
A newly identified botnet, dubbed 'Eleven11bot,' has compromised over 86,000 Internet of Things (IoT) devices, including security cameras and network video recorders (NVRs), to execute distributed denial of service (DDoS) attacks. This botnet, which has potential connections to Iran, has already targeted telecommunication service providers and online gaming platforms.
Understanding the Eleven11bot Botnet
Researchers from Nokia discovered the Eleven11bot and shared their findings with GreyNoise, a threat monitoring platform. According to Nokia's security expert, the botnet is one of the largest observed in recent years, primarily consisting of compromised webcams and NVRs. The botnet has expanded rapidly to over 30,000 devices, making it a significant threat among non-state-actor botnets observed since early 2022.
Global Impact and Reach
The Shadowserver Foundation, a threat monitoring organization, reported that 86,400 devices are currently infected by Eleven11bot, with the majority located in the United States, United Kingdom, Mexico, Canada, and Australia. The botnet's attacks have reached volumes of several hundred million packets per second, often lasting for several days.
- Key Impacted Regions: United States, United Kingdom, Mexico, Canada, Australia
- Attack Volume: Hundreds of millions of packets per second
Technical Insights and Threat Mitigation
GreyNoise, in collaboration with Censys, identified 1,400 IP addresses associated with the botnet's operations in the past month, with 96% originating from real devices rather than spoofed ones. Most of these IPs are based in Iran, and over three hundred are classified as malicious.
Propagation and Defense Strategies
The malware spreads by brute-forcing weak or default admin credentials and scanning for exposed Telnet and SSH ports. GreyNoise has published a list of malicious IP addresses linked to Eleven11bot, recommending that defenders add these to their blocklists and monitor for suspicious login attempts.
- Spread Method: Brute-forcing weak credentials, scanning for open ports
- Defense Recommendations: Update firmware, disable unnecessary remote access, change default credentials
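The two defensive signals the article names (failed-login monitoring for the brute-force spread and a blocklist of known operator IPs) can be combined in one small triage script. The example below is added for this article and is not code from GreyNoise, Nokia or Censys: it parses constructed sshd/telnetd-style auth log lines from a hypothetical NVR host, flags any source that racks up a burst of failed logins inside a short window, notes whether a successful login followed the burst (a likely account compromise), and cross-checks every source against a blocklist. The log lines, the telnetd message format, the host name, the thresholds and the BLOCKLIST networks are all constructed placeholders; in practice BLOCKLIST would be populated from the published GreyNoise list.

```python
"""Spot credential brute-forcing on SSH/Telnet and cross-check sources against
an IP blocklist, run over constructed sample auth log lines.

Added example; not code from GreyNoise, Nokia or Censys. Log lines, the telnetd
message format, the blocklist entries and the thresholds are constructed
placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed syslog-style auth lines from a hypothetical NVR host "nvr01".
SAMPLE_LOG = """\
Mar  3 10:00:01 nvr01 sshd[412]: Failed password for root from 198.51.100.23 port 51022 ssh2
Mar  3 10:00:03 nvr01 sshd[413]: Failed password for admin from 198.51.100.23 port 51023 ssh2
Mar  3 10:00:04 nvr01 sshd[414]: Failed password for invalid user support from 198.51.100.23 port 51024 ssh2
Mar  3 10:00:06 nvr01 sshd[415]: Failed password for root from 198.51.100.23 port 51025 ssh2
Mar  3 10:00:08 nvr01 sshd[416]: Failed password for admin from 198.51.100.23 port 51026 ssh2
Mar  3 10:00:09 nvr01 sshd[417]: Accepted password for admin from 198.51.100.23 port 51027 ssh2
Mar  3 10:05:00 nvr01 sshd[420]: Failed password for operator from 192.0.2.8 port 40001 ssh2
Mar  3 10:20:00 nvr01 sshd[421]: Failed password for operator from 192.0.2.8 port 40002 ssh2
Mar  3 10:21:00 nvr01 sshd[422]: Accepted publickey for operator from 192.0.2.8 port 40003 ssh2
Mar  3 10:30:00 nvr01 telnetd[430]: login failed for root from 203.0.113.77
Mar  3 10:30:01 nvr01 telnetd[431]: login failed for admin from 203.0.113.77
Mar  3 10:30:02 nvr01 telnetd[432]: login failed for user from 203.0.113.77
Mar  3 10:30:03 nvr01 telnetd[433]: login failed for guest from 203.0.113.77
Mar  3 11:00:00 nvr01 sshd[440]: Failed password for root from 192.0.2.50 port 33001 ssh2
Mar  3 11:00:20 nvr01 sshd[441]: Failed password for root from 192.0.2.50 port 33002 ssh2
Mar  3 11:00:40 nvr01 sshd[442]: Failed password for admin from 192.0.2.50 port 33003 ssh2
Mar  3 11:01:00 nvr01 sshd[443]: Failed password for admin from 192.0.2.50 port 33004 ssh2
Mar  3 11:30:00 nvr01 sshd[450]: Accepted password for admin from 203.0.113.9 port 20001 ssh2
"""

# Constructed placeholder blocklist (substitute the published GreyNoise list).
BLOCKLIST = ["198.51.100.0/24", "203.0.113.0/24"]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<svc>sshd|telnetd)\[\d+\]: "
    r"(?P<result>Failed password|Accepted \w+|login failed) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_events(log_text):
    """Turn matching auth lines into event dicts; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # year-less syslog stamp
            "service": m["svc"],
            "user": m["user"],
            "ip": m["ip"],
            "success": m["result"].startswith("Accepted"),
        })
    return events


def detect_bruteforce(events, threshold=4, window=timedelta(minutes=5)):
    """Return {ip: finding} for sources with >= threshold failed logins inside
    any span of length `window`. A success at or after the last failure of the
    burst is recorded as success_after_burst (a likely account compromise)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["success"]]
        burst_end, start = None, 0
        for end, f in enumerate(fails):  # two-pointer sliding window over failures
            while f["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = f["ts"]
                break
        if burst_end is None:
            continue
        findings[ip] = {
            "failures": len(fails),
            "users": sorted({e["user"] for e in fails}),
            "services": sorted({e["service"] for e in evs}),
            "success_after_burst": any(e["success"] and e["ts"] >= burst_end for e in evs),
        }
    return findings


def in_blocklist(ip, blocklist=BLOCKLIST):
    """True if `ip` falls inside any network on the blocklist."""
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in blocklist)


def triage(log_text=SAMPLE_LOG, blocklist=BLOCKLIST):
    """Combine both signals: brute-force bursts annotated with blocklist hits,
    plus blocklisted sources that touched the host without producing a burst."""
    events = parse_events(log_text)
    findings = detect_bruteforce(events)
    for ip, f in findings.items():
        f["blocklisted"] = in_blocklist(ip, blocklist)
    quiet_blocklisted = sorted({e["ip"] for e in events
                                if in_blocklist(e["ip"], blocklist) and e["ip"] not in findings})
    return findings, quiet_blocklisted


if __name__ == "__main__":
    bursts, quiet = triage()
    for ip, f in bursts.items():
        print(f"{ip}: {f['failures']} failures on {f['services']}, users={f['users']}, "
              f"success_after_burst={f['success_after_burst']}, blocklisted={f['blocklisted']}")
    print("blocklisted sources without a burst:", quiet)
```

Reading the output, the source that is both blocklisted and logged in successfully after its burst is the one to act on first; a burst from an address that is not on the list is still worth blocking locally, since the published list lags the botnet's churn, and a blocklisted address that logs in quietly with a valid password is the case a threshold alone would miss.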