A widespread botnet operation, leveraging VOIP-enabled routers and other devices configured with default credentials, has been identified globally. The uncovering of this sophisticated campaign commenced when security analysts observed an atypical concentration of malicious IP addresses in rural New Mexico. This finding ultimately led to the detection of around 500 compromised systems across the globe.
GreyNoise engineers pinpointed 90 malicious IP addresses from Pueblo of Laguna Utility Authority, New Mexico. This locale has a population of just over 3,000. Traffic from these systems was exclusively Telnet-based. It displayed attributes indicative of botnet activity, including tags like "Telnet Bruteforcer" and "Mirai."
AI-powered analysis via an MCP server identified a distinct network fingerprint: the JA4t signature 5840_2-4-8-1-3_1460_1. This signature accounted for 90% of the observed malicious traffic, which suggests uniform hardware configurations and points to deliberate, coordinated targeting of particular device models.
Analysis confirmed many impacted systems were VOIP-enabled devices, with Cambium Networks hardware implicated. These devices often run outdated Linux firmware, exposing Telnet services by default. This makes them prime targets for malicious actors.
Globally, 500 additional IP addresses showed comparable behavioral patterns. Compromised devices shared characteristics: Telnet login attempts with weak or default credentials. They also showed elevated session volumes and scanning consistent with Mirai botnet variants. VOIP devices are appealing targets due to internet exposure, minimal monitoring, and infrequent patching.
Some Cambium routers might run firmware vulnerable to a 2017 RCE flaw, although researchers could not confirm that it was exploited. The campaign shows that vulnerabilities persist: threat actors opportunistically exploit systems long after public disclosure, whenever they remain accessible.
Notably, when GreyNoise researchers briefly alluded to this activity on social media, traffic originating from the New Mexico utility abruptly ceased. However, it quickly surged again thereafter, indicating that the attackers are actively monitoring security community discussions.
In response, security experts advise organizations to promptly audit Telnet exposure on all VOIP-enabled systems, mandate the rotation or disablement of default credentials on edge devices, and deploy dynamic IP blocking mechanisms to counter these coordinated attacks effectively.
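The report's two detection handles, the JA4t fingerprint and the pattern of Telnet logins with default credentials, together with the recommended dynamic IP blocking, can be turned into a small defensive workflow. The following is an added example, not code from GreyNoise or from the article; it runs over a constructed set of Telnet authentication records (RFC 5737 TEST-NET addresses), uses the JA4t string quoted in the article, and assumes a hypothetical log format and a constructed list of default credential pairs that a real deployment would replace with the device vendors' documented defaults.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# JA4t signature attributed to the campaign in the GreyNoise report.
CAMPAIGN_JA4T = "5840_2-4-8-1-3_1460_1"

# Constructed sample of vendor default credential pairs (assumption for this
# demo; load the real vendor defaults for the devices you operate).
DEFAULT_CREDS = {
    ("root", "root"), ("admin", "admin"), ("admin", "password"),
    ("user", "user"), ("root", "admin"),
}

# Constructed Telnet auth records in a hypothetical format:
# timestamp  src_ip  dst_port  JA4T-of-handshake  user  password  result
SAMPLE_LOG = """\
2025-03-01T10:00:00Z 203.0.113.5 23 5840_2-4-8-1-3_1460_1 root root FAIL
2025-03-01T10:00:02Z 203.0.113.5 23 5840_2-4-8-1-3_1460_1 admin admin FAIL
2025-03-01T10:00:04Z 203.0.113.5 23 5840_2-4-8-1-3_1460_1 admin password FAIL
2025-03-01T10:00:06Z 203.0.113.5 23 5840_2-4-8-1-3_1460_1 user user FAIL
2025-03-01T10:00:08Z 203.0.113.5 23 5840_2-4-8-1-3_1460_1 root admin FAIL
2025-03-01T10:01:00Z 203.0.113.9 23 5840_2-4-8-1-3_1460_1 root root FAIL
2025-03-01T10:01:03Z 203.0.113.9 23 5840_2-4-8-1-3_1460_1 admin admin FAIL
2025-03-01T10:02:00Z 198.51.100.7 23 65535_2-4-8-1-3_1460_7 ops S3cure!Passphrase FAIL
2025-03-01T10:03:00Z 192.0.2.10 23 65535_2-4-8-1-3_1460_7 ops S3cure!Passphrase OK
"""


@dataclass(frozen=True)
class Record:
    ts: datetime
    src: str
    dst_port: int
    ja4t: str
    user: str
    password: str
    ok: bool


def parse_ja4t(sig: str) -> dict:
    """Split a JA4T string into its four fields: TCP window size,
    TCP option kinds in SYN order, MSS, and window scale."""
    parts = sig.split("_")
    if len(parts) != 4:
        raise ValueError(f"malformed JA4T: {sig!r}")
    window, opts, mss, scale = parts
    return {
        "window": int(window),
        "options": [int(o) for o in opts.split("-")] if opts else [],
        "mss": int(mss),
        "scale": int(scale),
    }


def parse_line(line: str) -> Record:
    """Parse one record of the constructed log format above."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields: {line!r}")
    ts, src, port, ja4t, user, pw, result = fields
    return Record(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                  src, int(port), ja4t, user, pw, result == "OK")


def analyse(lines, threshold: int = 3) -> dict:
    """Share of traffic carrying the campaign fingerprint, default-credential
    attempts per source, and sources that both carry the fingerprint and
    exceed the attempt threshold on Telnet (port 23)."""
    records = [parse_line(l) for l in lines if l.strip()]
    sig_hits = sum(1 for r in records if r.ja4t == CAMPAIGN_JA4T)
    share = sig_hits / len(records) if records else 0.0
    default_attempts = Counter()
    campaign_src = set()
    for r in records:
        if r.dst_port != 23:
            continue
        if (r.user, r.password) in DEFAULT_CREDS:
            default_attempts[r.src] += 1
        if r.ja4t == CAMPAIGN_JA4T:
            campaign_src.add(r.src)
    suspects = sorted(ip for ip, n in default_attempts.items()
                      if n >= threshold and ip in campaign_src)
    return {"campaign_share": share,
            "default_attempts": dict(default_attempts),
            "suspects": suspects}


def block_decisions(suspects, now: datetime, ttl=timedelta(hours=1)) -> dict:
    """Dynamic block list: every entry expires, so a device that is cleaned
    up or re-addressed regains access without a manual rule change."""
    return {ip: now + ttl for ip in suspects}


def is_blocked(blocks: dict, ip: str, now: datetime) -> bool:
    exp = blocks.get(ip)
    return exp is not None and now < exp


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG.splitlines())
    print(f"campaign JA4T share: {result['campaign_share']:.0%}")
    print("default-credential attempts:", result["default_attempts"])
    now = datetime(2025, 3, 1, 10, 5, tzinfo=timezone.utc)
    print("blocks:", block_decisions(result["suspects"], now))
```

The fingerprint match is deliberately combined with the credential-attempt count rather than used alone: a TCP fingerprint identifies a hardware and firmware class, so on its own it would also flag uncompromised devices of the same model. Expiring block entries keep the dynamic blocking recommended above from accumulating stale rules.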