Iran-Linked Eleven11bot: A Large-Scale DDoS Threat Exploiting IoT Devices

The Eleven11bot is a substantial botnet utilizing over 30,000 compromised security cameras for DDoS attacks, with over 60% of associated IP addresses traced to Iran. Security experts have noted its significant scale and impact, making it one of the largest botnet campaigns since the Russian invasion of Ukraine. Proactive security measures are crucial for individuals and organizations to protect against such threats.

The Eleven11bot is a newly uncovered botnet comprising over 30,000 compromised security cameras and network video recorders. It is actively engaged in launching distributed denial-of-service (DDoS) attacks against telecom providers and gaming platforms. Researchers from Nokia Deepfield and GreyNoise have been monitoring this botnet, which has been behind numerous brute-force attacks that exploit weak or default passwords on various Internet of Things (IoT) devices.

GreyNoise reports that more than 60% of the 1,042 IP addresses it has linked to Eleven11bot are traced back to Iran. Although GreyNoise does not formally attribute the attacks to the Iranian government, it notes that the attacks began shortly after the Trump administration imposed new sanctions as part of its broader “maximum pressure” campaign against Iran.

The operational scale of Eleven11bot is significant, with security experts cautioning that it demonstrates remarkable strength and persistence. Jerome Meyer, a security researcher at Nokia Deepfield, characterized its scale as “exceptional among non-state actor botnets,” marking it as one of the largest DDoS botnet campaigns since the onset of the Russian invasion of Ukraine in February 2022. The botnet’s attack intensity can vary drastically, with reported packets per second ranging from hundreds of thousands to hundreds of millions.

Researchers at Censys have identified approximately 1,400 IP addresses potentially associated with Eleven11bot, while GreyNoise has detected 1,042 such IP addresses in the last 30 days. Notably, 96% of these devices are categorized as non-spoofable, indicating they are genuine IoT devices. GreyNoise also revealed that Eleven11bot specifically targets certain brands of cameras, such as VStarcam, whose hardcoded credentials make them susceptible to compromise.

To safeguard against Eleven11bot and similar threats, GreyNoise has proposed several recommendations:
1. Secure IoT Devices: Change default passwords, disable remote access, and regularly update device firmware.
2. Monitor Network Activity: Review network logs for any unusual login attempts, especially targeting Telnet and SSH through brute-force tactics.
3. Block Malicious Traffic: Limit traffic from identified malicious IP addresses to prevent further infiltration.
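As an added illustration of recommendations 2 and 3 (not code from GreyNoise or the original article), the following sketch scans authentication logs for sources that fail many SSH or Telnet logins within a short window and returns them as candidates for blocking. The log lines are constructed samples using documentation IP ranges, the Telnet `login` line format is an assumption, and the threshold and window values are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (documentation IP ranges), not from any real incident.
SAMPLE_LOG = """\
2025-03-05T10:00:01 cam-gw sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
2025-03-05T10:00:03 cam-gw sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40114 ssh2
2025-03-05T10:00:04 cam-gw login[902]: FAILED LOGIN 1 FROM 203.0.113.7 FOR support, Authentication failure
2025-03-05T10:00:06 cam-gw sshd[811]: Failed password for invalid user guest from 203.0.113.7 port 40120 ssh2
2025-03-05T10:00:09 cam-gw sshd[811]: Failed password for root from 203.0.113.7 port 40131 ssh2
2025-03-05T10:02:00 cam-gw sshd[815]: Failed password for alice from 198.51.100.20 port 51000 ssh2
2025-03-05T10:40:00 cam-gw sshd[815]: Failed password for alice from 198.51.100.20 port 51002 ssh2
2025-03-05T10:41:00 cam-gw sshd[815]: Accepted password for alice from 198.51.100.20 port 51004 ssh2
"""

# SSH failures in OpenSSH syslog form; Telnet failures in an assumed login(1) form.
PATTERNS = [
    ("ssh", re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")),
    ("telnet", re.compile(r"login\[\d+\]: FAILED LOGIN \d+ FROM (\S+) FOR (\S+),")),
]

def parse_failures(text):
    """Yield (timestamp, service, source_ip, username) for each failed login line."""
    for line in text.splitlines():
        stamp = line.split(" ", 1)[0]
        for service, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                user, ip = m.groups() if service == "ssh" else m.groups()[::-1]
                yield datetime.fromisoformat(stamp), service, ip, user

def brute_force_sources(text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: details} for sources with >= threshold failures inside one window."""
    recent = defaultdict(deque)   # ip -> failures still inside the sliding window
    flagged = {}
    for ts, service, ip, user in sorted(parse_failures(text)):
        q = recent[ip]
        q.append((ts, service, user))
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = {"failures": len(q), "users": sorted({u for _, _, u in q}),
                           "services": sorted({s for _, s, _ in q})}
    return flagged

if __name__ == "__main__":
    for ip, info in brute_force_sources(SAMPLE_LOG).items():
        print(ip, info)
```

Many distinct usernames from one source in a short window is typical of default-credential guessing, while the second source's two widely spaced failures followed by a success is left unflagged.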

As cybercriminals increasingly target IoT devices, it is imperative for both organizations and individuals to take proactive measures to secure their networked devices and thwart potential exploitation by botnets such as Eleven11bot.

The emergence of the Eleven11bot signifies a credible threat due to its scale, operating strength, and the specific vulnerabilities it exploits within IoT devices. With a significant percentage of its targeted IPs traced back to Iran and its ability to launch intense DDoS attacks, proactive security measures are essential. By securing devices, monitoring networks, and blocking malicious traffic, the risks posed by such botnets can be mitigated effectively.

Original Source: irannewsupdate.com

About Sofia Nawab

Sofia Nawab is a talented feature writer known for her in-depth profiles and human-interest stories. After obtaining her journalism degree from the University of London, she honed her craft for over a decade at various top-tier publications. Sofia has a unique gift for capturing the essence of the human experience through her writing, and her work often spans cultural and social topics.
