Federal authorities dismantled four botnets controlling over three million compromised IoT devices last week, exposing a fundamental misalignment between how organizations secure networks and how attackers actually weaponize them. The Aisuru, Kimwolf, JackSkid and Mossad botnets orchestrated record-breaking DDoS attacks not through sophisticated zero-days or advanced persistent threats, but by exploiting the same predictable IoT vulnerabilities that security teams have deprioritized for years. This disconnect between perceived and actual risk surfaces a broken assumption: that IoT devices represent a manageable edge case rather than critical attack infrastructure.
Asset Inventories Miss What Attackers Actually Target
Security teams build asset inventories by cataloging devices they purchased and deployed. This approach captures servers, workstations, and managed endpoints while systematically excluding the shadow IoT infrastructure that powers modern attacks. The three million devices in these botnets were not exotic targets. They were consumer routers running outdated firmware, IP cameras with default credentials, and network video recorders exposed through UPnP.
Attackers scan for devices by service fingerprints, not procurement records. They target Realtek SDK implementations vulnerable to CVE-2021-35395, not specific router models. They exploit devices running BusyBox with exposed Telnet, not entries in your CMDB. The gap between what defenders inventory and what attackers compromise explains why botnets achieve scale while organizations claim strong asset management.
Traditional discovery tools probe RFC1918 space and known subnets. Botnet operators scan the entire IPv4 space for specific service banners. When a contractor installs a wireless camera system that auto-configures port forwarding, it exists in the attacker's inventory before it appears in yours. The same logic that makes shadow IT a governance problem makes shadow IoT an attack surface problem, except IoT devices ship with remote code execution vulnerabilities instead of just compliance gaps.
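The inventory gap described above is concrete enough to test for. The following added example (not Sprocket's code, and the fingerprint rules, log data and addresses are constructed assumptions) takes service observations gathered from your own network, classifies them by the banner classes the text mentions (BusyBox with exposed Telnet, UPnP responders, camera/NVR services), and reports the ones that have no corresponding CMDB entry.

```python
"""Reconcile service fingerprints observed on the network against a
procurement-based asset inventory, flagging devices that exist for an
attacker but not for the CMDB. Added example with constructed rules and data."""
import re
from dataclasses import dataclass


@dataclass
class Observation:
    ip: str
    port: int
    proto: str
    banner: str


# Illustrative fingerprint rules (assumed): (port, regex over banner, device class)
FINGERPRINTS = [
    (23, re.compile(r"BusyBox", re.I), "embedded Linux (BusyBox) with Telnet exposed"),
    (1900, re.compile(r"UPnP/1\.\d", re.I), "UPnP/SSDP responder (port-forwarding capable)"),
    (554, re.compile(r"RTSP/1\.0", re.I), "IP camera / NVR RTSP service"),
    (80, re.compile(r"Server:\s*(Boa|GoAhead|lighttpd)", re.I), "embedded web UI"),
]


def classify(obs):
    """Return the device class for an observation, or None if no rule matches."""
    for port, pattern, label in FINGERPRINTS:
        if obs.port == port and pattern.search(obs.banner):
            return label
    return None


def reconcile(observations, cmdb_ips):
    """Every fingerprinted service, annotated with whether its host is in the CMDB."""
    findings = []
    for obs in observations:
        label = classify(obs)
        if label is None:
            continue
        findings.append({
            "ip": obs.ip,
            "port": obs.port,
            "class": label,
            "in_cmdb": obs.ip in cmdb_ips,
        })
    return findings


def shadow_iot(observations, cmdb_ips):
    """Only the fingerprinted services whose host the inventory does not know about."""
    return [f for f in reconcile(observations, cmdb_ips) if not f["in_cmdb"]]


# Constructed sample observations (RFC 1918 addresses, invented banners)
SAMPLE_OBSERVATIONS = [
    Observation("10.20.1.5", 22, "tcp", "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3"),
    Observation("10.20.7.44", 23, "tcp", "\r\nBusyBox v1.19.3 built-in shell (ash)\r\n"),
    Observation("10.20.7.44", 1900, "udp",
                "HTTP/1.1 200 OK\r\nSERVER: Linux/2.6 UPnP/1.0 miniupnpd/1.9\r\n"),
    Observation("10.20.7.51", 554, "tcp", "RTSP/1.0 401 Unauthorized\r\n"),
    Observation("10.20.7.51", 80, "tcp", "HTTP/1.1 200 OK\r\nServer: Boa/0.94.14rc21\r\n"),
    Observation("10.20.1.9", 80, "tcp", "HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\n"),
]
# Constructed CMDB: 10.20.7.44 was never purchased on record
CMDB_IPS = {"10.20.1.5", "10.20.1.9", "10.20.7.51"}

if __name__ == "__main__":
    for finding in shadow_iot(SAMPLE_OBSERVATIONS, CMDB_IPS):
        print(finding)
```

The point of keying on banners rather than hostnames or MAC vendors is that it mirrors how the devices are actually found from outside: a camera that was installed by a contractor and never entered into the CMDB still answers on 554 and 1900, and that answer is what gets it recruited.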
Network Segmentation Breaks Against Devices Designed to Bridge Networks
Organizations segment IoT devices into isolated VLANs believing this contains the blast radius of compromise. This strategy assumes IoT devices behave like traditional endpoints that require lateral movement to impact other systems. Modern IoT malware demonstrates why this assumption fails.
The Mirai variant that powered these botnets includes modules specifically designed to bypass network segmentation. Once infected, devices scan local subnets for additional targets using protocols like ARP and SSDP that segmentation explicitly allows. They establish command and control through DNS tunneling, bypassing egress controls. Most critically, they turn segmented devices into pivot points by exploiting their legitimate network bridging functions.
Consider how a compromised IP camera typically operates. It maintains connections to cloud management platforms, local NVR systems, and often includes P2P functionality for remote access. Each connection represents a potential pivot path that exists by design. When malware compromises the device, it inherits these legitimate communication channels. The segmentation that was supposed to contain the device becomes the very mechanism that enables lateral movement.
MITRE ATT&CK technique T1098.004 (SSH Authorized Keys) appears in modern IoT malware specifically to establish persistence across network boundaries. Attackers do not need to break out of your IoT VLAN when the devices themselves are designed to communicate across segments. The architectural assumption that network boundaries contain compromise fails when the compromised assets exist specifically to bridge those boundaries.
Detection Strategies Assume IoT Devices Generate Predictable Traffic
Security teams deploy network behavior analytics expecting to detect anomalous IoT activity through baseline deviations. This approach works for servers with predictable communication patterns but fails against IoT devices that exhibit chaotic network behavior by default. A smart thermostat contacting new cloud endpoints, a camera increasing its bandwidth usage, or a router making additional DNS queries all fall within normal operational parameters.
The botnets dismantled by federal authorities generated massive DDoS traffic by having each device contribute small amounts of bandwidth. A compromised camera sending an extra 50 Mbps of traffic during an attack blends into the noise of legitimate video streaming. Multiply this across millions of devices and you have record-breaking attack capacity that remains invisible at the individual device level.
Modern IoT malware further evades detection by mimicking legitimate traffic patterns. The Kimwolf botnet used a technique where infected devices would encode command and control traffic within legitimate DNS queries to common domains. From a network monitoring perspective, a compromised device looks identical to a legitimate one checking for firmware updates or synchronizing with cloud services.
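The DNS-based command and control described here, and the DNS tunneling mentioned in the segmentation section above, cannot be caught by inspecting a single query, but it does leave a per-source signature. The following added example (not Sprocket's or any botnet's code; the log format, domain names and thresholds are constructed assumptions) scores each source by how many distinct subdomains it asks for under one base domain, how long those labels are, and their Shannon entropy.

```python
"""Heuristics for spotting C2 hidden inside otherwise ordinary DNS queries:
per-source subdomain cardinality, label length and Shannon entropy.
Added example over constructed log lines; thresholds are assumptions."""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s):
    """Bits per character of s; random-looking labels score higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname, base_labels=3):
    """Split 'x.y.cloud.example.net' into ('x.y', 'cloud.example.net').
    Assumption for this example: the registered domain is the last three labels."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-base_labels]), ".".join(labels[-base_labels:])


def parse_line(line):
    # Constructed log format: "<timestamp> <src_ip> <qtype> <qname>"
    ts, src, qtype, qname = line.split()
    return {"ts": ts, "src": src, "qtype": qtype, "qname": qname}


def profile_sources(lines):
    """Per source, per base domain: the set of subdomains seen and their lengths/entropies."""
    stats = defaultdict(lambda: defaultdict(lambda: {"subs": set(), "lens": [], "ents": []}))
    for line in lines:
        rec = parse_line(line)
        sub, base = split_name(rec["qname"])
        if not sub:  # bare base-domain lookup carries nothing to encode
            continue
        s = stats[rec["src"]][base]
        s["subs"].add(sub)
        s["lens"].append(len(sub))
        s["ents"].append(shannon_entropy(sub))
    return stats


def flag_tunnels(lines, min_unique=8, min_mean_len=16, min_mean_entropy=3.0):
    """Flag (source, base domain) pairs whose subdomain usage looks like data, not names."""
    flagged = []
    for src, bases in profile_sources(lines).items():
        for base, s in bases.items():
            n = len(s["subs"])
            mean_len = sum(s["lens"]) / len(s["lens"])
            mean_ent = sum(s["ents"]) / len(s["ents"])
            if n >= min_unique and mean_len >= min_mean_len and mean_ent >= min_mean_entropy:
                flagged.append({"src": src, "base": base, "unique_subdomains": n,
                                "mean_label_len": round(mean_len, 1),
                                "mean_entropy": round(mean_ent, 2)})
    return flagged


def _chunk_label(i):
    # Constructed stand-in for an encoded C2 chunk: 24 hex chars of a hash
    return hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:24]


# Constructed sample log: one camera emitting encoded chunks under the same
# cloud domain its healthy neighbour uses for ordinary lookups.
SAMPLE_LOG = (
    [f"2025-01-10T08:00:{i:02d}Z 10.20.7.44 A {_chunk_label(i)}.cloud.example.net"
     for i in range(20)]
    + [f"2025-01-10T08:01:0{i}Z 10.20.7.51 A {name}.cloud.example.net"
       for i, name in enumerate(["firmware", "api", "time", "www", "firmware"])]
    + ["2025-01-10T08:02:00Z 10.20.1.5 A www.example.org"]
)

if __name__ == "__main__":
    for hit in flag_tunnels(SAMPLE_LOG):
        print(hit)
```

The healthy camera queries the same base domain and is not flagged: it repeats a handful of short, dictionary-like labels. All three conditions are required together because any one of them alone has legitimate explanations (CDNs use long hashed hostnames, firmware servers have many subdomains), and the thresholds would need tuning against your own resolver logs.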
Behavioral detection assumes you can distinguish between normal and abnormal. IoT devices break this assumption by having no consistent normal. They update at random intervals, contact new endpoints as services migrate, and generate traffic spikes based on environmental triggers. The same variability that makes IoT devices difficult to manage makes them perfect cover for malicious activity. When everything looks anomalous, nothing does.
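The argument above, that a per-device baseline cannot see a camera contributing a modest extra stream, can be shown directly. The following added example (not Sprocket's code; the device profiles, flow records, thresholds and 203.0.113.0/24 addresses are constructed assumptions) runs a conventional baseline-deviation rule and a fleet-level correlation rule over the same flow records: the first stays silent, the second surfaces six devices that simultaneously started sending to a destination none of them had ever used.

```python
"""Why per-device baselines miss DDoS participation and how a fleet-level
view catches it. Added example over constructed flow records."""
from collections import defaultdict

# Constructed per-device profiles: steady-state egress and the destinations
# each device is expected to talk to (its cloud platform and the local NVR).
CAMERAS = [f"cam{n:02d}" for n in range(1, 7)]
PROFILES = {cam: {"baseline_mbps": 40.0,
                  "known_dsts": {"cloud.example.net", "10.20.7.2"}} for cam in CAMERAS}
PROFILES["srv01"] = {"baseline_mbps": 10.0, "known_dsts": {"backup.example.net"}}

# Constructed flow records: (window, src, dst, mbps). In window t1 every camera
# adds roughly 50 Mbps towards one previously unseen destination.
FLOWS = (
    [("t0", cam, "cloud.example.net", 40.0) for cam in CAMERAS]
    + [("t1", cam, "cloud.example.net", 40.0) for cam in CAMERAS]
    + [("t1", cam, "203.0.113.10", 50.0) for cam in CAMERAS]
    + [("t1", "srv01", "198.51.100.7", 12.0)]
)


def per_device_alerts(flows, profiles, factor=2.5):
    """Classic baseline deviation: alert when one flow exceeds factor x the device baseline."""
    return [(w, src, dst, mbps) for w, src, dst, mbps in flows
            if mbps > profiles[src]["baseline_mbps"] * factor]


def device_window_totals(flows):
    """Total egress per (window, src); even summed, each camera stays under its threshold."""
    totals = defaultdict(float)
    for w, src, _, mbps in flows:
        totals[(w, src)] += mbps
    return dict(totals)


def fleet_alerts(flows, profiles, min_devices=5):
    """Correlate across devices: count distinct sources sending, in the same window,
    to a destination that is new for each of them. Many small contributors to one
    new target is the signal that no single-device rule can see."""
    contributors = defaultdict(set)
    for w, src, dst, _ in flows:
        if dst in profiles[src]["known_dsts"]:
            continue
        contributors[(w, dst)].add(src)
    return {key: sorted(srcs) for key, srcs in contributors.items()
            if len(srcs) >= min_devices}


if __name__ == "__main__":
    print("per-device:", per_device_alerts(FLOWS, PROFILES))
    print("fleet:", fleet_alerts(FLOWS, PROFILES))
```

Each camera's total in t1 is 90 Mbps against a 100 Mbps trigger, so the device-level rule never fires; the fleet rule fires because the set of devices adopting the same new destination at once is the anomaly, not any one device's bandwidth. The server's lone new destination is correctly ignored. In practice the "known destinations" set would come from an observation period rather than being hand-written.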
Most Organizations Calculate IoT Risk by Evaluating What Attackers Could Do to Their Business Through Compromised Devices
That framing misses the liability exposure that comes from what attackers do to others using your devices as infrastructure. When the next coordinated DDoS attack disrupts critical services, the question will not be whether your IoT devices were targets. It will be whether they were participants.
The four botnets dismantled last week will be replaced. The vulnerabilities that built them have not changed, and neither has the calculus that makes IoT devices attractive to botnet operators: massive scale, minimal defenses, and owners who never know they're participants. Reducing that exposure starts with knowing what's on your network — including what your current tools aren't finding. Get started with Sprocket's ASM Community Edition today for full visibility from an attacker's point of view.