New VoIP Botnet Targets Routers Using Default Passwords

The discovery began when GreyNoise Intelligence engineers noticed an unusual cluster of malicious IP addresses originating from a sparsely populated region of New Mexico with just over 3,000 residents.

Upon investigation, researchers found that roughly 90 IP addresses were all connected to the Pueblo of Laguna Utility Authority, exhibiting coordinated botnet behavior through Telnet-based attacks.

Coordinated Attack Pattern Emerges

The compromised systems displayed multiple concerning characteristics, including telnet brute-forcing capabilities, generic IoT default password attempts, and behavior consistent with Mirai botnet variants.

Analysis revealed that 100% of the malicious traffic from this region was Telnet-based, suggesting attackers were systematically targeting devices with weak authentication protocols.

Using artificial intelligence-powered analysis tools and packet capture data, researchers determined that many of the affected systems were VoIP-enabled devices, with evidence pointing to hardware from Cambium Networks being involved in portions of the activity.

The investigation revealed a unique network signature affecting 90% of traffic from the compromised infrastructure, indicating similar hardware configurations across the botnet.

Following the New Mexico cluster discovery, researchers expanded their investigation worldwide, identifying approximately 500 IP addresses exhibiting similar attack patterns.

These systems demonstrated high-volume Telnet login attempts using weak credentials, aggressive scanning behavior, and characteristics aligned with known Mirai botnet operations.

VoIP devices present attractive targets for cybercriminals due to several factors: they frequently operate on outdated Linux-based firmware, often have Telnet services exposed by default, and typically receive minimal security monitoring or patch management.

Some Cambium router models may still be running firmware versions vulnerable to a remote code execution flaw first disclosed in 2017.

In an unusual development, the malicious activity from the New Mexico utility completely ceased shortly after a GreyNoise team member briefly mentioned the investigation on social media.

Whether coincidental or indicating that attackers monitor security research discussions, the traffic stoppage was immediate and complete.

However, global botnet activity resumed shortly thereafter, suggesting the operation merely shifted tactics rather than shutting down.

Security experts recommend several immediate actions for organizations potentially affected by this botnet campaign.

Network administrators should audit Telnet exposure on VoIP-enabled systems, rotate or disable default credentials on edge devices, and implement monitoring for unusual outbound traffic patterns.

The incident highlights ongoing vulnerabilities in internet-connected devices and demonstrates how small utilities and internet service providers can unknowingly contribute infrastructure to global cybercriminal operations.

Organizations should prioritize firmware updates and disable unnecessary services on VoIP equipment to prevent similar compromises.