Massive botnet that appeared overnight is delivering record-size DDoSes

ERIFNOMI

Ars Legatus Legionis
17,192
Did I miss it or does the article not say who the botnet is targeting?
"Eleven11bot has targeted diverse sectors, including communications service providers and gaming hosting infrastructure, leveraging a variety of attack vectors,"

A botnet this large is likely either just trying to disrupt industries in general, or generate a lot of noise to hide their true target.
 
Upvote
148 (149 / -1)

ThatEffer

Ars Scholae Palatinae
1,283
Subscriptor++
Did I miss it or does the article not say who the botnet is targeting?
Unless you're looking for more specificity, this leads the paragraph above the first image:
"Eleven11bot has targeted diverse sectors, including communications service providers and gaming hosting infrastructure, leveraging a variety of attack vectors," Meyer wrote.
 
Upvote
66 (66 / 0)
What sorts of amplification, if any, do the DDoS guys achieve these days?

Are we actually talking enough cameras on solid internet connections (that are not under the thumb either of residential ISPs who distrust bandwidth users or corporate and institutional network operators who distrust anomalous behavior) to deliver peak 6 Tb/s of traffic upstream; or are there cute amplification tricks that would suggest something more modest?
 
Upvote
43 (43 / 0)

zarmanto

Ars Tribunus Militum
2,773
In any case, anyone running any sort of IoT devices should position them behind a router or other form of firewall so they're not visible from outside a local network.

You would think by now that this is just common sense... and yet, it baffles me just how many people blithely drop their IoT cameras and such onto public IP addresses for all the world to see.
 
Upvote
37 (37 / 0)
What? Nobody's blaming TikTok yet?

Did I miss it or does the article not say who the botnet is targeting?

"While GreyNoise does not speculate on attribution, this increase in botnet activity comes just two days after the U.S. administration reasserted its “maximum pressure” campaign on Iran, imposing new economic sanctions."
https://www.greynoise.io/blog/new-ddos-botnet-discovered

So yeah, it's trump the nuclear warmonger again. The orange racist and rapist regime wants to start ww3 and blame it on Zelenskiy.
 
Upvote
33 (50 / -17)

SomeHandleThatStartsWithS

Ars Praefectus
5,047
Subscriptor++
This is why you don't use god-awful off-the-shelf NVRs, and you especially don't expose them to the internet. NVRs and IP Cams are notoriously insecure and always end up in these large botnets.
Our previous security company wanted to drop a whitebox workstation onto my network that ran the NVR. It was running Windows 7 as the OS. I told them to pound sand, and there was no way I was allowing an obsolete, unknown brand system onto my network. This was a large security firm, too. Might have started with A in the name.
 
Upvote
53 (53 / 0)
What sorts of amplification, if any, do the DDoS guys achieve these days?

Are we actually talking enough cameras on solid internet connections (that are not under the thumb either of residential ISPs who distrust bandwidth users or corporate and institutional network operators who distrust anomalous behavior) to deliver peak 6 Tb/s of traffic upstream; or are there cute amplification tricks that would suggest something more modest?
Since this is a video device, I'm guessing that a moderate DoS participation would likely generate the same bandwidth as general cam use. Its power is more in how the "streams" converge than in the individual bot's send.
 
Upvote
9 (9 / 0)

cyberfunk

Ars Scholae Palatinae
1,400
Whoa. Shut off my ad blocker for a while, watched some lady put on makeup on Vogue's Instagram. What the hell? Why does advertising have to mean annoyance? Please vet your ads, check them for stupidity.
Never shut off the adblocker ... the internet is unviewable without one these days... it feels like not wearing laser safety glasses around a bunch of kids with green laser pointers.
 
Upvote
52 (53 / -1)

Mad Klingon

Ars Tribunus Militum
1,840
Subscriptor++
Seems likely that there are more than 5000 botnet devices. 6.5 Tbps / 5000 yields around 1.2 Gbps per device. I doubt all 5000 devices would each be on a network capable of > 1 Gbps of upload or that most of the devices could do that.

This is one of the downsides to symmetrical fiber. A lot easier for fewer devices to wreak DDoS havoc on a wider range of targets. All for faster bandwidth, but until we get serious about cyber security, this crap is only getting worse.
 
Upvote
15 (18 / -3)

enilc

Ars Praefectus
3,848
Subscriptor++
This is why you don't use god-awful off-the-shelf NVRs, and you especially don't expose them to the internet. NVRs and IP Cams are notoriously insecure and always end up in these large botnets.
Spent some time a few years ago trying to source/install NVRs and cams. Tracking down trusted sources of hardware was extremely difficult. And even once deemed trusted were sus when you dig into the firmware and/or chips.

I'm sure there are sources, but I finally threw my hands up and sold the customers accounts when I actually called for some support. I had disabled all visible pre-installed user/admin accounts on the devices. Once on the call with support, the CSR dialed right in to the device without any input from me other than serial number.
 
Upvote
42 (42 / 0)

forkspoon

Ars Scholae Palatinae
1,010
Subscriptor++
Any tracing of the command and control source(s) yet? With the recent US administration policy decision to roll over and let Russian cyberattacks slide, I have my guesses...

Excuse me, but US gov cyber security has no data on Russian involvement, and has been informed that means there was none!

Remember: What you don’t know can’t hurt you 😆
 
Upvote
24 (27 / -3)

Pugilistas

Ars Scholae Palatinae
616
Our previous security company wanted to drop a whitebox workstation onto my network that ran the NVR. It was running Windows 7 as the OS. I told them to pound sand, and there was no way I was allowing an obsolete, unknown brand system onto my network. This was a large security firm, too. Might have started with A in the name.
Could it be a security company that is a direct descendant of Tycho?
 
Upvote
5 (5 / 0)

ERIFNOMI

Ars Legatus Legionis
17,192
Spent some time a few years ago trying to source/install NVRs and cams. Tracking down trusted sources of hardware was extremely difficult. And even once deemed trusted were sus when you dig into the firmware and/or chips.

I'm sure there are sources, but I finally threw my hands up and sold the customers accounts when I actually called for some support. I had disabled all visible pre-installed user/admin accounts on the devices. Once on the call with support, the CSR dialed right in to the device without any input from me other than serial number.
Yeah, I treat all IP cams as compromised. I assume they all have a backdoor, because it's honestly a safe assumption. On my network, they're completely segregated on their own subnet. I don't even trust them enough to put them on the IoT network that doesn't have network access. They can sit there and fuck with each other if they want, and that's it.
 
Upvote
30 (30 / 0)

NienorGT

Seniorius Lurkius
47
See Eleven11bot, thinks about Windows 11...
But the bot uses video recorder devices...
The researchers who found it are at Nokia...

That wasn't on my Bingo card, but more IoT devices going into a botnet was. Seriously, the lack of security of these devices baffles me. It's not just the industry's lack of proper security measures, it's also the fact that people don't know the risks nor have easy ways to spot risks and problems even if they are aware.
 
Upvote
-3 (1 / -4)
Spent some time a few years ago trying to source/install NVRs and cams. Tracking down trusted sources of hardware was extremely difficult. And even once deemed trusted were sus when you dig into the firmware and/or chips.

I'm sure there are sources, but I finally threw my hands up and sold the customers accounts when I actually called for some support. I had disabled all visible pre-installed user/admin accounts on the devices. Once on the call with support, the CSR dialed right in to the device without any input from me other than serial number.
The CSR got in likely due to the device having cloud management. So basically you had an experience like a TeamViewer support session. However, your device should have been designed to at least have a local prompt confirmation before it allowed the remote support connection (not that they all do, sadly).

I also agree with the comment on how hard it is to find secure NVRs/security cams. With all the issues - like not having security update support over the course of years, questionable design choices, questionable firmware/hardware mfg sources, forced subscription access, and non-owner access to the devices & their video storage - it's a bit of a mess.

I suppose video security is also more open to issues, especially with residential customers, as they want a product that is easy to set up & use, as well as being available to view by smartphone from any location besides home. Definitely hard to build that & keep it easy without adding security complications.
 
Upvote
19 (19 / 0)

R-V

Wise, Aged Ars Veteran
172
Subscriptor
WTF, people? Why does this even need to be said? Hasn't anyone learned anything these past 15-20 years???

In this day and age, I cannot believe that net admins and/or security system installers are so ill-informed that they would even consider exposing an IoT device to the internet.

There should be a law... expose a device to the world and it gets hacked, you get prosecuted.

Sell any device that doesn't include a warning to lock it behind a firewall, you get prosecuted.

No "get out of jail free" card for pleading "I didn't know better!"

When are people going to wake up to reality???
Good luck having the entire population configuring firewalls, routers, etc. when they order a random camera from Amazon from highly regarded seller TONGYUNKJ with 15673 5-star reviews!
 
Upvote
40 (40 / 0)

thrillgore

Ars Praefectus
4,034
Subscriptor
Good luck having the entire population configuring firewalls, routers, etc. when they order a random camera from Amazon from highly regarded seller TONGYUNKJ with 15673 5-star reviews!
Well this is why I only trust Synology for my IP Camera and Surveillance needs. I can turn off Surveillance Station access to the internet with a checkbox (and it's DISABLED by default)

This is not an ad, Synology is great. Don't ever try to save money on your physical security.
 
Upvote
5 (7 / -2)

Mad Klingon

Ars Tribunus Militum
1,840
Subscriptor++
WTF, people? Why does this even need to be said? Hasn't anyone learned anything these past 15-20 years???

In this day and age, I cannot believe that net admins and/or security system installers are so ill-informed that they would even consider exposing an IoT device to the internet.

There should be a law... expose a device to the world and it gets hacked, you get prosecuted.

Sell any device that doesn't include a warning to lock it behind a firewall, you get prosecuted.

No "get out of jail free" card for pleading "I didn't know better!"

When are people going to wake up to reality???
The vast majority of networks do NOT have anyone qualified as a network admin or security admin. Most networks are run by folks who want Internet, call up the ISP, sign a contract, have the ISP person come out and set up the modem/ODN/Magic Box and Presto! An Internet connected Network. Bonus, most ISP routers have very limited firewalls and by default let all outbound traffic escape. So once that Ring/FuYang/Whatever IoT gizmo gets compromised, bogus traffic flows unimpeded to the targeted victim(s).

Most ISPs don't care. If a customer network floods the Internet with DDoS traffic, BONUS for the ISP. They can charge "Over the usage Cap" fees! MOOR PROFIT!
 
Upvote
21 (21 / 0)
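The segregation ERIFNOMI describes (cameras on their own subnet with no path out) and the default-allow-outbound problem Mad Klingon describes are both fixable with one egress-filtering ruleset on a Linux router. The ruleset below is an added example for this thread, not something any commenter posted and not a configuration the article describes; it is written for nftables, and the interface names (wan0, lan0, cam0), the two subnets, the NVR address 192.168.10.5 and the camera service ports are assumptions chosen for illustration. The idea is that the camera VLAN can answer the NVR and nothing else: no WAN, no trusted LAN, and no router services beyond DHCP and NTP, with every blocked attempt logged so a camera that starts trying to reach the Internet stands out.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread or the article): isolate a camera VLAN
# on a Linux/nftables router. Interface names, subnets and the NVR address
# below are assumptions for illustration; adjust them to your network.
flush ruleset

define WAN = "wan0"            # ISP-facing interface
define LAN = "lan0"            # trusted LAN: workstations and the NVR
define CAM = "cam0"            # camera VLAN (e.g. VLAN 30 on a managed switch)
define LAN_NET = 192.168.10.0/24
define CAM_NET = 192.168.30.0/24
define NVR = 192.168.10.5      # the only host allowed to talk to cameras

table inet filter {
    # Ports a camera legitimately serves to the NVR: HTTP/ONVIF control,
    # HTTPS, RTSP stream pull. ONVIF WS-Discovery (udp/3702) is link-local
    # multicast and never crosses the router, so cameras are added by address.
    set cam_tcp_ports {
        type inet_service
        elements = { 80, 443, 554 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # Cameras may use the router only for DHCP and NTP: no DNS (nothing to
        # resolve, since they cannot reach the Internet), no management UI.
        iifname $CAM udp dport { 67, 123 } accept
        iifname $CAM limit rate 5/minute log prefix "cam->router blocked: "
        iifname $CAM drop
        # Trusted LAN may reach router services (DHCP, DNS, management).
        iifname $LAN accept
        # Unsolicited WAN traffic falls through to the drop policy.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN -> Internet.
        iifname $LAN oifname $WAN accept

        # NVR -> cameras: the only connections ever opened towards the cameras.
        # Replies come back through the established,related rule above.
        iifname $LAN oifname $CAM ip saddr $NVR ip daddr $CAM_NET tcp dport @cam_tcp_ports accept

        # Cameras may not initiate anything: not to the Internet, not to the
        # trusted LAN, not to each other via the router. Log attempts at a
        # bounded rate; a camera suddenly reaching for the WAN is the botnet symptom.
        iifname $CAM limit rate 10/minute log prefix "cam egress blocked: "
        iifname $CAM drop

        # No port-forwards: nothing unsolicited from the WAN is forwarded anywhere.
        iifname $WAN drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Masquerade only the trusted LAN. The camera subnet never gets NAT, so
        # even a mistake in the filter rules cannot give it a working path out.
        oifname $WAN ip saddr $LAN_NET masquerade
    }
}
```

Load it with `nft -c -f camvlan.nft` first to syntax-check, then `nft -f camvlan.nft`. Two consequences are deliberate: a workstation on the trusted LAN cannot open a camera's web UI directly (view through the NVR, or add a rule for one admin host), and a camera with a cloud "remote support" feature of the kind enilc ran into simply cannot phone home, which is the point. Watch the kernel log for the `cam egress blocked:` prefix; a camera that logs it constantly after you have ruled out NTP and DHCP is trying to do something you did not ask for.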