Takedown Analysis: Aisuru, Kimwolf, JackSkid, and Mossad Botnets
Just saw the breaking news regarding the DOJ’s coordinated action with Canada and Germany to dismantle four major IoT botnets. It’s a significant win, especially considering these botnets—Aisuru, Kimwolf, JackSkid, and Mossad—controlled over 3 million devices. While the disruption is great news, it doesn't solve the root problem: the sheer number of routers and webcams exposed to the internet with default credentials.
From a defensive perspective, we often see that these devices are compromised due to well-known vulnerabilities or simple brute-force attacks on Telnet/SSH. Once infected, they become part of the DDoS cannon. For those managing large networks, simply banning IoT devices from the main VLAN is usually the first step.
If you need to audit your edge devices for open administrative interfaces that shouldn't be exposed, I recommend a targeted scan. Here is a quick Nmap snippet to check for common Telnet ports often abused by these Mirai-derivatives:
nmap -sV -p 23,2323,80,8080,443,5555 --script auth,banner <TARGET_RANGE>
Additionally, keep an eye on your NetFlow or firewall logs for massive spikes in UDP traffic to random destinations, which is a hallmark of DDoS reflection attacks.
For those of you dealing with BYOD or IoT in corporate environments, how are you handling segmentation? Are you relying on NAC (Network Access Control), or are you just throwing everything into a dedicated 'junk' VLAN?
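The scan above produces a lot of output on a large edge estate. As an added example, not part of the original post, here is a small parser that reads the XML nmap writes with `-oX` and lists only the hosts that have an administrative port open, together with the banner the `banner` script captured. The XML is a constructed sample in nmap's output format; the port list and the "admin port" classification are assumptions for the example.

```python
"""Audit nmap XML output (-oX) for exposed administrative ports on IoT/edge devices.

Added example, not from the original post. The XML below is a constructed sample
shaped like nmap's -oX output, trimmed to the elements this parser reads.
"""
import xml.etree.ElementTree as ET

# Ports that should not be reachable from the internet on an IoT/edge device.
# 443 is deliberately left out: HTTPS on a router's WAN side may be intentional,
# whereas Telnet and plain HTTP admin pages almost never are (assumption).
ADMIN_PORTS = {23: "telnet", 2323: "telnet-alt", 80: "http", 8080: "http-alt", 5555: "adb"}

# Constructed sample: one camera with Telnet + HTTP open, one device with only HTTPS.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23">
        <state state="open"/><service name="telnet" product="BusyBox telnetd"/>
        <script id="banner" output="login: "/>
      </port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="2323"><state state="filtered"/></port>
    </ports>
  </host>
</nmaprun>
"""


def exposed_admin_ports(xml_text):
    """Return {ip: [(port, service, banner), ...]} for hosts with an open admin port.

    Only ports whose <state> is "open" count; "closed" and "filtered" are ignored.
    The banner is the output of nmap's banner script when present, else "".
    """
    root = ET.fromstring(xml_text)
    findings = {}
    for host in root.iter("host"):
        addr = host.find("address")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.iter("port"):
            portid = int(port.get("portid"))
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            if portid not in ADMIN_PORTS:
                continue
            svc = port.find("service")
            service = svc.get("name") if svc is not None else "unknown"
            banner = ""
            for script in port.iter("script"):
                if script.get("id") == "banner":
                    banner = script.get("output", "")
            findings.setdefault(ip, []).append((portid, service, banner))
    return findings


if __name__ == "__main__":
    for ip, ports in exposed_admin_ports(SAMPLE_XML).items():
        for portid, service, banner in ports:
            print(f"{ip}\t{portid}/{service}\t{banner!r}")
```

Run it against a real scan with `exposed_admin_ports(open("scan.xml").read())`; anything it lists on a WAN-facing interface is a device that should be moved behind the firewall or have the service disabled.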
We've been using a dedicated 'Untrusted' VLAN for all IoT gear—printers, cameras, smart thermostats. The VLAN has no access to the internal LAN and can only reach out via DNS, NTP, and HTTPS to specific update servers. It's the only way to sleep at night knowing that a compromised webcam won't pivot to a domain controller.
Great post. From a pentester's view, Shodan is still terrifying. You can find thousands of these devices exposing Telnet (port 23) publicly. Even after takedowns, the worm-like nature of this malware means they reinfect quickly if the firmware isn't updated. Vendors need to be held accountable for devices that are impossible to patch.
The KQL query below is helpful if you're using Azure Sentinel or Microsoft Defender for IoT to spot lateral movement from these devices:
DeviceNetworkEvents
| where ActionType == "InboundAllowed"
| where RemotePort in (23, 2323)
| summarize Count = count() by DeviceName, RemoteIP
| where Count > 100
This helps identify devices acting as bots or C2 beacons calling home frequently.
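For readers without Sentinel, the two detections discussed in this thread (the UDP fan-out spike from the first post and the inbound-Telnet count from the KQL query above) can be reproduced over exported flow or firewall records. The following is an added example, not code from the thread; the records are constructed, the field names are my own rather than Defender's column names, and the thresholds are assumptions to tune per network.

```python
"""Two IoT botnet indicators over constructed network records (added example).

1. udp_fanout: one internal source sending UDP to many distinct destinations within a
   one-minute bucket, the pattern of a device taking part in a DDoS/reflection attack.
2. telnet_inbound_hits: inbound connections on Telnet ports counted per device and
   remote IP, the same aggregation the KQL query performs, with a threshold.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2025, 1, 1, 12, 0, 0)


def _flow(offset_s, src, dst, proto, dport, pkts):
    """Build one NetFlow-style record (constructed helper)."""
    return {"ts": BASE + timedelta(seconds=offset_s), "src": src, "dst": dst,
            "proto": proto, "dport": dport, "pkts": pkts}


# Constructed flows: a camera (10.50.0.23) sends UDP/53 to 60 distinct destinations in
# one minute, while a printer (10.50.0.9) does ordinary DNS, NTP and one HTTPS session.
FLOWS = [_flow(i, "10.50.0.23", f"198.51.100.{i + 1}", "udp", 53, 400) for i in range(60)]
FLOWS += [
    _flow(5, "10.50.0.9", "10.50.0.2", "udp", 53, 2),
    _flow(20, "10.50.0.9", "10.50.0.2", "udp", 123, 1),
    _flow(40, "10.50.0.9", "203.0.113.7", "tcp", 443, 35),
]

# Constructed connection events: a camera accepting 150 inbound Telnet connections from
# one remote IP, plus benign HTTPS, plus a printer seeing a handful on 2323.
EVENTS = (
    [{"device": "cam-lobby-01", "action": "inbound_accepted",
      "remote_ip": "192.0.2.55", "remote_port": 23}] * 150
    + [{"device": "cam-lobby-01", "action": "inbound_accepted",
        "remote_ip": "10.50.0.2", "remote_port": 443}] * 3
    + [{"device": "printer-2f", "action": "inbound_accepted",
        "remote_ip": "192.0.2.55", "remote_port": 2323}] * 12
)


def udp_fanout(flows, min_dests=25):
    """Return {src: max_distinct_udp_destinations_in_one_minute} for sources at or
    above min_dests. Fixed one-minute buckets keep this a single pass over the data."""
    buckets = defaultdict(set)
    for f in flows:
        if f["proto"] != "udp":
            continue
        minute = f["ts"].replace(second=0, microsecond=0)
        buckets[(f["src"], minute)].add(f["dst"])
    worst = defaultdict(int)
    for (src, _minute), dsts in buckets.items():
        worst[src] = max(worst[src], len(dsts))
    return {src: n for src, n in worst.items() if n >= min_dests}


def telnet_inbound_hits(events, threshold=100, ports=(23, 2323)):
    """Return {(device, remote_ip): count} where inbound connections on Telnet ports
    exceed threshold; mirrors 'summarize count() by DeviceName, RemoteIP | where Count > N'."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == "inbound_accepted" and e["remote_port"] in ports:
            counts[(e["device"], e["remote_ip"])] += 1
    return {key: n for key, n in counts.items() if n > threshold}


if __name__ == "__main__":
    print("UDP fan-out sources:", udp_fanout(FLOWS))
    print("Telnet inbound hits:", telnet_inbound_hits(EVENTS))
```

Both functions return plain dictionaries so they can be wired into whatever alerting you already have; the fixed one-minute bucket in `udp_fanout` can miss a burst straddling a minute boundary, so lower `min_dests` slightly if you want that case caught.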