The Eleven11bot botnet, comprising over 30,000 compromised devices, is conducting DDoS attacks primarily against telecom and gaming companies. More than 60% of its IP addresses are linked to Iran, and security experts have marked it as one of the largest botnet campaigns since early 2022. Recommended protective measures include securing IoT devices and monitoring network activity.
A recently detected botnet, termed Eleven11bot, consists of over 30,000 compromised security cameras and network video recorders, utilized for distributed denial-of-service (DDoS) attacks against telecom providers and gaming platforms. Security experts from Nokia Deepfield and GreyNoise report that this botnet carries out extensive brute-force attacks leveraging weak or default passwords on Internet of Things (IoT) devices.
GreyNoise indicates that more than 60% of the 1,042 identified IP addresses linked to Eleven11bot trace back to Iran. Although the researchers do not officially attribute the attacks, they note that these incidents began following the imposition of new sanctions on Iran by the Trump administration, a timing they relate to the broader geopolitical context.
Experts express concern regarding the significant operational strength and persistence of Eleven11bot. Jerome Meyer, a security researcher at Nokia Deepfield, describes its scale as “exceptional among non-state actor botnets,” saying it ranks among the largest known DDoS botnet campaigns since the onset of the Russian invasion of Ukraine in February 2022. The botnet’s attack intensity varies widely, ranging from a few hundred thousand to several hundred million packets per second, as Meyer shared via LinkedIn.
In examining the botnet’s technical aspects, researchers at Censys identified 1,400 IP addresses potentially associated with Eleven11bot, while GreyNoise recorded 1,042 related IPs interacting with its systems in the past month. Disturbingly, 96% of these addresses fall into the non-spoofable category, indicating that they belong to legitimate and accessible IoT devices. Furthermore, GreyNoise has found that Eleven11bot predominantly targets specific camera brands, such as VStarcam, whose hardcoded credentials make them particularly susceptible to exploitation.
To counter the threats posed by Eleven11bot, GreyNoise suggests implementing various security measures:
1) Secure IoT devices by changing default passwords, disabling remote access, and regularly updating firmware.
2) Monitor network activity by reviewing logs for anomalous login attempts, particularly focusing on Telnet and SSH protocols vulnerable to brute-force attacks.
3) Block malicious traffic from known harmful IP addresses to thwart further infiltration.
Organizations and individuals are encouraged to take proactive steps to secure their networked devices and avoid potential exploitation by bots like Eleven11bot.
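The log review in measure 2 can be automated. The following is an added example, not part of the original article or of GreyNoise's tooling: it scans syslog for failed SSH and Telnet logins and reports the sources that exceed a failure threshold inside a sliding time window. The log lines, host name, thresholds, and the BusyBox-style Telnet `login` message format are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
Mar  3 10:00:01 nvr sshd[811]: Failed password for root from 203.0.113.5 port 40112 ssh2
Mar  3 10:00:04 nvr sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 40113 ssh2
Mar  3 10:00:09 nvr login[820]: invalid password for 'root' on 'pts/0' from '203.0.113.5'
Mar  3 10:00:15 nvr sshd[813]: Failed password for invalid user support from 203.0.113.5 port 40120 ssh2
Mar  3 10:00:21 nvr sshd[814]: Failed password for root from 203.0.113.5 port 40125 ssh2
Mar  3 10:02:00 nvr sshd[830]: Failed password for alice from 192.0.2.10 port 51000 ssh2
Mar  3 10:02:30 nvr sshd[830]: Accepted password for alice from 192.0.2.10 port 51000 ssh2
Mar  3 10:05:00 nvr login[840]: invalid password for 'admin' on 'pts/1' from '198.51.100.7'
Mar  3 10:25:00 nvr login[841]: invalid password for 'admin' on 'pts/1' from '198.51.100.7'
"""
# Failed-login patterns: OpenSSH sshd, and a BusyBox-style Telnet login message (assumed format).
PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"),
    re.compile(r"login\[\d+\]: invalid password for '(?P<user>[^']*)'.* from '(?P<ip>[^']+)'"),
]
TS = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)")

def parse_failures(text, year=2025):
    """Yield (timestamp, source_ip, username) per failed login; syslog omits the year."""
    for line in text.splitlines():
        ts = TS.match(line)
        m = next(filter(None, (p.search(line) for p in PATTERNS)), None)
        if ts and m:
            when = datetime.strptime(f"{year} {ts.group(1)}", "%Y %b %d %H:%M:%S")
            yield when, m["ip"], m["user"]

def brute_force_sources(text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: usernames tried} for sources with >= threshold failures in window."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    users = defaultdict(set)     # ip -> every username the source attempted
    flagged = set()
    for when, ip, user in sorted(parse_failures(text)):
        users[ip].add(user)
        recent[ip].append(when)
        while when - recent[ip][0] > window:
            recent[ip].popleft()  # expire failures older than the window
        if len(recent[ip]) >= threshold:
            flagged.add(ip)
    return {ip: sorted(users[ip]) for ip in flagged}

if __name__ == "__main__":
    print(brute_force_sources(SAMPLE_LOG))
```

The returned source addresses are candidates for the blocking described in measure 3, and the list of attempted usernames shows whether a source is cycling through default accounts.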
In summary, the Eleven11bot botnet poses a significant threat, utilizing a vast array of compromised security cameras and IoT devices for DDoS attacks. With a major portion of the identified IP addresses traced back to Iran, the geopolitical implications are noteworthy. The scale and intensity of this botnet’s activities demand urgent attention and proactive security measures to protect networked equipment from exploitation. Organizations are urged to implement comprehensive security practices to mitigate the risks associated with such cyber threats.
Original Source: irannewsupdate.com