Eleven11bot infects webcams and video recorders, with a large concentration in the US.

A newly discovered network botnet comprising an estimated 30,000 webcams and video recorders—with the largest concentration in the US—has been delivering what is likely to be the biggest denial-of-service attack ever seen, a security researcher inside Nokia said.

The botnet, tracked under the name Eleven11bot, first came to light in late February when researchers inside Nokia’s Deepfield Emergency Response Team observed large numbers of geographically dispersed IP addresses delivering “hyper-volumetric attacks.” Eleven11bot has been delivering large-scale attacks ever since.

Volumetric DDoSes shut down services by consuming all available bandwidth either inside the targeted network or its connection to the Internet. This approach works differently than exhaustion DDoSes, which over-exert the computing resources of a server. Hypervolumetric attacks are volumetric DDoses that deliver staggering amounts of data, typically measured in the terabits per second.

**Johnny-Come-Lately Botnet Sets a New Record**

At 30,000 devices, the Eleven11bot was already exceptionally large (although some botnets exceed well over 100,000 devices). Most of the IP addresses participating, Nokia researcher Jérôme Meyer told me, had never been seen engaging in DDoS attacks.

Besides a 30,000-node botnet seeming to appear overnight, another salient feature of Eleven11bot is the record-size volume of data it sends its targets. The largest one Nokia has seen from Eleven11bot so far occurred on February 27 and peaked at about 6.5 terabits per second. The previous record for a volumetric attack was reported in January at 5.6 Tbps.

"Eleven11bot has targeted diverse sectors, including communications service providers and gaming hosting infrastructure, leveraging a variety of attack vectors," Meyer wrote. While in some cases the attacks are based on the volume of data, others focus on flooding a connection with more data packets than a connection can handle, with numbers ranging from a "few hundred thousand to several hundred million packets per second." Service degradation caused in some attacks has lasted multiple days, with some remaining ongoing as of the time this post went live.

A breakdown showed that the largest concentration of IP addresses, at 24.4 percent, was located in the US. Taiwan was next at 17.7 percent, and the UK at 6.5 percent.

In an online interview, Meyer made the following points:

> *   This botnet is much larger than what we're used to seeing in DDoS attacks (the only precedent I have in mind is an attack from 2022 right after the Ukraine invasion, at ~60k bots, but not public).
> *   The vast majority of its IPs were not involved in DDoS attacks prior to last week.
> *   Most of the IPs are security cameras (Censys thinks Hisilicon, I saw multiple sources talk to a Hikvision NVR too so that is a possibility but not my area of expertise).
> *   Partly because the botnet is larger than average, the attack size is also larger than average.

According to a post updated on Wednesday from security firm Greynoise, Eleven11bot is most likely a variant of Mirai, a family of malware for infecting webcams and other Internet of Things devices. Mirai debuted in 2016, when tens of thousands of IoT devices infected by it delivered what at the time were record-setting DDoSes of about 1 Tbps and took down security news site KrebsOnSecurity for almost a week. Shortly after that, Mirai developers published their source code in a move that made it easy for copycats everywhere to deliver the same massive attacks. Greynoise said that the variant driving Eleven11bot is using a single new exploit to infect TVT-NVMS 9000 digital video recorders that run on HiSilicon chips.

There have been conflicting reports on the number of devices comprising Eleven11bot. Following Nokia's report last Saturday of roughly 30,000 devices, the nonprofit Shadowserver Foundation said Tuesday that the true size was more than 86,000. Then in Wednesday's update, Greynoise said that based on data from fellow security firm Censys, both numbers were inflated and the true number was likely fewer than 5,000.

The upward revision from Shadowserver was likely the result of the belief that all infected devices displayed unique device information. That suspicion now appears to be incorrect. Instead, Meyer believes the information seen on infected devices is displayed on all such hardware, whether infected or not. Researchers from Greynoise and Censys weren't immediately available to explain how they arrived at the much lower estimate of fewer than 5,000.

Meyer said that he has consistently observed as many as 20,000 to 30,000 IP addresses participating in follow-on attacks, although many attacks come from much smaller subsets. He said that he has since sent a list of all 30,000 or so IP addresses he has observed to Censys and plans to also send them to Shadowserver soon in hopes of getting consensus on the true size.

"I am still confident on the estimated count as this is what we keep seeing in attacks and after human review of the source IPs," he wrote.

Mirai-based botnets employ various methods for infecting their targets. One common method is to attempt to log in to device administrator accounts using username/password pairs commonly set as defaults by manufacturers. Mirai botnets have also been known to exploit vulnerabilities that bypass security settings.

In any case, anyone running any sort of IoT devices should position them behind a router or other form of firewall so they're not visible from outside a local network. Remote administration from outside the Internet should be enabled only when needed. Users should also ensure each device is protected by a strong unique password. Last, devices should be updated as soon as security patches become available.

_This story originally appeared on_ _Ars Technica._

A Brand-New Botnet Is Delivering Record-Size DDoS Attacks

Martin Lee dives into to the complexities of defending our customers from threat actors and covers the latest Talos research in this week's newsletter.

Thursday, March 6, 2025 14:03

Welcome to this week’s edition of the Threat Source newsletter.

At Talos we bat on behalf of our customers, protecting them against all manner of cyber threats that may affect them. The nature of the threat actor and their origin or affiliation makes no difference; if they are attacking or planning to attack a customer, we do our utmost to stop them.

In practice, identifying the origin of attacks can be surprisingly difficult, much harder than identifying the attack itself.  Attacks do not arrive wrapped in a flag with a certificate of origin. Typically, attackers seek to hide their origin so as to avoid the attention of law enforcement or the international community. However, although not an easy task, the attacker will often unwittingly leave clues to their identity.

We are all creatures of habit; we all have our preferred methods of doing things, tools that we are familiar with, or suppliers that we often choose over another. Threat actors are no different. Over time, the choices made by a threat actor in how they carry out their attacks, the methods they use, and their choice of victims builds to become a characteristic fingerprint.

New attacks can be analysed to identify if their characteristics overlap with those of a known threat actor. If so, we may surmise that the attack has been carried out by that threat actor. Nevertheless, uncovering and understanding the relationship between an attack and the threat actor behind the attack requires detailed research or possibly will only become apparent with the passage of time and the publication of additional information.

Even if an attack can be attributed to a known threat actor, the nature and origin of that threat actor may be obscure. Threat actors rarely admit to their actions and volunteer their identity. A detailed investigation by law enforcement or intelligence agencies may identify an attacker’s identity. Otherwise the security industry refers to known threat actors by various pseudonyms, few of which are definitively tied to one or more named individuals or an organistation. Understanding and communicating degrees of uncertainty when it comes to describing threat actors is a key skill in the threat intelligence community.

Suffice to say that we do not pick and choose the threats that we block. We block them regardless of their origin because this is who we are and what we do, and in any case, identifying the origin of a threat is not a simple matter.

**The one big thing**

Lotus Blossum is a sophisticated threat actor that we’ve uncovered conducting espionage campaigns against the government, manufacturing, telecoms, and media sectors in Vietnam, Hong Kong, Taiwan, and the Philippines. As part of this activity, the threat actor uses the Sagerunex family of backdoor malware for command and control activity. 

**Why do I care?**

Understanding how threat actors such as Lotus Blossom conduct their operations helps inform organisations about the defenses that are required to protect against this and similar threats. Even if you are not working within one of the affected industrial sector, other threat actors may be conducting information stealing campaigns against you.

**So now what?**

Use the IOCs associated with the campaign to search for evidence of incursion within your own organization. Use this exercise as a means of verifying that you have visibility of the systems on your network and that you are able to search for known malicious IOCs.

**  
Top security headlines of the week**

244 million additional compromised passwords from a data dump offered for sale by criminals have been added to the privacy breach notification service “Have I Been Pwned”. (The Register)

A massive botnet consisting of more than 86 000 compromised IoT devices is conducting DDoS attacks against telecom firms and gaming platforms. (Cybersecurity Dive)

The US agency, CISA reports that it will continue to defend against threats including those from Russia. (TheRecord)

****Can’t get enough Talos?****

In The Talos Threat Perspective episode 9, Hazel Burton speaks with Nick Biasini about changes in social engineering techniques.

**Upcoming events where you can find Talos**

RSA (April 28-May 1, 2025)  San Francisco, CA    
CTA TIPS 2025 (May 14-15, 2025) Arlington, VA   
Cisco Live U.S. (June 8 – 12, 2025) San Diego, CA   

**Most prevalent malware files from Talos telemetry over the past week**

SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
MD5: 71fea034b422e4a17ebb06022532fdde   
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details   
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Typical Filename: VID001.exe    
Detection Name: Simple\_Custom\_Detection

SHA256: 592835f805da0d9a24a5d91a0f77ad9988853da34a97b50e75e77c72573edeac  
MD5: 6361f25ede0442f2e0ad3bcd33c331c8  
Typical Filename: KMSSS.exe  
Detection Name: PUA.Win.Dropper.Hackkms::tpd  
VirusTotal: https://www.virustotal.com/gui/file/592835f805da0d9a24a5d91a0f77ad9988853da34a97b50e75e77c72573edeac

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
MD5: 7bdbd180c081fa63ca94f9c22c457376  
Typical Filename: img001.exe  
Detection Name: Win.Trojan.Miner-9835871-0  
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

Who is Responsible and Does it Matter?

Removing 24 malicious apps from the Google Play store and silencing some servers has almost halved the BadBox botnet.

Removing 24 malicious apps from the Google Play store and silencing some servers almost halved a botnet known as BadBox.

The BadBox botnet focuses on Android devices, but not just phones. It also affects other devices like TV streaming boxes, tablets, and smart TVs.

The German BSI (Federal Office for Information Security) started the disruption campaign in December by blocking the malware on 30,000 devices. BadBox is referred to as a botnet, because one of its capabilities is to set up the affected device to act as a proxy, allowing other people to use the device’s internet bandwidth and hardware to route their own traffic.

This traffic can for example serve in DDoS attacks or as a platform to spread fake news and disinformation. But BadBox can also steal two-factor authentication (2FA) codes, install further malware, and perform ad fraud.

Unfortunately, the 30,000 devices cut off by the BSI were only the tip of the iceberg. Estimates say there may be as many as one million affected devices. These devices have not necessarily been infected by installing malicious apps. It’s been suggested that Chinese manufacturers hide firmware backdoors in their devices, BadBox being one of them.

The BSI said it found:

> “The BadBox malware was already installed on the respective devices when they were purchased.”

According to Satori Threat Intelligence researchers:

> “Devices connected to the BADBOX 2.0 operation included lower-price-point, “off brand”, uncertified tablets, connected TV (CTV) boxes, digital projectors, and more. The infected devices are Android Open Source Project devices, not Android TV OS devices or Play Protect certified Android devices.”

Off brand devices are devices which do not carry any specific brand name that you might recognize. They are often cheap and made by small manufacturers.

Following the botnet’s development after the German disruption, the researchers found new Command and Control (C2) servers which hosted a list of APKs targeting Android Open Source Project devices similar to those impacted by BadBox.

As part of the disruptions, the servers that were controlling the botnet have been sinkholed, which basically means that the traffic between those servers and the botnet clients gets redirected so it will no longer arrive at the intended destination.

**How to stay safe**

This disruption will likely not be the end of the story. The botnet operators will adapt again and rebuild their infrastructure. Given their supply chain of compromised devices the botnet will resurface soon enough.

So here are a few things you can do:

*   Check you don’t have the apps ‘Earn Extra Income’ and ‘Pregnancy Ovulation Calculator’, which had over 50,000 downloads each. You can recognize the malicious apps from the publisher name Seekiny Studio. If you find them on your device, remove them immediately.
*   Protect your Android devices with an active security solution that can remove malicious apps and block malicious traffic.
*   Google Play Protect automatically warns users and blocks apps known to exhibit BadBox 2.0-associated behavior at install time on Play Protect certified Android devices with Google Play Services. If a device isn’t Play Protect certified, carefully study its origin before purchasing it.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Android botnet BadBox largely disrupted 

New research shows at least a million inexpensive Android devices—from TV streaming boxes to car infotainment systems—are compromised to allow bad actors to commit ad fraud and other cybercrime.

Cheap TV streaming boxes seem like one of the most straightforward gadgets out there, but they can come with hidden costs. In 2023, researchers revealed that tens of thousands of Android TV boxes being used in homes, schools, and businesses were equipped with secret backdoors that allowed them to be used in a host of cybercrime and online fraud. Now, the same researchers have found that the China-based ecosystem behind the compromised devices and the illicit activities they’re used for—collectively dubbed Badbox 2.0—is fueling a next-generation campaign that’s broader in scope and even more sneaky.

At least 1 million Android-based TV streaming boxes, tablets, projectors, and after-sale car infotainment systems are infected with malware that conscripts them into a scammer-controlled botnet, according to new research shared exclusively with WIRED by the cybersecurity firm Human Security. The compromised devices are used for a range of advertising fraud and in so-called residential proxy services, which allow their operators to use victim internet connections for routing and masking web traffic. And all of this activity happens behind the scenes without the owners of compromised devices having any idea of how their streaming boxes are being used.

“This is all completely unbeknownst to the poor users that have bought this device just to watch Netflix or whatever,” Gavin Reid, Human’s chief information security officer, tells WIRED. “Ad fraud including click fraud is all happening behind the scenes, but the main way they are monetizing the million devices is reselling this proxy service. Victims don't know that they're a proxy, they never agreed to be a proxy service, but they're being used for that. Any bad thing you want to do, scraping, whatever it is, these proxy services are an enabler for that.”

The researchers found that the majority of infected devices are in South America, particularly Brazil. The impacted devices often use generic names and aren’t produced by known brands. For example, there are dozens of impacted streaming boxes, but the majority of Badbox 2.0 targets are in the “TV98” and “X96” device families. Virtually all of the targeted devices are designed using Android’s open source operating system code, meaning they run versions of Android but aren’t part of Google’s ecosystem of protected devices.

Google collaborated with the researchers to address the ad fraud component of the activity, though. The company says it worked to terminate publisher accounts associated with the scams and block the ability of those accounts to generate revenue through Google’s advertising ecosystem.

“Malicious attacks like the one described in this report are expressly prohibited on our platforms,” Google spokesperson Nate Funkhouser told WIRED in a statement. “Bad actors’ tactics are constantly evolving. Partnering with organizations like HUMAN helps us share threat intelligence and expands our collective ability to identify and take swift action against bad actors, as we did here.”

In the original Badbox campaign, scammers focused on installing backdoored firmware in streaming boxes before they arrived in the hands of consumers. The Badbox 2.0 campaign is significant, the researchers say, because it reflects a major change in tactics. Rather than focusing on low-level firmware infections, Badbox 2.0 involves more traditional software-level malware distributed through common tactics like drive-by downloads, in which victims accidentally download malware without realizing it.

Researchers from multiple firms say that the campaign seems to come from a loosely connected ecosystem of fraud groups rather than one single actor. Each group has its own versions of the Badbox 2.0 backdoor and malware modules and distributes the software in a variety of ways. In some cases, malicious apps come preinstalled on compromised devices, but in many examples that the researchers tracked, attackers are tricking users into unknowingly installing compromised apps.

The researchers highlight a technique in which the scammers create a benign app—say, a game—post it in Google's Play Store to show that it’s been vetted, but then trick users into downloading nearly identical versions of the app that are not hosted in official app stores and are malicious. Such “evil twin” apps showed up at least 24 times, the researchers say, allowing the attackers to run ad fraud in the Google Play versions of their apps, and distribute malware in their imposter apps. Human also found that the scammers distributed over 200 compromised, re-bundled versions of popular, mainstream apps as yet another way of spreading their backdoors.

“We saw four different types of fraud modules—two ad fraud ones, one fake click one, and then the residential proxy network one—but it's extensible,” says Lindsay Kaye, Human’s vice president of threat intelligence. “So you can imagine how, if time had gone on and they were able to develop more modules, maybe forge more relationships, there is the opportunity to have additional ones.”

Researchers from the security firm Trend Micro collaborated with Human on the Badbox 2.0 investigation, particularly focusing on the actors behind the activity.

“The scale of the operation is huge,” says Fyodor Yarochkin, a Trend Micro senior threat researcher. He added that while there are “easily up to a million devices online” for any of the groups, “This is only a number of devices that are currently connected to their platform. If you count all the devices that would probably have their payload, it probably would be exceeding a few millions.”

Yarochkin adds that many of the groups involved in the campaigns seem to have some connection to Chinese gray market advertising and marketing firms. More than a decade ago, Yarochkin explains, there were multiple legal cases in China in which companies had installed “silent” plugins on devices and used them for a diverse array of seemingly fraudulent activity.

“The companies that basically survived that age of 2015 were the companies who adapted,” Yarochkin says. He notes that his investigations have now identified multiple “business entities” in China which appear to be linked back to some of the groups involved in Badbox 2. The connections include both economic and technical links. “We identified their addresses, we’ve seen some pictures of their offices, they have accounts of some employees on LinkedIn,” he says.

Human, Trend Micro, and Google also collaborated with the internet security group Shadow Server to neuter as much Badbox 2.0 infrastructure as possible by sinkholing the botnet so it essentially sends its traffic and requests for instructions into a void. But the researchers caution that after scammers pivoted following revelations about the original Badbox scheme, it’s unlikely that exposing Badbox 2.0 will permanently end the activity.

“As a consumer, you should keep in mind that if the device is too cheap to be true, you should be prepared that there might be some additional surprises hidden in the device,” Trend Micro’s Yarochkin says. “There is no free cheese unless the cheese is in a mousetrap.”

1 Million Third-Party Android Devices Have a Secret Backdoor for Scammers

Brazil, South Africa, Indonesia, Argentina, and Thailand have become the targets of a campaign that has infected Android TV devices with a botnet malware dubbed Vo1d.
The improved variant of Vo1d has been found to encompass 800,000 daily active IP addresses, with the botnet scaling a peak of 1,590,299 on January 19, 2025, spanning 226 countries. As of February 25, 2025, India has experienced a

Vo1d Botnet's Peak Surpasses 1.59M Infected Android TVs, Spanning 226 Countries

One of the most notorious providers of abuse-friendly "bulletproof" web hosting for cybercriminals has started routing its operations through networks run by the Russian antivirus and security firm Kaspersky Lab, KrebsOnSecurity has learned.

One of the most notorious providers of abuse-friendly “bulletproof” web hosting for cybercriminals has started routing its operations through networks run by the Russian antivirus and security firm **Kaspersky Lab**, KrebsOnSecurity has learned.

Security experts say the Russia-based service provider **Prospero OOO** (the triple O is the Russian version of “LLC”) has long been a persistent source of malicious software, botnet controllers, and a torrent of phishing websites. Last year, the French security firm **Intrinsec** detailed Prospero’s connections to bulletproof services advertised on Russian cybercrime forums under the names **Securehost** and **BEARHOST**.

The bulletproof hosting provider BEARHOST. This screenshot has been machine-translated from Russian. Image: Ke-la.com.

Bulletproof hosts are so named when they earn or cultivate a reputation for ignoring legal demands and abuse complaints. And BEARHOST has been cultivating its reputation since at least 2019.

“If you need a server for a botnet, for malware, brute, scan, phishing, fakes and any other tasks, please contact us,” BEARHOST’s ad on one forum advises. “We completely ignore all abuses without exception, including SPAMHAUS and other organizations.”

Intrinsec found Prospero has courted some of Russia’s nastiest cybercrime groups, hosting control servers for multiple ransomware gangs over the past two years. Intrinsec said its analysis showed Prospero frequently hosts malware operations such as SocGholish and GootLoader, which are spread primarily via fake browser updates on hacked websites and often lay the groundwork for more serious cyber intrusions — including ransomware.

A fake browser update page pushing mobile malware. Image: Intrinsec.

BEARHOST prides itself on the ability to evade blocking by Spamhaus, an organization that many Internet service providers around the world rely on to help identify and block sources of malware and spam. Earlier this week, Spamhaus said it noticed that Prospero was suddenly connecting to the Internet by routing through networks operated by Kaspersky Lab in Moscow.

Kaspersky did not respond to repeated requests for comment.

Kaspersky began selling antivirus and security software in the United States in 2005, and the company’s malware researchers have earned accolades from the security community for many important discoveries over the years. But in September 2017, the Department of Homeland Security (DHS) barred U.S. federal agencies from using Kaspersky software, mandating its removal within 90 days.

Cybersecurity reporter **Kim Zetter** notes that DHS didn’t cite any specific justification for its ban in 2017, but media reports quoting anonymous government officials referenced two incidents. Zetter wrote:

> According to one story, an NSA contractor developing offensive hacking tools for the spy agency had Kaspersky software installed on his home computer where he was developing the tools, and the software detected the source code as malicious code and extracted it from his computer, as antivirus software is designed to do. A second story claimed that Israeli spies caught Russian government hackers using Kaspersky software to search customer systems for files containing U.S. secrets.
> 
> Kaspersky denied that anyone used its software to search for secret information on customer machines and said that the tools on the NSA worker’s machine were detected in the same way that all antivirus software detects files it deems suspicious and then quarantines or extracts them for analysis. Once Kaspersky discovered that the code its antivirus software detected on the NSA worker’s machine were not malicious programs but source code in development by the U.S. government for its hacking operations, CEO Eugene Kaspersky says he ordered workers to delete the code.

Last year, the U.S. Commerce Department banned the sale of Kaspersky software in the U.S. effective July 20, 2024. U.S. officials argued the ban was needed because Russian law requires domestic companies to cooperate in all official investigations, and thus the Russian government could force Kaspersky to secretly gather intelligence on its behalf.

Phishing data gathered last year by the **Interisle Consulting Group** ranked hosting networks by their size and concentration of spambot hosts, and found Prospero had a higher spam score than any other provider by far.

AS209030, owned by Kaspersky Lab, is providing connectivity to the bulletproof host Prospero (AS200593). Image: cidr-report.org.

It remains unclear why Kaspersky is providing transit to Prospero. **Doug Madory**, director of Internet analysis at **Kentik**, said routing records show the relationship between Prospero and Kaspersky started at the beginning of December 2024.

Madory said Kaspersky’s network appears to be hosting several financial institutions, including Russia’s largest — **Alfa-Bank**. Kaspersky sells services to help protect customers from distributed denial-of-service (DDoS) attacks, and Madory said it could be that Prospero is simply purchasing that protection from Kaspersky.

But if that is the case, it doesn’t make the situation any better, said **Zach Edwards**, a senior threat researcher at the security firm **Silent Push**.

“In some ways, providing DDoS protection to a well-known bulletproof hosting provider may be even worse than just allowing them to connect to the rest of the Internet over your infrastructure,” Edwards said.

Notorious Malware, Spam Host “Prospero” Moves to Kaspersky Lab

A new malware campaign has been observed targeting edge devices from Cisco, ASUS, QNAP, and Synology to rope them into a botnet named PolarEdge since at least the end of 2023.
French cybersecurity company Sekoia said it observed the unknown threat actors leveraging CVE-2023-20118 (CVSS score: 6.5), a critical security flaw impacting Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and

PolarEdge Botnet Exploits Cisco and Other Flaws to Hijack ASUS, QNAP, and Synology Devices

A botnet of 130,000 devices is launching a Password-Spraying attack on Microsoft 365, bypassing MFA and exploiting legacy authentication to access accounts.

A new botnet-powered cyber attack is putting Microsoft 365 users at risk. Security researchers at SecurityScorecard have reported that over 130,000 compromised devices are being used to launch coordinated password-spraying attacks against Microsoft 365 accounts.

****What’s Happening?****

Instead of relying on the usual login mechanisms that trigger alerts through repeated failed attempts, the attackers are using non-interactive sign-ins for their campaigns. This method is normally meant for automated processes or background services and does not invoke the usual MFA checks. As a result, suspicious activities may go unnoticed by security monitoring systems that focus on standard user log-ins.

What’s more, attackers are making systematic attempts using stolen credentials from infostealer logs. Their approach targets a wide range of Microsoft 365 tenants, affecting organizations from financial services, healthcare, government, technology firms, and educational institutions.

****How the Attack Works****

*   **Non-Interactive Sign-Ins:** The attackers perform sign-in attempts that do not trigger immediate account lockouts or alerts. Since these log-ins are not interactive, they often escape the notice of standard monitoring tools.

*   **Basic Authentication Abuse:** By exploiting legacy Basic Authentication protocols, attackers send user credentials without encryption. This leaves accounts more exposed compared to modern authentication methods.

*   **Command and Control Coordination:** Evidence shows that attackers are coordinating their efforts through six command-and-control (C2) servers. These servers communicate with thousands of infected devices and are supported by proxy services from well-known cloud providers with ties to China. Analysis of the network traffic has revealed several open ports on these servers, which are likely used for tasks such as managing the botnet and sending instructions to the compromised devices.

According to SecurityScorecard’s report, this is concerning for organizations relying on Microsoft 365, as they face multiple risks. Unauthorized account access can expose sensitive emails, documents, and collaboration tools to attackers. Service disruptions may occur due to repeated login attempts, leading to account lockouts that interrupt daily operations.

Additionally, once in control, cybercriminals can misuse compromised accounts for phishing campaigns or move laterally within the organization, further escalating security threats. Because the attack exploits non-interactive sign-ins, teams that monitor just the usual interactive log-in events might miss these suspicious activities. Updating security monitoring to include non-interactive log events is an important step for organizations using Microsoft 365.

Security teams are encouraged to review sign-in logs carefully. Paying attention to non-interactive log entries and suspicious login attempts can help spot this kind of unwanted activity.

Organizations should audit background service accounts by identifying those using Basic Authentication and updating any exposed credentials found in non-interactive sign-in logs. It’s also crucial to review authentication methods and transition from legacy protocols to modern authentication practices that fully support MFA.

Additionally, monitoring for unusual traffic, such as abnormal login patterns or connections from IP addresses associated with command and control servers, can help detect and mitigate potential security threats.

With Microsoft planning to fully retire certain Basic Authentication protocols later this year, now is a good time for organizations to strengthen their protection against these kinds of covert attacks.

Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM), offers valuable insights into securing non-interactive logins in Microsoft 365.

“Non-interactive logins are widespread in Microsoft 365, driven by service accounts, automated tasks, and API integrations,” Soroko explains. “They often represent a significant portion of overall authentication events, as background processes routinely access resources without direct user input.”

Unlike interactive user authentication, Multi-Factor Authentication (MFA) isn’t typically applicable to non-interactive logins. “Instead, these automated logins should use alternative secure mechanisms such as certificates, or other forms of non-shared managed identities,” Soroko advises. “Organizations should better secure non-interactive access with conditional access policies, strict credential management, and continuous monitoring.”

Microsoft 365 offers configurations to restrict non-interactive logins. “Administrators can enforce stronger authentication via conditional access policies and block legacy protocols that facilitate these silent sign-ins,” Soroko notes. “However, such restrictions must be applied thoughtfully to avoid disrupting legitimate automated processes.”

Botnet of 130K Devices Targets Microsoft 365 in Password-Spraying Attack

Several government departments are investigating TP-Link routers over Chinese cyberattack fears, but the company denies links.

If you buy something using links in our stories, we may earn a commission. This helps support our journalism. Learn more. Please also consider subscribing to WIRED

TP-Link is one of the most popular router manufacturers in the US, but the company is facing a potential ban due to security concerns about its links to China. A December report from The Wall Street Journal revealed that the US Commerce, Defense, and Justice Departments are investigating TP-Link, though no evidence of deliberate wrongdoing has yet emerged.

“We are a US company,” Jeff Barney, president of TP-Link told WIRED, “We have no affiliation with TP-Link Tech, which focuses on mainland China, and we can prove our separateness.”

The investigation was sparked by a letter from John Moolenaar, a Republican for Michigan, and Raja Krishnamoorthi, a Democrat of Illinois. Both are on the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party. They outlined concerns that Chinese state-sponsored hackers may be able to compromise TP-Link’s routers more easily than other brands and thereby infiltrate US systems, and that TP-Link is subject to Chinese law, meaning it can be forced to hand over sensitive US information by Chinese intelligence officials.

Photograph: Simon Hill

TP-Link was founded in China in 1996 by two brothers, and TP-Link USA was established in 2008. It wasn’t until 2022 that the Chinese and US wings began to split. The process of moving the 170 subsidiaries and all the related ownership out of Hong Kong and into the United States was delayed by the pandemic, says Barney, but it was divested and restructured by 2024.

TP-Link now has headquarters in California and Singapore and manufactures in Vietnam. It researches, designs, develops, and manufactures everything except chipsets in-house, according to Barney. “Our entities in China are governed directly by us, our employees badged by us, secured by us, in our own facilities.” He also says TP-Link has shared documentation with investigators and that its factory in Vietnam was audited by US retail partners like Walmart, Best Buy, and Costco.

“Everybody has a Nexus in China,” Barney says. He claims that American rival Netgear uses Chinese ODMs (original device manufacturers) to build its products and that even Apple relies on manufacturing in China. Netgear says its routers are manufactured in Taiwan, Vietnam, and Thailand, not China.

**Competition Concerns**

The WSJ report suggests that TP-Link has a leading 64.9 percent share of the US router market, but TP-Link disputes this. The company claims its share hovered around 20 percent for the last few years, but jumped to a 36.5 percent unit share and a 30.7 percent dollar share in 2024. But even TP-Link’s lower estimate shows a company in the ascendancy. This dominance has been driven by aggressively low prices and a relatively early roll-out of Wi-Fi 7 routers, perceived by some as a concerted effort to flood the US market.

“Technology should not be exorbitant,” Barney says. “We're trying to democratize these products.”

However, the wide product range raises questions, with many wondering how TP-Link can profit from routers sold at such low prices compared to the competition. Former CNET reviewer Dong Ngo explores this point on the in-depth router review website, Dong Knows.

Concerns about the links between Chinese companies and its government are nothing new. The ban on Huawei’s networking equipment and US sanctions came after years of cybersecurity concerns and intellectual property lawsuits brought by US companies. The TikTok ban is not being enforced by President Donald Trump’s administration, but owner ByteDance is still under pressure to divest its US operations. These situations can be tricky for the average person to navigate because the lines between shoddy security, Chinese espionage, US protectionism, and the growing trade war are distinctly blurry and are not mutually exclusive.

It’s no secret that US competitor Netgear has been lobbying the US government on “cybersecurity and strategic competition with China.” Netgear has had a tough couple of years after adopting a premium pricing strategy that did not resonate with consumers. It has also been embroiled in litigation against TP-Link for patent infringement, resulting in TP-Link paying a $135 million settlement in September 2024.

**Are TP-Link Routers Secure?**

TP-Link has signed CISA’s “Secure by Design” pledge and is part of the Technical Exchange Group. It has a vulnerability disclosure program, where independent researchers and the security community can report potential issues to security@tp-link.com. It claims report response time was 8.4 days on average in 2023, with patches released in an average of 38.5 days. The company is also planning to launch a bug bounty program.

Barney claims TP-Link’s rate of vulnerabilities per product is significantly lower than many of its peers, including Netgear and Cisco, citing public data collected by Finite State, an independent US cybersecurity company, from CVE Details, VulDB, and CISA (Cybersecurity and Infrastructure Security Agency), but not everyone agrees.

“TP-Link does not have a great reputation for patching vulnerabilities or working with security researchers, which does raise alarm bells,” Pieter Arntz, malware intelligence researcher for Malwarebytes told WIRED via email.

Photograph: TP-Link; Data Source: U.S. Cybersecurity and Infrastructure Security Agency

TP-Link was criticized in a recent Microsoft report over a “password spraying” hack that mostly impacted its routers, and the report suggested Chinese “nation-state threat actor activity.” Barney says these were end-of-service products and that Asus and Netgear routers were also impacted.

Other incidents include a Check Point Research exposé of a malicious firmware implant for TP-Link routers, linked to a Chinese state-sponsored “advanced persistent threat” group dubbed “Camaro Dragon.” Cyfirma researchers also found TP-Link router vulnerabilities for sale on underground forums.

“It’s also a challenge because regardless of the home router vendor, there will always be vulnerabilities found,” Arntz says.

A part of the problem with older routers is that the onus is often on the user to download and install updates, and this is rarely automatic or as simple as clicking on “update,” which means many patches are never installed, creating vulnerable devices for any savvy cybercriminals or nation-states. Even months after TP-Link released patches for a vulnerability on its popular Archer AX21 router, hackers continue to scan for and exploit it on unpatched routers.

These security concerns are moot in the face of built-in backdoors. Backdoors can be pieces of code or even hardware added to the circuit board that enables remote parties to gain access and potentially control the device. There’s no evidence that TP-Link devices have backdoors, but, as Ngo points out, when you use an online account with your router, you are already giving the company access through the front door. Whether remote connectivity is justified by the need for automatic software updates, remote control access, or other features for users, it effectively gives the manufacturer access to your router.

**Should You Worry?**

Ultimately, the concern isn’t so much about the Chinese government or other malicious actors spying on your web browsing habits—though that is possible—it’s the idea they might employ your router as a part of a botnet to launch a cyberattack on a US government agency or major service provider.

The NSA has been concerned about Chinese hackers for some time now, and China's Salt Typhoon spies continue to infiltrate US internet service providers and telecommunications companies. Speaking on the _NatSec Tech_ podcast recently, former special assistant to the president and cybersecurity coordinator on the US National Security Council, Rob Joyce, likened TP-Link routers to a Trojan Horse and suggested China is pre-positioning for a potentially devastating attack on US infrastructure.

While some cybersecurity experts suggest a ban is imminent, Barney is confident that TP-Link routers won’t be banned. Investigations are ongoing. Even if the government doesn't find anything or decides against a ban, it won’t publicly clear TP-Link. It’s more likely the investigation will fade from the news.

Photograph: Simon Hill

For owners of a TP-Link router or anyone considering buying one, it all boils down to trust. We've tested and recommend several TP-Link routers and Deco mesh systems in our buying guides because they offer good value and great performance. But we continually update our guides and will monitor the situation before deciding whether we need to reconsider those recommendations.

There’s no easy fix because all the major router manufacturers have issues with vulnerabilities, and most of them require you to use an online account. You can go down the rabbit hole with router security, or seek out security-focused brands like Firewalla, but expect to pay more for your equipment in both time and money.

Even if you stick with what you have, there are steps you can take to be more secure online. We recommend using a VPN service and learning a little about router settings. Malwarebytes’ Arntz says the most secure router is the one on which you are comfortable changing the settings: credentials, firewall options, and especially installing updates.

Here’s his advice for home TP-Link router owners who are concerned:

*   First, update your login credentials. Ensure you have moved away from the default login credentials set by the router manufacturer (or internet provider). Make this password different from your Wi-Fi name and password. And remember, length equals strength when it comes to passwords.
*   Second, patch your device and set a reminder to check regularly for firmware updates.
*   Third, turn on the firewall and Wi-Fi encryption. You can find these settings by logging into your router from its app or website.
*   Finally, consider purchasing a new router from a different vendor with a less problematic history.

TP-Link also manufactures a wide range of smart home devices marketed under the Tapo brand, including everything from security cameras to water leak detectors. These are not part of the current investigation, which seems to be focused solely on routers. TP-Link says it has applied to the FCC’s Cyber Trust Mark program administered by UL Solutions, which ensures that internet-of-things devices are tested and labeled secure. Sadly, there is no such program for routers.

The US Is Considering a TP-Link Router Ban—Should You Worry?

Massive 1.17 TB data leak exposes billions of records from a Chinese IoT grow light company. Wi-Fi passwords,…

Massive 1.17 TB data leak exposes billions of records from a Chinese IoT grow light company. Wi-Fi passwords, IP addresses, and device IDs are among the exposed data. Learn more.

A large, unprotected database belonging to Mars Hydro, a company specializing in IoT grow lights (Internet of Things Grow Lights) and agricultural software, was discovered by cybersecurity researcher Jeremiah Fowler.

The database, containing a whopping 2.7 billion records totalling 1.17 terabytes, exposed a treasure trove of sensitive information, including Wi-Fi network names (SSIDs), passwords, IP addresses, device IDs, email addresses, and more.  

According to Fowler’s blog post for vpnMentor which the company shared with Hackread.com ahead of publishing on Wednesday 12th February 2025, within the database, folders labelled for logging, monitoring, and error records of IoT devices worldwide were found. 

Sample analysis revealed over 100 million records across 13 folders, containing not only Wi-Fi network names but also their corresponding passwords, along with IP addresses and unique device identifiers.  Interestingly, the data also seemed to link to the control devices, such as smartphones, used to manage these IoT products, revealing information about operating systems (e.g. iOS and Android).

Further investigation linked the database to LG-LED SOLUTIONS LIMITED, a California-registered company.  API details and URLs associated with LG-LED SOLUTIONS, Mars Hydro, and Spider Farmer- all involved in the manufacturing and sale of agricultural grow lights, fans, and cooling systems- were also present in the exposed data.  Numerous records were specifically labelled as “Mars-pro-iot-error” or “SF-iot-error,” suggesting a connection to these specific product lines.  

Fowler also found error logs containing potentially sensitive information, including tokens, application versions, device types, and IP addresses, in addition to the Wi-Fi credentials. 

Following the discovery, Fowler promptly notified LG-LED SOLUTIONS and Mars Hydro, leading to the database being secured within hours. Mars Hydro, identified as a Shenzhen, China-based LED grow light manufacturer with warehouses in the UK, US, and Australia, confirmed to Fowler that the Mars Pro app is their official product. 

Nevertheless, questions remain regarding the database’s ownership, management, and the duration of its exposure. It is unclear if the database was managed directly by LG-LED SOLUTIONS or a third-party contractor. A thorough forensic audit would be required to determine the extent of any unauthorized access, Fowler noted in the blog post.

The Mars Pro app and connected devices have been exposing vast amounts of information. Such lapses can lead to misuse, like surveillance, man-in-the-middle attacks, and manipulation. The recently reported Matrix hacker group is a prime example of the ongoing exploitation of exposed IoT devices for DDoS botnets.

Additionally, studies indicate that a significant percentage of IoT devices (57%) are highly vulnerable, with a majority of transmitted data (983%) being unencrypted. To mitigate these risks, IoT device makers and app developers must prioritize data protection, avoid plain text logging, use encryption, secure internal cloud storage, and conduct regular security audits and penetration testing.

.

Tag

#botnet