Eleven11bot infects thousands of IoT devices for DDoS attacks

A new malware called “Eleven11bot” has been identified as infecting over 86,000 IoT devices, mainly security cameras or network video recorders (NVRs), for use in DDoS attacks.

Security researchers from the Emergency Response Team (ERT) at Nokia Deepfield recently reported a new botnet of more than 30,000 infected devices. Named Eleven11bot, this botnet is built primarily from IoT devices such as security cameras and network video recorders.

According to the report, Eleven11bot is used in distributed denial of service (DDoS) attacks against telecommunications providers and gaming platforms, with attacks lasting several days and causing large-scale disruptions. According to ShadowServer statistics, the number of devices infected by Eleven11bot has now reached over 86,000 worldwide.

Figure 1: Number of devices infected by Eleven11bot worldwide - Source: The Shadowserver Foundation

Following Nokia Deepfield's report, GreyNoise published and analyzed a list of IPs linked to Eleven11bot. Specifically, GreyNoise researchers concluded:

  • 96% of the provided IPs are non-spoofable, meaning these IPs come from genuine and accessible devices.

  • 61% of the provided IPs originate from Iran.

  • 305 out of the total 1,042 IPs are classified as highly malicious.

Figure 2: Malicious IPs linked to Eleven11bot - Source: GreyNoise

The data collected by GreyNoise not only reveals the malicious activity of Eleven11bot but also shows how the botnet expands. Specifically:

  • Brute-force attacks: The botnet brute-forces logins on weakly secured IoT devices whose administrators use simple or common passwords for access and management.

  • Targeted attacks: It focuses on security cameras that use hard-coded login credentials, such as VStarcam.

  • Scanning Telnet and SSH ports: IoT devices often lack strong security measures on these ports, making them easy targets for attackers.

Recommendations

To combat the risk of Eleven11bot infection on IoT devices, GreyNoise provides several recommendations to help users protect themselves from this botnet and similar cybersecurity threats, including:

  • Block access to malicious IP addresses: Prevent traffic to IP addresses identified as highly malicious.

  • Monitor network logs to detect unusual access: Monitoring logs can reveal attempts to log in via SSH (port 22) or Telnet (port 23).

  • Secure IoT devices: Change the device's default password, apply security patches, and disable remote access if it is not necessary.

  • Limit access rates and enable DDoS protection: Because botnet attacks depend on high traffic volume, users can limit how much access a device is allowed within a given time frame. Additionally, DDoS protection should be enabled to prevent and mitigate the impact of DDoS attacks.
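The log-monitoring and IP-blocking recommendations above can be combined in one pass over device and gateway logs. The following is an added example, not code from GreyNoise or the original article: the log lines (OpenSSH auth-log format and simplified netfilter LOG format), the documentation-range IP addresses, the threshold, the blocklist entry and the function name `suspicious_sources` are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample input: OpenSSH auth-log lines and simplified netfilter LOG lines.
SAMPLE_LOG = """\
Mar  3 10:15:01 nvr sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:15:03 nvr sshd[811]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:15:05 nvr sshd[811]: Failed password for invalid user support from 203.0.113.7 port 51240 ssh2
Mar  3 10:15:09 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=23 SYN
Mar  3 10:15:10 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.11 PROTO=TCP SPT=40113 DPT=23 SYN
Mar  3 10:16:00 nvr sshd[902]: Failed password for operator from 192.0.2.50 port 40022 ssh2
Mar  3 10:16:30 nvr sshd[903]: Accepted password for operator from 192.0.2.50 port 40023 ssh2
Mar  3 10:17:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=55001 DPT=443 SYN
"""

# Failed SSH password logins, for both existing and non-existent accounts.
SSH_FAIL = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")
# Inbound TCP connection attempts to SSH (22) or Telnet (23) seen by the firewall.
FW_PROBE = re.compile(r"\bSRC=(\S+) .*\bPROTO=TCP\b.*\bDPT=(22|23)\b")


def suspicious_sources(log_text, threshold=3, blocklist=frozenset()):
    """Return {source_ip: [reasons]} for sources that look like brute-forcing or scanning."""
    ssh_failures, probes = Counter(), Counter()
    for line in log_text.splitlines():
        if m := SSH_FAIL.search(line):
            ssh_failures[m.group(1)] += 1
        elif m := FW_PROBE.search(line):
            probes[(m.group(1), int(m.group(2)))] += 1

    findings = {}
    for ip, n in ssh_failures.items():
        if n >= threshold:  # a single mistyped password stays below the threshold
            findings.setdefault(ip, []).append(f"{n} failed SSH logins")
    for (ip, port), n in probes.items():
        service = "Telnet" if port == 23 else "SSH"
        if ip in blocklist:  # any contact from a known-malicious IP is reported
            findings.setdefault(ip, []).append(f"blocklisted source probed {service} x{n}")
        elif n >= threshold:
            findings.setdefault(ip, []).append(f"{n} {service} connection attempts")
    return findings


if __name__ == "__main__":
    # The blocklist entry is a constructed stand-in for a published malicious-IP list.
    for ip, reasons in suspicious_sources(SAMPLE_LOG, blocklist={"198.51.100.9"}).items():
        print(ip, "->", "; ".join(reasons))
```

Sources reported here are candidates for the firewall block rule; the legitimate operator at 192.0.2.50, with one failed attempt followed by a successful login, is not flagged.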

References

  1. GreyNoise blog: https://www.greynoise.io/blog/new-ddos-botnet-discovered

  2. The Shadowserver Dashboard: https://dashboard.shadowserver.org/statistics/combined/map/?map_type=std&day=2025-03-03&source=compromised_iot&tag=eleven11bot%2B&geo=all&data_set=count&scale=log

  3. Bleeping Computer: https://www.bleepingcomputer.com/news/security/new-eleven11bot-botnet-infects-86-000-devices-for-ddos-attacks/

FPT IS Security

Dedicated to providing insightful articles on cybersecurity threat intelligence, aimed at empowering individuals and organizations to navigate the digital landscape safely.