🔓 Breach Brief · 🟠 High · 🔍 ThreatIntel

US Seizes Infrastructure Behind Four IoT Botnets Responsible for Millions of DDoS Attacks

U.S., German and Canadian authorities seized domains and servers used by the Aisuru, KimWolf, JackSkid and Mossad botnets, which compromised ~3 M IoT devices and launched hundreds of thousands of DDoS attacks. The takedown underscores the risk that third‑party IoT assets pose to supply‑chain continuity.

🛡️ LiveThreat™ Intelligence · 📅 March 20, 2026· 📰 therecord.media
  • Severity: High
  • Type: ThreatIntel
  • Confidence: High
  • Affected: 5 sector(s)
  • Actions: 3 recommended
  • Source: therecord.media


What Happened — The U.S. Department of Justice, in coordination with German and Canadian law enforcement, seized dozens of domains, virtual servers, and command‑and‑control (C2) infrastructure used by the Aisuru, KimWolf, JackSkid and Mossad botnets. These botnets leveraged roughly three million compromised Internet‑of‑Things (IoT) devices to issue over 300 000 DDoS attack commands, causing widespread service outages and financial losses for victims.

Why It Matters for TPRM

  • Large‑scale botnets can be rented by threat actors to disrupt or extort third‑party services, exposing your supply chain to downtime.
  • IoT‑based botnets often infiltrate devices behind firewalls, highlighting gaps in vendors’ network segmentation and asset inventory.
  • The seizure demonstrates that law enforcement can rapidly dismantle C2 infrastructure, but the compromised devices themselves are not cleaned by a takedown and may remain infected and re‑enrollable by a successor botnet.

Who Is Affected — Technology/SaaS providers, financial services, healthcare, retail, and any organization relying on internet‑facing services or third‑party cloud/CDN providers.

Recommended Actions

  • Review all third‑party contracts for DDoS mitigation clauses and verify that providers employ botnet detection and traffic‑scrubbing services.
  • Conduct an inventory of IoT assets within your vendor ecosystem and ensure they are patched, segmented, and monitored.
  • Test incident‑response playbooks for DDoS scenarios, including coordination with law enforcement and upstream providers.

Technical Notes — The botnets exploited insecure IoT devices (cameras, routers, streaming boxes) via default credentials and firmware vulnerabilities, then sold access to cyber‑criminals for DDoS or as a cover for other illicit activity. No specific CVE was cited. Source: The Record

📰 Original Source
https://therecord.media/us-seizes-botnet-infrastructure-four-large-networks

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
