A newly identified botnet comprising over 30,000 compromised security cameras and network video recorders is being actively used to launch distributed denial-of-service (DDoS) attacks against telecom providers and gaming platforms. Security researchers from Nokia Deepfield and GreyNoise have been tracking this botnet, known as Eleven11bot, which is responsible for widespread brute-force attacks targeting login systems and exploiting weak or default passwords on Internet of Things (IoT) devices.
Iran Identified as a Major Source
According to GreyNoise, over 60% of the 1,042 identified IP addresses associated with Eleven11bot have been traced to Iran. While the research firm refrains from making formal attributions, it highlighted that the attacks emerged shortly after the Trump administration imposed new sanctions on Iran, reinforcing its “maximum pressure” campaign.
Scale and Impact of the Botnet
Security experts warn that Eleven11bot is operating with significant strength and persistence. Jerome Meyer, a security researcher at Nokia Deepfield, described its scale as “exceptional among non-state actor botnets” and noted that it is one of the largest known DDoS botnet campaigns observed since the Russian invasion of Ukraine in February 2022.
The botnet’s attack intensity fluctuates, ranging from a few hundred thousand to several hundred million packets per second, Meyer shared on LinkedIn.
Technical Insights and Targeted Devices
Researchers at Censys have compiled a list of 1,400 IP addresses potentially linked to Eleven11bot, while GreyNoise has detected 1,042 IPs hitting its sensors over the past 30 days. Alarmingly, 96% of these are classified as non-spoofable, meaning the traffic originates from genuine, accessible IoT devices rather than from forged source addresses.
GreyNoise also identified that Eleven11bot is specifically targeting certain camera brands, including VStarcam, which have hardcoded credentials that make them particularly vulnerable.
Protective Measures Against Eleven11bot
To mitigate the threat posed by this botnet, GreyNoise recommends several security measures:
- Secure IoT Devices – Change default passwords, disable remote access, and update firmware regularly.
- Monitor Network Activity – Check network logs for unusual login attempts, as attackers frequently target Telnet and SSH credentials through brute-force attacks.
- Block Malicious Traffic – Restrict traffic from known malicious IP addresses to prevent further infiltration.
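The log-monitoring and blocking recommendations above can be combined in a small triage script. The following is an added example, not code from GreyNoise or Nokia Deepfield: it assumes OpenSSH-style syslog lines (Telnet daemons log in other formats and would need their own pattern), and the log lines, blocklist, threshold and window are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenSSH syslog format; IPs are documentation ranges, not real indicators.
SAMPLE_LOG = """\
Mar  3 10:00:01 nvr sshd[411]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 10:00:02 nvr sshd[412]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Mar  3 10:00:04 nvr sshd[413]: Failed password for invalid user support from 203.0.113.7 port 40114 ssh2
Mar  3 10:00:05 nvr sshd[414]: Failed password for root from 203.0.113.7 port 40115 ssh2
Mar  3 10:00:07 nvr sshd[415]: Failed password for invalid user admin from 203.0.113.7 port 40116 ssh2
Mar  3 10:05:00 nvr sshd[420]: Failed password for operator from 198.51.100.20 port 51000 ssh2
Mar  3 10:40:00 nvr sshd[431]: Failed password for operator from 198.51.100.20 port 51044 ssh2
Mar  3 10:41:00 nvr sshd[432]: Accepted password for operator from 198.51.100.20 port 51050 ssh2
Mar  3 11:00:00 nvr sshd[440]: Failed password for root from 192.0.2.55 port 33000 ssh2
"""
SAMPLE_BLOCKLIST = {"192.0.2.55"}  # constructed stand-in for a threat-intel feed

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")

def suspicious_sources(log_text, blocklist=frozenset(), threshold=5,
                       window=timedelta(seconds=60), year=2025):
    """Map source IP -> set of reasons: 'bruteforce' and/or 'blocklisted'."""
    recent = defaultdict(deque)      # ip -> timestamps of failures still inside the window
    reasons = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue                 # successful logins and other daemons are ignored
        ip = m["ip"]
        # Classic syslog omits the year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:    # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            reasons[ip].add("bruteforce")
        if ip in blocklist:
            reasons[ip].add("blocklisted")
    return dict(reasons)

if __name__ == "__main__":
    for ip, why in sorted(suspicious_sources(SAMPLE_LOG, SAMPLE_BLOCKLIST).items()):
        print(ip, ",".join(sorted(why)))
```

The source at 198.51.100.20 is not flagged: two failures 35 minutes apart followed by a successful login look like a mistyped password, which is why the count is taken over a sliding window and not over the whole log.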
As IoT devices continue to be a major target for cybercriminals, organizations and individuals must take proactive steps to secure their networked equipment and prevent exploitation by botnets like Eleven11bot.





