Divya
2025-07-25 04:24:00
gbhackers.com
Cybersecurity researchers have uncovered a sophisticated botnet operation exploiting VoIP-enabled routers through default password attacks, with initial activity concentrated in rural New Mexico before expanding globally to compromise approximately 500 devices.
The discovery began when GreyNoise Intelligence engineers noticed an unusual cluster of malicious IP addresses originating from a sparsely populated region of New Mexico with just over 3,000 residents.
Upon investigation, researchers found that roughly 90 IP addresses were all connected to the Pueblo of Laguna Utility Authority, exhibiting coordinated botnet behavior through Telnet-based attacks.
Coordinated Attack Pattern Emerges
The compromised systems displayed multiple concerning characteristics, including telnet brute-forcing capabilities, generic IoT default password attempts, and behavior consistent with Mirai botnet variants.

Analysis revealed that 100% of the malicious traffic from this region was Telnet-based, suggesting attackers were systematically targeting devices with weak authentication protocols.
Using artificial intelligence-powered analysis tools and packet capture data, researchers determined that many of the affected systems were VoIP-enabled devices, with evidence pointing to hardware from Cambium Networks being involved in portions of the activity.
The investigation revealed a unique network signature affecting 90% of traffic from the compromised infrastructure, indicating similar hardware configurations across the botnet.
Following the New Mexico cluster discovery, researchers expanded their investigation worldwide, identifying approximately 500 IP addresses exhibiting similar attack patterns.
These systems demonstrated high-volume Telnet login attempts using weak credentials, aggressive scanning behavior, and characteristics aligned with known Mirai botnet operations.
VoIP devices present attractive targets for cybercriminals due to several factors: they frequently operate on outdated Linux-based firmware, often have Telnet services exposed by default, and typically receive minimal security monitoring or patch management.
Some Cambium router models may still be running firmware versions vulnerable to a remote code execution flaw first disclosed in 2017.
In an unusual development, the malicious activity from the New Mexico utility completely ceased shortly after a GreyNoise team member briefly mentioned the investigation on social media.
Whether coincidental or indicating that attackers monitor security research discussions, the traffic stoppage was immediate and complete.
However, global botnet activity resumed shortly thereafter, suggesting the operation merely shifted tactics rather than shutting down.
Security experts recommend several immediate actions for organizations potentially affected by this botnet campaign.
Network administrators should audit Telnet exposure on VoIP-enabled systems, rotate or disable default credentials on edge devices, and implement monitoring for unusual outbound traffic patterns.
The incident highlights ongoing vulnerabilities in internet-connected devices and demonstrates how small utilities and internet service providers can unknowingly contribute infrastructure to global cybercriminal operations.
Organizations should prioritize firmware updates and disable unnecessary services on VoIP equipment to prevent similar compromises.
Get Free Ultimate SOC Requirements Checklist Before you build, buy, or switch your SOC for 2025 - Download Now
Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.
Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!
Help Power Techcratic’s Future – Scan To Support
If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.
As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!
BITCOIN bc1qlszw7elx2qahjwvaryh0tkgg8y68enw30gpvge Scan the QR code with your crypto wallet app |
DOGECOIN D64GwvvYQxFXYyan3oQCrmWfidf6T3JpBA Scan the QR code with your crypto wallet app |
ETHEREUM 0xe9BC980DF3d985730dA827996B43E4A62CCBAA7a Scan the QR code with your crypto wallet app |
Please read the Privacy and Security Disclaimer on how Techcratic handles your support.
Disclaimer: As an Amazon Associate, Techcratic may earn from qualifying purchases.