A new botnet malware named 'Eleven11bot' has infected over 86,000 IoT devices, primarily security cameras and network video recorders (NVRs), to conduct DDoS attacks. The botnet, which is loosely linked to Iran, has already launched distributed denial of service (DDoS) attacks targeting telecommunication service providers and online gaming servers.

Eleven11bot was discovered by Nokia researchers who shared the details with the threat monitoring platform GreyNoise. Nokia's security researcher, Jérôme Meyer, commented that Eleven11bot is one of the largest DDoS botnets they have observed in recent years. "Primarily composed of compromised webcams and Network Video Recorders (NVRs), this botnet has rapidly grown to exceed 30,000 devices," stated Meyer on LinkedIn. Meyer says the botnet's attacks have reached several hundred million packets per second in volume, and their duration often spans multiple days.

Earlier today, threat monitoring platform The Shadowserver Foundation reported seeing 86,400 devices infected by the Eleven11bot botnet, with most in the United States, the United Kingdom, Mexico, Canada, and Australia.

GreyNoise, with the help of Censys, logged 1,400 IPs tied to the botnet's operation in the past month, with 96% of them coming from real devices (not spoofed). GreyNoise reports that the malware is spread by brute-forcing weak or common admin user credentials, leveraging known default credentials for specific IoT models, and actively scanning networks for exposed Telnet and SSH ports.

GreyNoise has published a list of IP addresses linked to Eleven11bot and confirmed to be carrying out malicious actions, so defenders are recommended to add this list to their blocklists and monitor for suspicious login attempts. In general, it is advisable to ensure that all IoT devices run the latest firmware version, have their remote access features disabled if not needed, and that the default admin account credentials have been changed to something strong and unique. IoT devices do not generally enjoy long-term support from their vendors, so periodically checking that your devices have not reached end-of-life (EOL) and replacing those that have with newer models is crucial.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
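One way to act on the blocklist and login-monitoring advice above, as an added example that is not from the article, GreyNoise or Nokia: it checks SSH login events against a blocklist and flags repeated failures and logins that succeed after failures. The blocklist entries and log lines are constructed (documentation address ranges), and the OpenSSH syslog line format is assumed.

```python
import ipaddress
import re
from collections import Counter

# Constructed entries from RFC 5737 documentation ranges, standing in for a
# downloaded indicator list; these are not real Eleven11bot indicators.
BLOCKLIST = ["203.0.113.7", "198.51.100.0/28"]
# Constructed sshd lines in the usual OpenSSH syslog format (an assumption).
SAMPLE_LOG = """\
Mar  4 20:01:11 nvr1 sshd[811]: Failed password for admin from 203.0.113.7 port 40122 ssh2
Mar  4 20:01:13 nvr1 sshd[811]: Failed password for invalid user root from 203.0.113.7 port 40123 ssh2
Mar  4 20:01:15 nvr1 sshd[811]: Failed password for admin from 203.0.113.7 port 40124 ssh2
Mar  4 20:02:40 nvr1 sshd[815]: Failed password for admin from 198.51.100.9 port 51500 ssh2
Mar  4 20:02:44 nvr1 sshd[815]: Accepted password for admin from 198.51.100.9 port 51501 ssh2
Mar  4 20:05:02 nvr1 sshd[820]: Failed password for invalid user guest from 192.0.2.50 port 33010 ssh2
Mar  4 20:09:30 nvr1 sshd[824]: Accepted publickey for ops from 192.0.2.10 port 60222 ssh2
"""
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")

def load_networks(entries):
    """Parse single addresses and CIDR ranges into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_listed(ip, networks):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # hostname or malformed field in the log
    return any(addr in net for net in networks)

def triage(log_text, networks, threshold=3):
    """Return blocklisted sources, brute-force sources and suspect logins."""
    failures, listed, logins = Counter(), set(), []
    for line in log_text.splitlines():
        failed, ok = FAILED.search(line), ACCEPTED.search(line)
        match = failed or ok
        if not match:
            continue
        user, ip = match.groups()
        if is_listed(ip, networks):
            listed.add(ip)
        if failed:
            failures[ip] += 1
        elif ip in listed or failures[ip]:
            # Success from a listed source or after failures: review the device.
            logins.append((user, ip))
    brute = {ip for ip, n in failures.items() if n >= threshold}
    return {"listed": listed, "brute_force": brute, "suspect_logins": logins}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, load_networks(BLOCKLIST)))
```

A successful login that follows failed attempts from the same source, as with the constructed `198.51.100.9` entry, is the case to escalate first, since it suggests the device's credentials were guessed.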
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 04 Mar 2025 20:15:05 +0000