérôme Meyer, commented that Eleven11bot is one of the largest DDoS botnets they have observed in recent years.
“Primarily composed of compromised webcams and Network Video Recorders (NVRs), this botnet has rapidly grown to exceed 30,000 devices,” stated Meyer on LinkedIn.
“Its size is exceptional among non-state actor botnets, making it one of the largest known DDoS botnet campaigns observed since the invasion of Ukraine in February 2022.”
Earlier today, threat monitoring platform The Shadowserver Foundation reported seeing 86,400 devices infected by the Eleven11bot botnet, with most in the United States, the United Kingdom, Mexico, Canada, and Australia.
Source: The Shadowserver Foundation
Meyer says the botnet’s attacks have reached several hundred million packets per second in volume, and their duration often spans multiple days.
GreyNoise, with the help of Censys, logged 1,400 IPs tied to the botnet’s operation in the past month, with 96% of them coming from real devices (not spoofed).
Source: GreyNoise
The majority of those IP addresses are based in Iran, while over three hundred are classified as malicious by GreyNoise.
GreyNoise reports that the malware is spread by brute-forcing weak or common admin user credentials, leveraging known default credentials for specific IoT models, and actively scanning networks for exposed Telnet and SSH ports.
GreyNoise has published a list of IP addresses linked to Eleven11bot and confirmed to carry malicious actions, so defenders are recommended to add this list to their blocklists and monitor for suspicious login attempts.
In general, it is advisable to ensure that all IoTs run the latest firmware version, have their remote access features disabled if not needed, and that the default admin account credentials have been changed with something strong and unique.
IoTs do not generally enjoy long-term support from their vendors, so periodically checking that your devices have not reached end-of-life (EOL) and replacing those that have with newer models is crucial.