CyberSecurityBoard
Sponsor Register Login

VOIP-Based Botnet Attacking Routers Configured With Default Password

Security experts recommend organizations immediately audit Telnet exposure on VOIP-enabled systems, rotate or disable default credentials on edge devices, and implement dynamic IP blocking to defend against these coordinated attacks. All traffic from these compromised systems was Telnet-based, exhibiting characteristics consistent with botnet participation, including “Telnet Bruteforcer,” “Generic IoT Default Password Attempt,” and “Mirai” tags. The compromised devices shared common characteristics: Telnet login attempts using weak or default credentials, high session volumes, and scanning behavior aligned with known Mirai botnet variants. Using AI-powered analysis through their Model Context Protocol (MCP) server, researchers identified a unique network fingerprint: JA4t signature 5840_2-4-8-1-3_1460_1, which represented 90% of the malicious traffic. When GreyNoise researchers briefly mentioned the activity on social media, traffic from the New Mexico utility completely ceased, only to spike again shortly afterward, suggesting attackers actively monitor security community discussions. The discovery began when analysts noticed an unusual cluster of malicious IP addresses concentrated in rural New Mexico, leading to the identification of approximately 500 compromised devices worldwide. Some Cambium routers in the affected infrastructure may still be running firmware versions impacted by a remote code execution (RCE) vulnerability disclosed in 2017, though researchers could not confirm exploitation of that specific CVE. The analysis confirmed that many affected systems were VoIP-enabled devices, with hardware from Cambium Networks likely involved in portions of the campaign. These devices typically run older Linux-based firmware with Telnet services exposed by default, making them attractive targets for threat actors. Traced ~90 compromised devices in rural New Mexico to 500+ infected systems worldwide. This signature indicates similar hardware configurations across compromised hosts, suggesting coordinated targeting of specific device types.

This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 26 Jul 2025 06:00:18 +0000


Cyber News related to VOIP-Based Botnet Attacking Routers Configured With Default Password

The 5 Best VoIP Routers (Wired, Wireless, and Mesh) - As a VoIP router, it has everything you need, including redundant WAN ports for failover and load balancing, country-based QoS to prioritize VoIP traffic, outage reporting, VLAN traffic separation, support for various VPN connections, and LTE backup ...
9 months ago Techrepublic.com
Feds Disrupt Botnet Used by Russian APT28 Hackers - Federal law enforcement kicked Russian state hackers off a botnet comprising at least hundreds of home office and small office routers that had been pulled together by a cybercriminal group and co-opted by the state-sponsored spies. APT28, an ...
1 year ago Securityboulevard.com Fancy Bear APT28 Volt Typhoon
Stealthy KV-botnet hijacks SOHO routers and VPN devices - The Chinese state-sponsored APT hacking group known as Volt Typhoon has been linked to a sophisticated botnet named 'KV-botnet' since at least 2022 to attack SOHO routers in high-value targets. Volt Typhoon commonly targets routers, firewalls, and ...
1 year ago Bleepingcomputer.com Volt Typhoon
FBI disrupts Moobot botnet used by Russian military hackers - The FBI took down a botnet of small office/home office routers used by Russia's Main Intelligence Directorate of the General Staff in spearphishing and credential theft attacks targeting the United States and its allies. This network of hundreds of ...
1 year ago Bleepingcomputer.com Fancy Bear APT28 Turla Volt Typhoon
Feds go Fancy Bear hunting, take down Russia's GRU botnet The Register - The US government today said it disrupted a botnet that Russia's GRU military intelligence unit used for phishing expeditions, spying, credential harvesting, and data theft against American and foreign governments and other strategic targets. Moobot ...
1 year ago Go.theregister.com Fancy Bear Volt Typhoon
US Gov Disrupts SOHO Router Botnet Used by Chinese APT Volt Typhoon - The US government on Wednesday announced a major takedown of a botnet full of end-of-life Cisco and Netgear routers after researchers warned it was being used by Chinese state-backed hackers as a covert communications channel. The disruption comes ...
1 year ago Securityweek.com Volt Typhoon
VOIP-Based Botnet Attacking Routers Configured With Default Password - Security experts recommend organizations immediately audit Telnet exposure on VOIP-enabled systems, rotate or disable default credentials on edge devices, and implement dynamic IP blocking to defend against these coordinated attacks. All traffic from ...
8 hours ago Cybersecuritynews.com
Malware botnet bricked 600,000 routers in mysterious 2023 event - A malware botnet named 'Pumpkin Eclipse' performed a mysterious destructive event in 2023 that destroyed 600,000 office/home office internet routers offline, disrupting customers' internet access. According to researchers at Lumen's Black Lotus Labs, ...
1 year ago Bleepingcomputer.com
Malware botnet bricked 600,000 routers in mysterious 2023 attack - A malware botnet named 'Pumpkin Eclipse' performed a mysterious destructive event in 2023 that destroyed 600,000 office/home office internet routers offline, disrupting customers' internet access. According to researchers at Lumen's Black Lotus Labs, ...
1 year ago Bleepingcomputer.com
Massive 911 S5 Botnet Dismantled, Chinese Mastermind Arrested - The US Justice Department announced on Wednesday that the massive 911 S5 proxy botnet has been dismantled and its alleged administrator, a Chinese national, has been arrested. The Treasury Department earlier this week announced sanctions against ...
1 year ago Packetstormsecurity.com
"Largest Botnet Ever" Disrupted. 911 S5's Alleged Mastermind Arrested - A vast network of millions of compromised computers, being used to facilitate a wide range of cybercrime, has been disrupted by a multinational law enforcement operation. 35-year-old YunHe Wang, a dual citizen of China and St. Kitts and Nevis, is ...
1 year ago Tripwire.com
New Vo1d botnet variant infects 1.6 million Android TVs worldwide - A new variant of the Vo1d malware botnet has infected 1,590,299 Android TV devices across 226 countries, recruiting devices as part of anonymous proxy server networks. The Vo1d botnet is a multi-purpose cybercrime tool that turns compromised devices ...
4 months ago Bleepingcomputer.com
Vo1d malware botnet grows to 1.6 million Android TVs worldwide - A new variant of the Vo1d malware botnet has grown to 1,590,299 infected Android TV devices across 226 countries, recruiting devices as part of anonymous proxy server networks. The Vo1d botnet is a multi-purpose cybercrime tool that turns compromised ...
4 months ago Bleepingcomputer.com
New botnet malware exploits two zero-days to infect NVRs and routers - A new Mirai-based malware botnet named 'InfectedSlurs' has been exploiting two zero-day remote code execution vulnerabilities to infect routers and video recorder devices. The malware hijacks the devices to make them part of its DDoS swarm, ...
1 year ago Bleepingcomputer.com
Botnet Struck U.S. Routers; Here's How to Keep Employees Safe - State-sponsored hackers affiliated with China have targeted small office/home office routers in the U.S. in a wide-ranging botnet attack, Federal Bureau of Investigation Director Christopher Wray announced on Wednesday, Jan. 31. Most of the affected ...
1 year ago Techrepublic.com Volt Typhoon
Volt Typhoon-Linked SOHO Botnet Infects Multiple US Gov't Entities - Researchers have discovered an Internet of Things botnet linked with attacks against multiple US government and communications organizations. It comes built with a series of stealth mechanisms and the ability to spread further into local area ...
1 year ago Darkreading.com Volt Typhoon
Previously unidentified botnet infects unpatched TP-Link Archer home routers | The Record from Recorded Future News - Cato Networks found some evidence that the threat actor involved deploys tools to potentially steal data from infected networks.The IP address tied to the threat actor is no longer responding, the researchers said, adding that they have found a new ...
4 months ago Therecord.media CVE-2023-1389
Best Password Generators of 2024 to Secure Your Accounts - Overview of best password generators to secure online accounts. We have various password generators to help us protect our accounts and practical barriers to protect our sensitive information. We have compiled this list of the best password ...
1 year ago Cyberdefensemagazine.com
QNAP VioStor NVR vulnerability actively exploited by malware botnet - A Mirai-based botnet named 'InfectedSlurs' is exploiting a remote code execution vulnerability in QNAP VioStor NVR devices to hijack and make them part of its DDoS swarm. The botnet was discovered by Akamai's Security Intelligence Response Team in ...
1 year ago Bleepingcomputer.com CVE-2023-49897 CVE-2023-47565
Chinese APT Volt Typhoon Linked to Unkillable SOHO Router Botnet - Malware hunters in the United States have set eyes on an impossible to kill botnet packed with end-of-life SOHO routers serving as a covert data transfer network for Volt Typhoon, a Chinese government-backed hacking group previously caught targeting ...
1 year ago Securityweek.com Volt Typhoon Hunters
Chinese APT Volt Typhoon Linked to Unkillable SOHO Router Botnet - Malware hunters in the United States have set eyes on an impossible to kill botnet packed with end-of-life SOHO routers serving as a covert data transfer network for Volt Typhoon, a Chinese government-backed hacking group previously caught targeting ...
1 year ago Packetstormsecurity.com Volt Typhoon Hunters
DrayTek Routers at Risk From 14 New Vulnerabilities - The advice comes amid signs of growing threat actor activity — including by nation-state actors — targeting vulnerabilities in routers and other network devices from DrayTek and a variety of other vendors, including Fortinet, F5, QNAP, Ivanti, ...
9 months ago Darkreading.com CVE-2024-41592 CVE-2024-41585 CVE-2021-20123 CVE-2021-20124
FBI: End-of-life routers hacked for cybercrime proxy networks - In a related bulletin, the agency confirms that many of these routers are infected with a variant of the "TheMoon" malware, which enables threat actors to configure them as proxies. The FBI warns that threat actors are deploying malware on ...
2 months ago Bleepingcomputer.com
RUBYCARP hackers linked to 10-year-old cryptomining botnet - A Romanian botnet group named 'RUBYCARP' is leveraging known vulnerabilities and performing brute force attacks to breach corporate networks and compromise servers for financial gain. According to a new report by Sysdig, RUBYCARP currently operates a ...
1 year ago Bleepingcomputer.com CVE-2021-3129
Stealthier version of P2Pinfect malware targets MIPS devices - The latest variants of the P2Pinfect botnet are now focusing on infecting devices with 32-bit MIPS processors, such as routers and IoT devices. Due to their efficiency and compact design, MIPS chips are prevalent in embedded systems like routers, ...
1 year ago Bleepingcomputer.com CVE-2022-0543

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)