Eleven11bot Captures 86,000 IoT Devices for DDoS Attacks
Threat intelligence researchers are tracking a massive and fast-growing botnet comprising primarily security cameras and network video recorders that is launching distributed denial-of-service (DDoS) attacks in the United States and elsewhere.
Analysts with Nokia’s Deepfield Emergency Response Team said over the weekend that the Eleven11bot includes more than 30,000 compromised devices, though the Shadowserver Foundation put that figure at more than 86,000.
Either way, it is among the largest botnet campaigns by a non-state actor seen since Russia’s invasion of Ukraine three years ago, according to Nokia, and researchers with cybersecurity firm GreyNoise said some of its actions indicate that the bad actors behind it are trying to grow it even more.
Those actions include brute-force attacks against login systems, exploiting weak and default passwords on Internet of Things (IoT) devices, targeting particular brands of security cameras such as VStarcam by using hardcoded credentials, and scanning networks for exposed Telnet and SSH ports, which are often left unprotected on IoT hardware.
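The recruitment activity described above (credential brute-forcing over Telnet and SSH, with default account names tried first) leaves a recognisable trail in device or gateway logs. The following is an added detection example, not code from the article or from any of the vendors it cites: it parses constructed syslog-style failure lines from sshd and a telnet daemon, keeps a sliding window of failures per source address, and raises one alert per source once the failure rate crosses a threshold. The log formats, the hostname, the IP addresses and the list of default account names are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in a syslog-like format (not from the article).
# The sshd lines follow the common "Failed password for ..." shape; the
# telnetd lines use an assumed format, since telnet daemons vary widely.
SAMPLE_LOG = """\
2025-03-04T10:00:01 cam01 sshd[311]: Failed password for root from 203.0.113.7 port 51122 ssh2
2025-03-04T10:00:02 cam01 sshd[311]: Failed password for admin from 203.0.113.7 port 51123 ssh2
2025-03-04T10:00:03 cam01 sshd[311]: Failed password for invalid user support from 203.0.113.7 port 51124 ssh2
2025-03-04T10:00:04 cam01 telnetd[412]: login failed for user admin from 203.0.113.7
2025-03-04T10:00:05 cam01 telnetd[412]: login failed for user root from 203.0.113.7
2025-03-04T10:00:06 cam01 sshd[311]: Failed password for user from 203.0.113.7 port 51125 ssh2
2025-03-04T10:00:30 cam01 sshd[311]: Failed password for admin from 198.51.100.9 port 40001 ssh2
2025-03-04T10:05:00 cam01 sshd[311]: Failed password for admin from 198.51.100.9 port 40002 ssh2
2025-03-04T10:05:10 cam01 sshd[311]: Accepted password for operator from 192.0.2.44 port 40010 ssh2
"""

SSH_FAIL = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
TELNET_FAIL = re.compile(
    r"^(?P<ts>\S+) \S+ telnetd\[\d+\]: login failed for user (?P<user>\S+) from (?P<src>\S+)"
)

# Account names that commonly ship as factory defaults on IoT gear (assumed list).
DEFAULT_ACCOUNTS = {"root", "admin", "user", "support", "guest"}


def parse_failure(line):
    """Return a dict for a failed-login line, or None for anything else."""
    for service, pattern in (("ssh", SSH_FAIL), ("telnet", TELNET_FAIL)):
        m = pattern.match(line)
        if m:
            return {
                "ts": datetime.fromisoformat(m.group("ts")),
                "service": service,
                "user": m.group("user"),
                "src": m.group("src"),
            }
    return None


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Alert once per source IP when >= threshold failures land within window_s seconds.

    Lines are assumed to be in time order, as they would be when read from a log file.
    The username and service sets are cumulative per source so the alert shows
    everything that source has tried, not only the failures inside the window.
    """
    windows = defaultdict(deque)   # src -> timestamps of failures inside the current window
    users = defaultdict(set)
    services = defaultdict(set)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_failure(line)
        if ev is None:
            continue
        src = ev["src"]
        q = windows[src]
        q.append(ev["ts"])
        users[src].add(ev["user"])
        services[src].add(ev["service"])
        # Drop failures that have aged out of the window.
        while (q[-1] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "src": src,
                "failures_in_window": len(q),
                "services": sorted(services[src]),
                "usernames": sorted(users[src]),
                "default_accounts_tried": sorted(users[src] & DEFAULT_ACCOUNTS),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample input the detector fires once, for 203.0.113.7, after its fifth failure in five seconds, and records that both SSH and Telnet were tried with nothing but default account names; the two failures from 198.51.100.9 are minutes apart and stay below the threshold. Correlating across services per source, rather than per daemon, is what makes the mixed Telnet/SSH pattern visible.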
Telecoms, Game Platforms Targeted
The botnet has targeted sectors such as telecommunications and game-hosting infrastructure, and the intensity of the attacks has varied from a few hundred thousand to several hundred million packets per second, with some attacks lasting for days, according to Nokia security researcher Jérôme Meyer.
“Public forums report sustained attack campaigns causing service degradation lasting multiple days, some of which remain ongoing,” Meyer wrote in a LinkedIn post, adding that the Deepfield team started detecting “hyper-volumetric attacks” last week.
According to Noah Stone, GreyNoise’s head of content, researchers obtained a list of 1,400 IPs from attack surface management vendor Censys that appear to be linked to Eleven11bot, based on what Nokia’s Deepfield team identified. Of those, GreyNoise found 1,042 IPs hitting its own servers over the previous 30 days.
Maybe Iran?
Of those, 96% of the IPs originate from genuine, reachable devices, and 61% of them (636 IPs) were traced back to Iran, Stone wrote in a report. In addition, 305 are actively carrying out attacks linked to the botnet.
Without attributing the botnet to any particular actor, he noted that the increased botnet activity kicked up two days after the Trump Administration vowed “maximum pressure” on Iran that included expanded economic sanctions.
According to the Shadowserver Foundation, the United States has been the top target of the campaign, with almost 25,000 devices targeted, followed by the UK with more than 10,700 devices impacted. Other top targets include Mexico (almost 10,000 devices), Canada (almost 4,000), and Australia (about 3,100).
DDoS Attacks on the Rise
The Eleven11bot comes as the number of DDoS attacks continues to grow. In a report in January, Cloudflare said that its DDoS defense systems blocked about 21.3 million DDoS attacks last year, a 53% year-over-year increase and an average of 4,870 every hour.
In the fourth quarter alone, the company mitigated 6.9 million DDoS attacks, an 83% jump over the same period in 2023. More than 420 of those attacks were what Cloudflare researchers called “hyper-volumetric,” exceeding rates of 1 billion packets per second (pps) and 1 terabit per second (Tbps).
It’s a sector of the cyberthreat space that is continuing to evolve, the researchers wrote.
“The growing use of powerful botnets, driven by geopolitical factors, has broadened the range of vulnerable targets,” they wrote. “A rise in Ransom DDoS attacks is also a growing concern.”