Protect.Computer

Feds disrupt major IoT DDoS botnets after record-smashing attacks


What happened

U.S. authorities, with support from Canada and Germany, disrupted infrastructure tied to four large IoT botnets: Aisuru, Kimwolf, JackSkid, and Mossad.

According to public reporting, the botnets were used for large-scale distributed denial-of-service (DDoS) activity, including extortion-linked attacks and repeated attacks against government-linked targets.

Why this matters

This operation reduces immediate attack capacity, but does not eliminate the broader risk:

  • vulnerable internet-facing devices are still widely exposed,
  • copycat botnets can rapidly reuse the same exploitation paths,
  • takedowns often cause short-term disruption before infrastructure is rebuilt.

For organizations running edge appliances, cameras, or older routers, this is a strong signal to validate hardening now.

How to check if you’re affected

  1. Inventory exposed devices
    • Identify externally reachable routers, IP cameras, NVRs, and remote admin interfaces.
  2. Check for outdated firmware and default credentials
    • Confirm vendor firmware is current and default/admin passwords are removed.
  3. Review logs for DDoS/botnet behavior
    • Look for unusual outbound traffic spikes, repeated failed login patterns, and unexplained process restarts.
  4. Audit remote management settings
    • Disable WAN-side management unless strictly required; enforce MFA where supported.
  5. Hunt for known IoT compromise indicators
    • Correlate alerts with known botnet scanning/exploit traffic patterns from your IDS/IPS and firewall telemetry.
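
As an added example for step 3 (not part of the original article), the script below flags outbound traffic spikes and repeated failed logins per device. The log format, field names, thresholds, and addresses are assumptions constructed for illustration; adapt the parser to your own firewall or flow export.

```python
import csv, io
from collections import defaultdict
from statistics import median

# Constructed sample: one row per device per minute (flow) or per failed login.
SAMPLE_LOG = """minute,device,event,peer,bytes_out
10:00,192.0.2.10,flow,198.51.100.7,1200
10:01,192.0.2.10,flow,198.51.100.7,1100
10:02,192.0.2.10,flow,198.51.100.7,1300
10:03,192.0.2.10,flow,203.0.113.50,950000
10:00,192.0.2.11,flow,198.51.100.7,2000
10:01,192.0.2.11,flow,198.51.100.7,2100
10:02,192.0.2.11,flow,198.51.100.7,1900
10:01,192.0.2.10,login_fail,203.0.113.77,0
""" + "10:02,192.0.2.11,login_fail,203.0.113.9,0\n" * 5

def parse_log(text):
    return list(csv.DictReader(io.StringIO(text)))

def outbound_spikes(rows, factor=20):
    """Minutes where a device sent more than factor x its own median."""
    per_min = defaultdict(lambda: defaultdict(int))
    for r in rows:
        if r["event"] == "flow":
            per_min[r["device"]][r["minute"]] += int(r["bytes_out"])
    hits = []
    for dev, minutes in per_min.items():
        base = median(minutes.values())  # per-device baseline (assumed heuristic)
        hits += [(dev, m, b) for m, b in sorted(minutes.items())
                 if base > 0 and b > factor * base]
    return hits

def failed_login_bursts(rows, threshold=5):
    """(device, peer) pairs with at least `threshold` failed logins."""
    counts = defaultdict(int)
    for r in rows:
        if r["event"] == "login_fail":
            counts[(r["device"], r["peer"])] += 1
    return sorted((d, p, n) for (d, p), n in counts.items() if n >= threshold)

if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for dev, minute, b in outbound_spikes(rows):
        print(f"outbound spike: {dev} at {minute} sent {b} bytes")
    for dev, peer, n in failed_login_bursts(rows):
        print(f"failed-login burst: {n} attempts on {dev} from {peer}")
```

Comparing each device against its own median keeps a normally chatty NVR from masking a quiet camera that suddenly starts sending traffic.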

What to do next

  • Patch or replace unsupported IoT/network devices.
  • Segment IoT hardware away from business-critical systems.
  • Rate-limit and geo-restrict management interfaces.
  • Enable always-on monitoring for unusual outbound connections.


Bottom line

The takedown is meaningful, but defenders should treat it as a limited-time advantage. If vulnerable IoT devices remain exposed, replacement botnets can fill the gap quickly.
