Full Report
A new botnet malware named 'Eleven11bot' has infected over 86,000 IoT devices, primarily security cameras and network video recorders (NVRs), to conduct DDoS attacks. [...]
Analysis Summary
# Tool/Technique: Eleven11bot
## Overview
Eleven11bot is a large, rapidly growing botnet primarily composed of compromised Internet of Things (IoT) devices, such as webcams and Network Video Recorders (NVRs), used to execute massive Distributed Denial of Service (DDoS) attacks. It is noted for its substantial size, exceeding 86,000 infected devices, making it one of the largest non-state actor DDoS botnets observed recently.
## Technical Details
- Type: Malware Family (Botnet)
- Platform: Internet-exposed IoT devices, chiefly webcams and NVRs. The article does not name vendors, models, or firmware; such devices typically run embedded Linux, but that is an inference, not a statement in the source.
- Capabilities: Launching large-scale DDoS attacks, with observed floods of several hundred million packets per second sustained for multiple days.
- First Seen: Not stated in the article. The only temporal reference is a comparison of the botnet's scale to the DDoS activity that followed the invasion of Ukraine in February 2022.
## MITRE ATT&CK Mapping
*Note: The article describes how the botnet spreads (Telnet/SSH scanning and credential guessing) and what it does once installed (DDoS). It does not describe the command-and-control protocol, so the C2 entry below is an assumption rather than a mapping from the text.*
- **TA0043 - Reconnaissance**
- T1595 - Active Scanning
- T1595.001 - Scanning IP Blocks (sweeps for exposed Telnet and SSH ports)
- **TA0006 - Credential Access / TA0001 - Initial Access**
- T1110.001 - Brute Force: Password Guessing (weak or default administrative credentials)
- T1078.001 - Valid Accounts: Default Accounts (logging in with vendor defaults)
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol (assumed; the article does not name the C2 channel)
- **TA0040 - Impact**
- T1498 - Network Denial of Service
- T1498.001 - Direct Network Flood (the packets-per-second figures indicate volumetric flooding, not application-layer exhaustion)
## Functionality
### Core Capabilities
- Maintaining a large network of compromised IoT endpoints (86,400 devices observed at the time of the report).
- Executing volumetric DDoS attacks reaching hundreds of millions of packets per second.
- Sustaining those attacks for multiple days rather than the minutes-long bursts typical of booter services.
### Propagation (Initial Access)
- Active scanning of the internet for devices with exposed Telnet and SSH ports.
- Logging in with weak or default administrative credentials; no software vulnerability is named in the article, so credential hygiene, not patching alone, is the primary control.
## Indicators of Compromise
- File Hashes: Not provided in the article.
- File Names: Not provided in the article.
- Registry Keys: Not applicable; the targets are embedded IoT devices, not Windows hosts.
- Network Indicators: GreyNoise published a list of approximately 1,400 IP addresses linked to the botnet's operation over the preceding month. The individual addresses are not reproduced here; consult the GreyNoise publication directly, and treat the list as time-bound since botnet source addresses churn.
- Behavioral Indicators: Sudden high-volume outbound packet floods from camera/NVR network segments; bursts of failed logins against default or weak accounts on SSH and Telnet; outbound Telnet/SSH connection sweeps originating from an IoT device, which indicates that device is already infected and propagating.
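The behavioral indicators above can be checked against ordinary syslog output. The following is an added example, not code from the article or from any vendor: it parses constructed OpenSSH auth lines from an NVR and constructed iptables `LOG` lines from an edge router (both formats are real; the hosts, addresses and timestamps are made up), then flags sources that guess passwords in a burst, sources whose guessing is followed by a successful login, and sources sweeping many hosts on ports 22/23. Thresholds are assumptions to tune for your environment.

```python
import re
from datetime import datetime

# Constructed sample lines (not real data): an NVR's sshd log, then an edge
# router's iptables LOG output for inbound SYNs to Telnet/SSH.
SAMPLE_LOGS = """\
Mar  3 10:00:01 nvr1 sshd[412]: Failed password for admin from 203.0.113.5 port 51122 ssh2
Mar  3 10:00:02 nvr1 sshd[412]: Failed password for admin from 203.0.113.5 port 51123 ssh2
Mar  3 10:00:02 nvr1 sshd[413]: Failed password for root from 203.0.113.5 port 51124 ssh2
Mar  3 10:00:03 nvr1 sshd[414]: Failed password for root from 203.0.113.5 port 51125 ssh2
Mar  3 10:00:05 nvr1 sshd[415]: Failed password for admin from 203.0.113.5 port 51126 ssh2
Mar  3 10:00:09 nvr1 sshd[418]: Accepted password for admin from 203.0.113.5 port 51130 ssh2
Mar  3 10:01:00 nvr1 sshd[420]: Failed password for operator from 192.0.2.20 port 40001 ssh2
Mar  3 10:02:10 edge kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.11 PROTO=TCP SPT=6000 DPT=23 SYN
Mar  3 10:02:10 edge kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.12 PROTO=TCP SPT=6000 DPT=23 SYN
Mar  3 10:02:11 edge kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.13 PROTO=TCP SPT=6000 DPT=23 SYN
Mar  3 10:02:11 edge kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.14 PROTO=TCP SPT=6000 DPT=22 SYN
Mar  3 10:02:12 edge kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.15 PROTO=TCP SPT=6000 DPT=23 SYN
Mar  3 10:02:30 edge kernel: IN=eth0 OUT= SRC=192.0.2.20 DST=10.0.0.11 PROTO=TCP SPT=40100 DPT=22 SYN
"""

SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
FW_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dport>\d+)")


def parse_events(text):
    """Turn syslog lines into event dicts; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Classic syslog timestamps carry no year; that is fine for window arithmetic.
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
        m = SSH_RE.search(line)
        if m:
            events.append({"ts": ts, "kind": "auth", "ok": m["result"] == "Accepted",
                           "user": m["user"], "src": m["src"]})
            continue
        m = FW_RE.search(line)
        if m:
            events.append({"ts": ts, "kind": "syn", "src": m["src"],
                           "dst": m["dst"], "dport": int(m["dport"])})
    return events


def find_bruteforce(events, threshold=4, window_s=60):
    """Sources with >= threshold failed logins inside any window_s-second window.
    A success that follows failures from the same source means a credential was guessed."""
    per_src = {}
    for e in sorted((e for e in events if e["kind"] == "auth"), key=lambda e: e["ts"]):
        rec = per_src.setdefault(e["src"], {"fail_ts": [], "users": set(), "success_after_failures": False})
        if e["ok"]:
            if rec["fail_ts"]:
                rec["success_after_failures"] = True
        else:
            rec["fail_ts"].append(e["ts"])
            rec["users"].add(e["user"])
    hits = {}
    for src, rec in per_src.items():
        ts, best, i = rec["fail_ts"], 0, 0
        for j in range(len(ts)):               # two-pointer sliding window
            while (ts[j] - ts[i]).total_seconds() > window_s:
                i += 1
            best = max(best, j - i + 1)
        if best >= threshold:
            hits[src] = {"failures": len(ts), "peak_in_window": best,
                         "users": sorted(rec["users"]),
                         "success_after_failures": rec["success_after_failures"]}
    return hits


def find_scanners(events, ports=(22, 23), min_hosts=3):
    """Sources that sent SYNs to at least min_hosts distinct hosts on Telnet/SSH ports."""
    targets = {}
    for e in events:
        if e["kind"] == "syn" and e["dport"] in ports:
            targets.setdefault(e["src"], set()).add(e["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_hosts}


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOGS)
    for src, info in find_bruteforce(ev).items():
        sev = "CRITICAL" if info["success_after_failures"] else "WARN"
        print(f"{sev} password guessing from {src}: {info}")
    for src, n in find_scanners(ev).items():
        print(f"WARN telnet/ssh sweep from {src}: {n} hosts")
```

Run the same logic over the camera VLAN's own outbound connection logs as well: a camera that starts sweeping port 23 across the internet is the infected device, not the victim.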
## Associated Threat Actors
- Cybercriminals operating a large-scale, non-state actor DDoS operation (No specific group name provided).
## Detection Methods
- Signature-based detection: No hashes, file names, or network signatures are given in the article, so none can be derived here.
- Behavioral detection: Monitor for sustained outbound packet floods originating from IoT devices, which normally generate low, steady traffic; monitor for inbound Telnet/SSH scanning at the perimeter; and, most usefully, alert on IoT devices that themselves begin scanning or logging into other hosts on ports 22/23, since that marks a device already recruited into the botnet.
- YARA rules: Not provided in the article.
## Mitigation Strategies
- **Patching:** Keep webcams and NVRs on the latest vendor firmware. Note that a firmware update does not reset or strengthen credentials the device already has, so patching alone does not address the access method described here.
- **Credential Management:** Change every default administrative credential to a strong, unique password before the device is exposed to any network.
- **Network Hardening:** Disable Telnet, SSH and other remote-management services unless strictly necessary; where remote access is required, reach it through a VPN or from allow-listed source addresses rather than exposing the port to the internet, and keep cameras and NVRs on their own network segment with egress filtering.
- **Inventory/EOL Management:** Maintain an inventory of IoT devices, check it periodically against vendor End-of-Life (EOL) notices, and replace EOL devices promptly since they will not receive firmware fixes.
- **Blocking:** Add the malicious IP addresses published by GreyNoise to network blocklists, and refresh them regularly; botnet source addresses change quickly, so a stale list gives little protection.
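The behavioral detection and blocking items above come together in flow telemetry. The following is an added example, not code from the article, GreyNoise, or any vendor: it reads constructed NetFlow-style records from an IoT segment (addresses, counts and timestamps are made up), flags any camera or NVR whose outbound packet rate exceeds a threshold, flags contacts with addresses on a constructed stand-in for a published blocklist, and renders that blocklist as an nftables set so the same list drives enforcement. The subnet, threshold and set name are assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed flow export (not real data): one row per flow, 1-second buckets.
# Fields: start (epoch seconds), src, dst, proto, dport, packets, bytes
FLOWS_CSV = """\
start,src,dst,proto,dport,packets,bytes
1741000000,10.0.0.11,203.0.113.40,17,53,2,180
1741000000,10.0.0.12,198.51.100.200,6,443,40,31000
1741000001,10.0.0.11,203.0.113.40,17,53,1,90
1741000001,10.0.0.13,192.0.2.9,6,80,150000,9600000
1741000001,10.0.0.13,192.0.2.9,17,123,90000,5760000
1741000002,10.0.0.13,192.0.2.9,6,80,160000,10240000
1741000002,10.0.0.13,198.51.100.77,6,5555,3,240
1741000003,10.0.0.12,198.51.100.200,6,443,35,27000
"""

# Constructed stand-in for a published blocklist such as the GreyNoise list.
BLOCKLIST = """\
# comments and blank lines are ignored
198.51.100.77
203.0.113.0/25
"""

IOT_SUBNET = ipaddress.ip_network("10.0.0.0/24")   # assumed camera/NVR segment
PPS_THRESHOLD = 10_000   # assumed; a camera has no business sending this many packets per second


def load_blocklist(text):
    """Parse one IP or CIDR per line into ip_network objects."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def in_blocklist(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def analyse_flows(csv_text, nets, pps_threshold=PPS_THRESHOLD):
    """Return devices exceeding the outbound pps threshold and devices talking to blocklisted peers."""
    pps = defaultdict(lambda: defaultdict(int))   # src -> second -> packets sent
    contacts = defaultdict(set)                   # src -> blocklisted destinations
    for row in csv.DictReader(io.StringIO(csv_text)):
        src = row["src"]
        if ipaddress.ip_address(src) not in IOT_SUBNET:
            continue                              # only traffic originating from the IoT segment
        pps[src][int(row["start"])] += int(row["packets"])
        if in_blocklist(row["dst"], nets):
            contacts[src].add(row["dst"])
    floods = {src: max(by_sec.values())
              for src, by_sec in pps.items() if max(by_sec.values()) >= pps_threshold}
    return {"floods": floods,
            "blocklist_contacts": {s: sorted(d) for s, d in contacts.items()}}


def render_nft_set(nets, set_name="botnet_ips"):
    """Render the blocklist as an nftables interval set plus a forward-chain drop rule."""
    elems = ", ".join(str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
                      for n in nets)
    return (
        "table inet filter {\n"
        f"  set {set_name} {{ type ipv4_addr; flags interval; elements = {{ {elems} }} }}\n"
        "  chain forward {\n"
        "    type filter hook forward priority 0; policy accept;\n"
        f"    ip daddr @{set_name} counter drop\n"
        f"    ip saddr @{set_name} counter drop\n"
        "  }\n"
        "}\n"
    )


if __name__ == "__main__":
    nets = load_blocklist(BLOCKLIST)
    result = analyse_flows(FLOWS_CSV, nets)
    for src, peak in result["floods"].items():
        print(f"ALERT outbound flood from {src}: peak {peak} pps")
    for src, peers in result["blocklist_contacts"].items():
        print(f"ALERT {src} contacted blocklisted peers: {peers}")
    print(render_nft_set(nets))
```

Load the rendered ruleset with `nft -f`; keep the set separate from hand-written rules so a refreshed blocklist can be swapped in without touching the rest of the policy.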
## Related Tools/Techniques
- Other large-scale IoT DDoS botnets such as Mirai, Mozi, or Gafgyt. The article does not name them; the comparison is the analyst's, based on the shared pattern of recruiting exposed IoT devices through weak credentials.