Eleven11bot Grows, Thousands in NJ
Individual Attacks
March 6, 2025
A new botnet known as Eleven11bot quickly became one of the largest in the last several years, infecting over 86,000 Internet of Things (IoT) devices. The botnet, composed mainly of security cameras and network video recorders, has been used to launch distributed denial-of-service (DDoS) attacks against telecommunications service providers and online gaming servers. Of the approximately 86,000 infected devices, over 2,300 device IP addresses geolocate to New Jersey.
These devices were likely compromised by brute-forcing weak or common administrator account credentials, using known default credentials, and actively scanning networks for devices exposing Telnet and SSH. Details of this botnet and associated malicious activity serve as a reminder to ensure IoT devices are configured following cybersecurity best practices.
Recommendations
- Run the latest firmware version on IoT devices.
- Disable remote access where possible.
- Change default administrator account credentials and use strong, unique passwords.
- Enable multi-factor authentication (MFA) on devices where offered.
- Monitor IoT devices for suspicious login attempts.
- Replace end-of-life (EOL) IoT devices with supported models.
- Review the GreyNoise blog post on Eleven11bot and consider blocklisting IP addresses linked to the botnet.
- Review the IoT Device Security and Privacy NJCCIC product for additional information on securing IoT devices.