New Eleven11bot Botnet Infects 86,000 Devices for DDoS Attacks
Summary: A new botnet malware, dubbed 'Eleven11bot,' has infected over 86,000 IoT devices, primarily security cameras and network video recorders, to launch DDoS attacks against telecommunication providers and online gaming servers. Discovered by Nokia researchers, Eleven11bot is one of the largest DDoS botnets in recent years. Jérôme Meyer, a security researcher at Nokia, noted that the botnet's size is exceptional for non-state actor botnets, making it one of the largest DDoS campaigns since the Ukraine invasion in 2022. According to Meyer, the botnet's attacks have reached several hundred million packets per second and often last for multiple days.
Security Officer Comments: According to security firm GreyNoise, Eleven11bot spreads by brute-forcing weak or commonly used admin credentials, exploiting default credentials for specific IoT models, and scanning networks for exposed Telnet and SSH ports. A majority of devices infected by the Eleven11bot botnet reside in the United States, followed by the United Kingdom, Mexico, Canada, and Australia. Within the past month, GreyNoise has logged 1,400 IPs tied to the botnet's operation that have actively hit its sensors. Notably, 96% of these IPs are non-spoofable, meaning they originate from genuine, accessible devices. Furthermore, 61% of the 1,042 observed IPs have been traced back to Iran, with 305 IPs currently classified as malicious by GreyNoise.
Suggested Corrections: GreyNoise has published a list of IP addresses linked to Eleven11bot, which defenders can add to their blocklists and monitor for suspicious login attempts. To prevent the exploitation of unpatched vulnerabilities for initial access, IoT devices should be regularly updated. Additionally, to thwart brute-force attacks, default admin credentials should be replaced with strong, unique passwords. Since IoT devices often lack long-term vendor support, it's also important to periodically check for end-of-life status and replace outdated devices with newer models.
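The following is an added example, not code from GreyNoise or from this advisory, showing one way to act on the "blocklist and monitor for suspicious login attempts" advice: it scans constructed OpenSSH auth log lines, counts failed logins per source IP, flags sources that exceed a threshold or appear on a blocklist, and flags a successful login from a source that had been failing shortly before. The log lines and the blocklist entries are constructed placeholders (RFC 5737 documentation addresses); the published indicator list would be loaded in place of BLOCKLIST.

```python
import re
from collections import Counter

# Constructed sample sshd log lines for illustration; not real telemetry.
SAMPLE_AUTH_LOG = """\
Mar  4 10:01:02 nvr01 sshd[1234]: Failed password for root from 192.0.2.10 port 51234 ssh2
Mar  4 10:01:03 nvr01 sshd[1234]: Failed password for admin from 192.0.2.10 port 51236 ssh2
Mar  4 10:01:04 nvr01 sshd[1234]: Failed password for invalid user support from 192.0.2.10 port 51238 ssh2
Mar  4 10:01:05 nvr01 sshd[1234]: Failed password for admin from 198.51.100.7 port 40000 ssh2
Mar  4 10:02:00 nvr01 sshd[1240]: Accepted password for admin from 198.51.100.7 port 40002 ssh2
Mar  4 10:05:00 nvr01 sshd[1250]: Accepted publickey for ops from 203.0.113.5 port 22222 ssh2
"""

# Placeholder blocklist (constructed); replace with the published indicator list.
BLOCKLIST = {"192.0.2.10"}

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def analyze_auth_log(text, blocklist, threshold=3):
    """Return a list of alert dicts derived from sshd auth log text."""
    failures = Counter()      # source IP -> number of failed logins
    tried_users = {}          # source IP -> set of usernames attempted
    alerts = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            tried_users.setdefault(ip, set()).add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, ip = m.groups()
            # A success from a blocklisted source, or from a source that was
            # just failing, is worth an alert even if it never hit the threshold.
            if ip in blocklist:
                alerts.append({"kind": "blocklisted_login", "ip": ip, "user": user})
            elif failures[ip] > 0:
                alerts.append({"kind": "login_after_failures", "ip": ip, "user": user})
    for ip, count in failures.items():
        if ip in blocklist or count >= threshold:
            alerts.append({"kind": "bruteforce", "ip": ip, "attempts": count,
                           "users": sorted(tried_users[ip]), "blocklisted": ip in blocklist})
    return alerts
```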
Link(s): https://www.greynoise.io/blog/new-ddos-botnet-discovered