
Unauthorized Accesses to Cisco Small Business Routers, Linksys, and Araknis Result in Increased Scans

Malicious HTTP scanning activities on a large scale have been traced back to about 2,200 compromised small business routers, made by various vendors.

Scanning traffic from compromised Cisco Small Business, Linksys, and Araknis routers is increasing as a result of the hacking activity.


In August 2025, a significant IoT botnet attack was identified targeting small business routers from the Cisco Small Business RV series, the Linksys LRT series, and Araknis Networks AN-300-RT-4L2W devices. The geographic distribution of the malicious traffic follows a pattern consistent with the market penetration of the targeted device models: the United States leads in affected devices, but the campaign has achieved global reach.

Over 2,200 of these compromised routers are actively involved in malicious scanning activities as part of ongoing IoT botnet attacks. These devices, due to vulnerabilities and poor security practices like outdated firmware and default credentials, remain targets for attackers to conscript into IoT botnets. The botnets built from such compromised devices contribute to hundreds of DDoS events daily, with some attacks surpassing multiple terabits per second, as seen with large botnets like "Rapper Bot."

The attack infrastructure demonstrates sophisticated command and control (C2) capabilities, and the scanning behavior suggests the compromised devices are being used for potential target identification for lateral movement or data exfiltration. The malicious activities began escalating on July 30th, 2025.

Specifically, these router models have been compromised and exploited at scale in 2025, with attackers conducting scanning and brute-force attacks to expand their botnets. The exploitation techniques include scanning for open ports, leveraging known CVEs, and brute-forcing Telnet or admin access, reflecting tactics associated with Mirai variants and other IoT malware.

Network defenders should monitor for anomalous outbound traffic patterns from Cisco RV series routers (models including RV042, RV082, RV320, RV325), Linksys LRT series devices, and Araknis Networks equipment. Security teams are advised to correlate internal network logs with Shadowserver's IP reputation feeds and configure intrusion detection systems (IDS) to alert on suspicious outbound scanning activities originating from network infrastructure devices.

The highest concentration of malicious traffic originates from IP address ranges associated with small and medium businesses. The botnet operators are leveraging compromised routers to perform HTTP GET requests and port scanning activities, with a focus on web application endpoints vulnerable to exploitation. The Shadowserver Foundation's honeypot data shows scanning activities targeting TCP ports 80, 443, 8080, and 8443.
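The detection advice above (alert on outbound scanning that originates from network infrastructure devices, correlate with a reputation feed, watch TCP 80/443/8080/8443) can be turned into a small flow-log check. The example below is added here and is not from the article or from Shadowserver; the router inventory, the reputation-hit set, the flow-record format and the flow lines are all constructed, and it assumes flows are captured on the LAN side so the router's own address appears as a source only for traffic the router itself originates.

```python
"""Flag infrastructure devices that originate web-port scanning (added example)."""
from collections import defaultdict

# TCP ports the Shadowserver honeypot data shows being scanned (from the article).
SCANNED_PORTS = {80, 443, 8080, 8443}
# Hypothetical asset inventory: LAN-side addresses of the routers being watched.
ROUTER_IPS = {"192.0.2.1", "192.0.2.2"}
# Hypothetical stand-in for an IP reputation feed (constructed, not real data).
REPUTATION_HITS = {"192.0.2.1"}

def parse_flow(line):
    """Parse a constructed flow record: '<ts> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto.lower()}

def detect_outbound_scanning(lines, min_hosts=5):
    """Alert when a router's own address contacts >= min_hosts distinct hosts on web ports."""
    # Assumes LAN-side capture: the router is the source only for traffic it originates.
    seen = defaultdict(set)  # src -> {(dst, dport)}
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["src"] in ROUTER_IPS and f["proto"] == "tcp" and f["dport"] in SCANNED_PORTS:
            seen[f["src"]].add((f["dst"], f["dport"]))
    alerts = []
    for src, pairs in sorted(seen.items()):
        hosts = {dst for dst, _ in pairs}
        if len(hosts) >= min_hosts:  # a router legitimately talks to only a few web hosts
            alerts.append({"src": src, "distinct_hosts": len(hosts),
                           "ports": sorted({p for _, p in pairs}),
                           "in_reputation_feed": src in REPUTATION_HITS})
    return alerts

# Constructed sample: 192.0.2.1 sweeps six hosts on 80/8080, 192.0.2.2 makes one
# firmware-check style connection, and a workstation (not infrastructure) is ignored.
SAMPLE_FLOWS = """
2025-07-30T10:00:01Z 192.0.2.1 203.0.113.5 80 tcp
2025-07-30T10:00:01Z 192.0.2.1 203.0.113.6 80 tcp
2025-07-30T10:00:02Z 192.0.2.1 203.0.113.7 8080 tcp
2025-07-30T10:00:02Z 192.0.2.1 203.0.113.8 80 tcp
2025-07-30T10:00:03Z 192.0.2.1 203.0.113.9 8080 tcp
2025-07-30T10:00:03Z 192.0.2.1 203.0.113.10 80 tcp
2025-07-30T10:00:04Z 192.0.2.2 198.51.100.20 443 tcp
2025-07-30T10:00:05Z 192.0.2.50 198.51.100.30 443 tcp
"""
```

Running `detect_outbound_scanning(SAMPLE_FLOWS.splitlines())` yields a single alert for 192.0.2.1 (six distinct hosts, ports 80 and 8080, present in the reputation set); the threshold should be tuned to how many web hosts a given router legitimately contacts for updates and telemetry.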

Mitigation requires patching, disabling Telnet, changing default administrative credentials, and active monitoring. Organizations operating affected device models should immediately implement firmware updates, change default administrative credentials, and deploy network segmentation to limit potential lateral movement. The ongoing campaign highlights the critical importance of IoT security hygiene and proactive vulnerability management for network infrastructure components.
