Eleven11bot infects webcams and video recorders, with a large concentration in the US.
# Tool/Technique: Eleven11bot
## Overview
Eleven11bot is a significant, newly discovered botnet primarily comprising compromised webcams and video recorders, estimated to have between 5,000 and 86,000 nodes (with initial reports suggesting 30,000). Its primary purpose is to launch massive, "hyper-volumetric" Distributed Denial of Service (DDoS) attacks, peaking at volumes never before recorded by the observing security researchers.
## Technical Details
- Type: Malware Family (Botnet - likely Mirai variant)
- Platform: Internet of Things (IoT) devices, specifically webcams and video recorders (e.g., devices running on HiSilicon chips, such as TVT-NVMS 9000 DVRs).
- Capabilities: Launching record-breaking hyper-volumetric DDoS attacks (up to 6.5 Tbps) and traditional packet-flooding DDoS attacks.
- First Seen: Late February (unspecified year, context suggests recent discovery based on record-setting attacks).
## MITRE ATT&CK Mapping
While the article focuses on the effect (DDoS) rather than infiltration methods, the tool's function strongly maps to:
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (used for command and control of compromised IoT devices)
- **TA0040 - Impact**
  - T1498 - Network Denial of Service
    - T1498.001 - Direct Network Flood (the hyper-volumetric and packet-flooding attacks described here, sent straight from the bots)
    - T1498.002 - Reflection Amplification (no reflection or amplification is reported in the source; the observed floods are direct)
## Functionality
### Core Capabilities
- **Hyper-Volumetric DDoS:** Delivering staggering amounts of data, with a peak observed attack volume of approximately 6.5 Terabits per second (Tbps), exceeding previous records.
- **Packet Flooding DDoS:** In addition to volumetric attacks, the botnet can flood connections with an overwhelming number of data packets (ranging from hundreds of thousands to hundreds of millions per second).
- **Rapid Mobilization:** The botnet was observed appearing rapidly, with many participating IP addresses never previously seen engaging in DDoS activity.
### Advanced Features
- **Specific Exploitation:** One reported infection vector for this specific variant involves exploiting a new vulnerability in TVT-NVMS 9000 digital video recorders running on HiSilicon chips.
- **Infection Methods (Inferred from Mirai link):** Likely employs brute-forcing default credentials (username/password pairs) or exploiting known vulnerabilities to bypass device security settings.
## Indicators of Compromise
*Note: Since this is a summary of an attack tool, specific network IOCs are not provided in the text other than attack characteristics. File hashes are not listed.*
- File Hashes: [Not provided in the context]
- File Names: [Not provided in the context]
- Registry Keys: [Not provided in the context]
- Network Indicators: [No specific C2 addresses provided; only the attack victims are named (communications service providers, gaming hosting infrastructure)]
- Behavioral Indicators: Massive, sustained outgoing traffic spikes identified as hyper-volumetric DDoS attacks targeting network bandwidth globally. Geographic concentrations noted in the US (24.4%), Taiwan (17.7%), and the UK (6.5%).
## Associated Threat Actors
- The threat actor is currently unknown but operates the Eleven11bot infrastructure.
- The malware is identified as a likely variant of the **Mirai** botnet family, suggesting inspiration or lineage from actors associated with that malware source code release.
## Detection Methods
- Signature-based detection: Detection signatures would likely target known characteristics of the underlying Mirai variant or specific network traffic patterns associated with hyper-volumetric attacks (e.g., high Tbps traffic signature).
- Behavioral detection: Monitoring IoT devices for abnormal, sustained outbound bandwidth consumption, or for inbound login attempts against them using weak or default credentials.
- YARA rules: [Not provided in the context]
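The behavioral indicator above (a device whose outbound traffic jumps far above its own norm and stays there) can be turned into a simple detector over per-device flow records. The following is an added example written for this summary, not code from the source or from any Eleven11bot analysis; the flow records are constructed sample data, and the thresholds (`ratio`, `min_pps`, `sustain`, `abs_bytes`) are assumed starting points that a network team would tune to its own IoT segment.

```python
"""Flag IoT devices whose outbound traffic spikes far above their own baseline
and stays there, the behavioural indicator for DDoS-bot participation.

Added example for this summary; flow records below are constructed, not a
real capture. Assumes per-minute aggregation has already been done upstream
(e.g. from NetFlow/IPFIX or a span port)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    minute: int      # minute bucket relative to start of capture
    src: str         # device address on the IoT segment
    dst: str         # remote address
    bytes_out: int
    pkts_out: int


# Constructed sample flows. Three devices on an IoT VLAN: .11 is a healthy
# camera, .12 behaves like a bot joining a flood from minute 5 onward, and
# .13 has a single-minute burst (e.g. a firmware download) that must NOT alert.
SAMPLE_FLOWS = [
    *[Flow(m, "10.0.20.11", "203.0.113.10", 5_000_000, 4_000) for m in range(10)],
    *[Flow(m, "10.0.20.12", "203.0.113.10", 6_000_000, 5_000) for m in range(5)],
    *[Flow(m, "10.0.20.12", "198.51.100.77", 900_000_000, 90_000_000) for m in range(5, 10)],
    *[Flow(m, "10.0.20.13", "203.0.113.10", 4_000_000, 3_000) for m in range(10)],
    Flow(6, "10.0.20.13", "203.0.113.20", 300_000_000, 30_000_000),
]


def per_minute_totals(flows):
    """Aggregate flows into {device: {minute: [bytes, packets]}}."""
    totals = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for f in flows:
        bucket = totals[f.src][f.minute]
        bucket[0] += f.bytes_out
        bucket[1] += f.pkts_out
    return totals


def detect_sustained_spikes(flows, baseline_minutes=3, ratio=20.0,
                            min_pps=100_000, sustain=3, abs_bytes=500_000_000):
    """Return one alert per run of at least `sustain` consecutive minutes in
    which a device sends more than `ratio` x its own baseline (median of its
    first `baseline_minutes`) OR more than `abs_bytes`, while also pushing at
    least `min_pps` packets per second.

    The absolute ceiling `abs_bytes` matters: a device that was already a bot
    when monitoring started would otherwise poison its own baseline and never
    trip the ratio test."""
    alerts = []
    for dev, minutes in per_minute_totals(flows).items():
        ordered = sorted(minutes)
        base = max(median(minutes[m][0] for m in ordered[:baseline_minutes]), 1)
        run = []

        def close_run():
            if len(run) >= sustain:
                alerts.append({
                    "device": dev,
                    "start_minute": run[0],
                    "minutes": len(run),
                    "baseline_bytes": base,
                    "peak_bytes": max(minutes[m][0] for m in run),
                })

        for m in ordered:
            b, p = minutes[m]
            pps = p / 60
            if (b > ratio * base or b > abs_bytes) and pps >= min_pps:
                run.append(m)
            else:
                close_run()
                run = []
        close_run()
    return alerts


if __name__ == "__main__":
    for alert in detect_sustained_spikes(SAMPLE_FLOWS):
        print(f"ALERT {alert['device']}: {alert['minutes']} min from minute "
              f"{alert['start_minute']}, peak {alert['peak_bytes']:,} B/min "
              f"(baseline {alert['baseline_bytes']:,} B/min)")
```

Only `10.0.20.12` is reported: it exceeds its baseline by more than 100x with a packet rate in the millions per second for five straight minutes, matching the "massive, sustained" profile. The one-minute burst from `10.0.20.13` passes the per-minute tests but is dropped by the `sustain` requirement, which is what keeps legitimate downloads and backups out of the alert queue. In production the same logic would run over a sliding window rather than a fixed capture, and the baseline would be refreshed per device and time of day.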
## Mitigation Strategies
- **Network Hardening (General IoT):** Position all IoT devices behind a router or firewall to prevent direct exposure to the external internet.
- **Credential Management:** Ensure every device is protected by a strong, unique password, avoiding manufacturer defaults.
- **Patch Management:** Update devices immediately when security patches become available.
- **Access Control:** Enable remote administration from outside the local network only when absolutely necessary.
## Related Tools/Techniques
- **Mirai:** Eleven11bot is strongly suspected to be a variant of the Mirai malware family, which targets IoT devices via default credentials and exploits.
- **Other IoT Botnets:** Precedent mentioned includes large botnets employing similar techniques, such as the botnet seen in 2022 following the Ukraine invasion (~60k bots).