GreyNoise researchers have uncovered a sophisticated global botnet targeting Voice over Internet Protocol (VOIP) devices after discovering an unusual concentration of malicious internet traffic emanating from a small rural community in New Mexico with just over 3,000 residents.
Unusual Geographic Clustering Triggers Investigation
The investigation began when a GreyNoise engineer noticed an anomalous cluster of malicious IP addresses concentrated in a single rural New Mexico region during routine telemetry monitoring.
This geographic concentration was highly unusual for typical botnet activity, which normally distributes across wide geographic areas to avoid detection.
The initial investigation focused on IP address 137.118.82.76, which exhibited multiple concerning characteristics, including telnet brute-force attempts, generic IoT default password attacks, and signatures consistent with the notorious Mirai botnet.
Further analysis revealed approximately 90 malicious IP addresses in the same region, all connected to the Pueblo of Laguna Utility Authority network.
AI-Powered Analysis Reveals VOIP Connection
Researchers used GreyNoise’s Model Context Protocol (MCP) server, which lets an AI assistant query GreyNoise telemetry directly, to accelerate their analysis.
The AI-assisted investigation, combined with infrastructure data from Censys and packet capture analysis, confirmed that many compromised systems were VOIP-enabled devices, with evidence suggesting involvement of Cambium Networks hardware.
The investigation revealed a distinctive fingerprint – a JA4T TCP fingerprint of “5840_2-4-8-1-3_1460_1”, derived from the window size, option order, MSS and window-scale values in each SYN – present in 90% of the traffic from the affected ISP, indicating that the compromised hosts shared a similar hardware and firmware configuration.
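To make the fingerprint concrete, the following added example (not GreyNoise code, and not tied to their tooling) computes a JA4T value from the SYN fields it summarises and measures how much of a set of observed SYNs carries the article’s fingerprint. The JA4T layout used here is window size, TCP option kinds in wire order joined by “-”, MSS, and window scale, separated by underscores; the “00” placeholder for an absent MSS or window scale, the sample SYN records and the IP addresses are all constructed for the example.

```python
"""Compute JA4T TCP fingerprints from SYN parameters and measure one value's share."""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class SynParams:
    """Fields of a TCP SYN that JA4T summarises (constructed records, not captures)."""
    src_ip: str
    window_size: int
    option_kinds: Tuple[int, ...]  # TCP option kind numbers in on-the-wire order
    mss: int                       # 0 when no MSS option was present
    window_scale: int              # 0 when no window-scale option was present


def ja4t(p: SynParams) -> str:
    """Render the JA4T string: window_size _ options _ mss _ window_scale.

    Option kinds are joined with '-'; a missing MSS or window scale is written
    as '00' (assumed here as the placeholder for an absent value).
    """
    opts = "-".join(str(k) for k in p.option_kinds) or "00"
    mss = str(p.mss) if p.mss else "00"
    wscale = str(p.window_scale) if p.window_scale else "00"
    return f"{p.window_size}_{opts}_{mss}_{wscale}"


# Fingerprint reported in the article. 5840 is the classic default initial
# window of older Linux kernels, and 2-4-8-1-3 is MSS, SACK-permitted,
# timestamps, NOP, window scale: the option order those kernels emit.
TARGET_FINGERPRINT = "5840_2-4-8-1-3_1460_1"


def fingerprint_share(syns: Iterable[SynParams],
                      fingerprint: str = TARGET_FINGERPRINT) -> Tuple[float, List[str]]:
    """Return (fraction of SYNs matching the fingerprint, sorted matching source IPs)."""
    syns = list(syns)
    counts = Counter(ja4t(s) for s in syns)
    total = sum(counts.values())
    share = counts[fingerprint] / total if total else 0.0
    hosts = sorted({s.src_ip for s in syns if ja4t(s) == fingerprint})
    return share, hosts


# Constructed sample: nine hosts with the article's fingerprint and one host
# with a fingerprint typical of a different TCP stack.
SAMPLE_SYNS = [
    SynParams(f"192.0.2.{i}", 5840, (2, 4, 8, 1, 3), 1460, 1) for i in range(1, 10)
] + [SynParams("192.0.2.50", 65535, (2, 1, 3, 1, 1, 4), 1460, 6)]


if __name__ == "__main__":
    share, hosts = fingerprint_share(SAMPLE_SYNS)
    print(f"{share:.0%} of SYNs match {TARGET_FINGERPRINT}")
    for ip in hosts:
        print("  ", ip)
```

In practice the `SynParams` records would be filled from a packet capture or flow telemetry; the share function then gives the same “what fraction of this ISP’s traffic looks like one device model” measure the article describes, and the host list is a starting point for the blocking and auditing steps below.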
Global Pattern Emerges
Expanding their investigation globally, researchers identified approximately 500 IP addresses worldwide exhibiting similar behavioral patterns, including telnet login attempts using weak credentials, high session volumes, and scanning behavior aligned with known Mirai variants.
VOIP devices represent attractive targets for cybercriminals because they frequently operate on outdated Linux-based firmware with telnet access enabled by default, are internet-facing, receive minimal monitoring, and are infrequently updated with security patches.
Sudden Traffic Cessation Raises Questions
In an intriguing development, malicious traffic from the New Mexico utility completely ceased shortly after a GreyNoise team member posted about the activity on social media.
While potentially coincidental, the timing suggests threat actors may actively monitor their exposure on security platforms.
Recommendations for Defenders
Security experts recommend organizations block identified malicious IP addresses, audit telnet exposure, particularly on VOIP systems, and rotate or disable default credentials on edge devices.
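The following added example (not GreyNoise’s tooling, and not code from the original article) implements two of those recommendations on constructed data: it flags telnet sources that fail logins repeatedly within a short window, emits them as a blocklist, and audits a device inventory for hosts that still expose telnet. The `telnetd: login failed user=... from=...` log format, the sample log lines, the inventory records and all addresses other than 137.118.82.76 (which the article names) are constructed for the example.

```python
"""Flag telnet brute-force sources from auth logs and audit telnet exposure."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Constructed syslog-style lines in a hypothetical telnetd failure format.
SAMPLE_LOG = """\
2025-07-01T10:00:01Z voip-gw1 telnetd: login failed user=admin from=137.118.82.76
2025-07-01T10:00:05Z voip-gw1 telnetd: login failed user=root from=137.118.82.76
2025-07-01T10:00:09Z voip-gw1 telnetd: login failed user=admin from=137.118.82.76
2025-07-01T10:00:14Z voip-gw1 telnetd: login failed user=user from=137.118.82.76
2025-07-01T10:00:20Z voip-gw1 telnetd: login failed user=support from=137.118.82.76
2025-07-01T10:00:27Z voip-gw1 telnetd: login failed user=root from=137.118.82.76
2025-07-01T10:01:00Z voip-gw1 telnetd: login failed user=admin from=203.0.113.9
2025-07-01T10:01:30Z voip-gw1 telnetd: login failed user=admin from=203.0.113.9
2025-07-01T10:00:00Z voip-gw2 telnetd: login failed user=root from=198.51.100.4
2025-07-01T10:15:00Z voip-gw2 telnetd: login failed user=root from=198.51.100.4
2025-07-01T10:30:00Z voip-gw2 telnetd: login failed user=root from=198.51.100.4
2025-07-01T10:45:00Z voip-gw2 telnetd: login failed user=root from=198.51.100.4
2025-07-01T11:00:00Z voip-gw2 telnetd: login failed user=root from=198.51.100.4
2025-07-01T11:00:05Z voip-gw2 kernel: link up on eth0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) telnetd: login failed "
    r"user=(?P<user>\S+) from=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse(lines: Iterable[str]):
    """Yield (timestamp, host, user, source_ip) for lines that match; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        yield ts, m["host"], m["user"], m["ip"]


def brute_force_sources(lines: Iterable[str], threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> Dict[str, List[str]]:
    """Return {source_ip: sorted usernames tried} for sources with at least
    `threshold` failed logins inside any `window`-long span.

    Slow, spread-out failures below the rate stay out of the result, so a
    single mistyped password does not land a legitimate admin on the list.
    """
    events = defaultdict(list)
    for ts, _host, user, ip in parse(lines):
        events[ip].append((ts, user))
    flagged: Dict[str, List[str]] = {}
    for ip, evs in events.items():
        evs.sort()
        for i in range(len(evs)):
            j = i
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            if j - i >= threshold:
                flagged[ip] = sorted({u for _, u in evs})
                break
    return flagged


def blocklist(flagged: Dict[str, List[str]]) -> List[str]:
    """Render flagged sources as /32 entries for a firewall or edge ACL."""
    return [f"{ip}/32" for ip in sorted(flagged)]


# Constructed inventory as an asset database or port scan might report it.
SAMPLE_INVENTORY = [
    {"ip": "192.0.2.10", "role": "voip-gateway", "open_ports": {22, 23, 5060}},
    {"ip": "192.0.2.11", "role": "voip-phone", "open_ports": {80, 5060}},
    {"ip": "192.0.2.12", "role": "router", "open_ports": {23}},
]


def telnet_exposed(inventory: Iterable[dict]) -> List[str]:
    """Return the IPs of devices still listening on TCP/23, sorted."""
    return sorted(d["ip"] for d in inventory if 23 in d["open_ports"])


if __name__ == "__main__":
    flagged = brute_force_sources(SAMPLE_LOG.splitlines())
    for ip, users in flagged.items():
        print(f"{ip}: {len(users)} usernames tried -> {users}")
    print("blocklist:", blocklist(flagged))
    print("telnet still exposed:", telnet_exposed(SAMPLE_INVENTORY))
```

The window-based threshold is deliberate: the article describes high session volumes and repeated weak-credential attempts, so the detection keys on rate rather than on any single failure, and the exposure audit is what tells you which of your own devices would be worth a bot’s attention in the first place.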
GreyNoise is developing enhanced dynamic IP blocklists to help defenders respond more rapidly to emerging threats.
This investigation demonstrates how seemingly localized security incidents can reveal broader global threat patterns, emphasizing the importance of continuous monitoring and analysis of internet traffic anomalies.