A new Internet of Things (IoT) botnet has been identified as a significant threat, orchestrating large-scale Distributed Denial-of-Service (DDoS) attacks worldwide since late 2024. The botnet targets IoT devices, including routers and IP cameras, exploiting vulnerabilities such as Remote Code Execution (RCE) or weak default credentials. This malware is derived from known strains like Mirai and Bashlite, and it has rapidly spread across multiple sectors, including finance, transportation, and telecommunications.
The attack process begins with the malware infiltrating IoT devices
Through vulnerabilities or by brute-forcing weak passwords. Once the device is compromised, a loader script downloads the primary malware payload, which is executed in memory to evade detection. The infected devices then connect to command-and-control (C&C) servers to receive attack instructions, allowing the botnet to launch various DDoS attack vectors like SYN floods, UDP floods, GRE protocol exploits, and TCP handshake floods to overwhelm servers and networks.
The botnet’s geographic impact is widespread, with North America, Europe, and Japan being particularly affected. In the United States, 17% of the targets identified were based there, with a notable concentration of attacks against critical infrastructure, such as the financial and transportation industries. The majority of infected devices are wireless routers, with TP-Link and Zyxel brands frequently targeted due to their common vulnerabilities. The malware also employs advanced techniques to avoid detection, such as disabling watchdog timers to prevent automatic reboots during heavy loads from DDoS attacks and manipulating iptables rules to block external access.
To protect against such botnets, security experts recommend several mitigation strategies. These include immediately changing default passwords on IoT devices, regularly updating device firmware, isolating IoT devices on separate networks, and using intrusion detection systems (IDS) to monitor for abnormal traffic. Organizations are also advised to collaborate with service providers to filter malicious traffic and use content delivery networks (CDNs) to manage the load during DDoS attacks. These proactive measures can help reduce the risks associated with IoT botnet infections and their potential damage.
