The Eleven11bot is a sizable botnet comprising over 30,000 compromised security cameras, primarily targeting telecom and gaming platforms with DDoS attacks. Research indicates a significant connection to Iran, with over 60% of the botnet’s IP addresses traced there. Security professionals urge the adoption of protective measures to fortify IoT devices against exploitation by this botnet.
A newly discovered botnet known as Eleven11bot, comprising over 30,000 compromised security cameras and network video recorders, is actively launching distributed denial-of-service (DDoS) attacks against telecom providers and gaming platforms. Researchers from Nokia Deepfield and GreyNoise have been analyzing this botnet, which mainly conducts brute-force attacks on login systems by exploiting weak or default passwords associated with Internet of Things (IoT) devices.
Research indicates that Iran is a significant source of this botnet, with over 60% of the identified 1,042 IP addresses linked to Eleven11bot traced back to the nation. Though GreyNoise has not made formal attributions, it noted that the attacks began soon after the Trump administration imposed new sanctions on Iran, reinforcing the “maximum pressure” strategy in place.
Security experts emphasize that Eleven11bot is operating with notable strength and persistence. Jerome Meyer of Nokia Deepfield described the botnet’s scale as “exceptional among non-state actor botnets,” ranking it among the largest DDoS campaigns observed since the onset of the Russian invasion of Ukraine in February 2022. Attack intensity varies widely, reportedly ranging from a few hundred thousand to several hundred million packets per second.
Censys researchers have tracked 1,400 IP addresses that may be associated with Eleven11bot, while GreyNoise reported 1,042 IPs engaged in attacks in the past month. Notably, 96% of these devices are categorized as non-spoofable, which confirms that the traffic originates from genuine IoT devices. Furthermore, Eleven11bot is targeting specific camera brands, such as VStarcam, whose hardcoded credentials make them particularly susceptible.
To combat the threat posed by Eleven11bot, GreyNoise suggests implementing several security measures. These include changing default passwords, disabling remote access, and ensuring firmware updates on IoT devices. Additionally, monitoring network activity for unusual login attempts is essential, as attackers often target Telnet and SSH credentials. Finally, organizations should block traffic from known malicious IP addresses to hinder further infiltration.
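The monitoring and blocking advice above can be sketched as a small log review, shown here as an added example that is not from GreyNoise or the original article. The syslog line layout, the threshold of three failures in 60 seconds, and all addresses (RFC 5737 documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data (RFC 5737 documentation addresses, not real indicators).
BLOCKLIST = ["203.0.113.0/24"]
SAMPLE_LOG = """\
2025-03-05T10:00:01 nvr1 sshd[811]: Failed password for root from 198.51.100.7 port 40122 ssh2
2025-03-05T10:00:04 nvr1 sshd[811]: Failed password for invalid user admin from 198.51.100.7 port 40124 ssh2
2025-03-05T10:00:09 nvr1 login[902]: FAILED LOGIN 1 FROM 198.51.100.7 FOR root, Authentication failure
2025-03-05T10:02:30 nvr1 sshd[815]: Failed password for operator from 192.0.2.44 port 51000 ssh2
2025-03-05T10:09:30 nvr1 sshd[815]: Failed password for operator from 192.0.2.44 port 51002 ssh2
2025-03-05T10:11:00 nvr1 sshd[820]: Failed password for root from 203.0.113.9 port 33010 ssh2
2025-03-05T10:20:00 nvr1 sshd[822]: Failed password for operator from 192.0.2.44 port 51004 ssh2
"""

# Failed SSH (sshd) or Telnet (login) lines; greedy ".*" keeps the last "from <ip> port".
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
FAILED = re.compile(
    r"^(\S+) \S+ (?:sshd\[\d+\]: Failed password for .* from " + IP + r" port \d+"
    r"|login\[\d+\]: FAILED LOGIN \d+ FROM " + IP + r" FOR )"
)

def review(log_text, blocklist, threshold=3, window=timedelta(seconds=60)):
    """Return {source_ip: sorted reasons} for addresses to block or investigate."""
    nets = [ipaddress.ip_network(n) for n in blocklist]
    recent, findings = defaultdict(deque), defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue                      # not a failed-login line
        try:
            ip = ipaddress.ip_address(m[2] or m[3])
        except ValueError:
            continue                      # malformed address, e.g. octet > 255
        ts = datetime.fromisoformat(m[1])
        if any(ip in net for net in nets):
            findings[str(ip)].add("blocklisted")
        q = recent[ip]                    # failure timestamps inside the window
        q.append(ts)
        while ts - q[0] > window:         # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            findings[str(ip)].add("brute-force")
    return {ip: sorted(reasons) for ip, reasons in findings.items()}

if __name__ == "__main__":
    print(review(SAMPLE_LOG, BLOCKLIST))
```

On the sample, 198.51.100.7 is flagged for three failures within nine seconds across SSH and Telnet, 203.0.113.9 is flagged on its first attempt because it is blocklisted, and 192.0.2.44 is not flagged because its failures are minutes apart.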
In conclusion, the Eleven11bot botnet represents a significant cybersecurity threat, leveraging compromised IoT devices, particularly security cameras, to conduct DDoS attacks. The predominance of Iranian IP addresses linked to this activity raises concerns regarding its geopolitical implications. To mitigate the risks associated with such botnets, it is crucial for organizations and individuals to enhance their online security measures and ensure the protection of their IoT devices.
Original Source: irannewsupdate.com