A cooperative law enforcement operation undertaken by Dutch and U. S. authorities has dismantled a criminal proxy network that’s powered by thousands of infected Internet of Things ( IoT ) and end-of-life ( EoL ) devices, enlisting them into a botnet for providing anonymity to malicious actors.
In conjunction with the site arrest, Russian citizens, Alexey Viktorovich Chertkov, 37, Kirill Vladimirovich Morozov, 41, Aleksandr Aleksandrovich Shishkin, 36, and Dmitriy Rubtsov, 38, a Kazakhstani nationwide, have been by the U. S. Department of Justice ( DoJ) for operating, maintaining, and profiting from the proxy services.
The DoJ noted that people paid a monthly subscription fee, ranging from$ 9. 95 to$ 110 per month, netting the threat actors more than$ 46 million by selling access to the infected routers. The company is believed to have been available since 2004.
It even said the U. S. Federal Bureau of Investigation ( FBI ) found business and residential routers in Oklahoma that had been hacked to install malware without the users ‘ knowledge.
” A weekly average of 1,000 unique bots in contact with the command-and-control ( C2 ) infrastructure, located in Turkey,” Lumen Technologies Black Lotus Labs said in a shared with The Hacker News. ” Over half of these patients are in the United States, with Canada and Ecuador showing the following two highest numbers. “
The service in question – anyproxy. gross and 5socks. gross – have been disrupted as part of an effort codenamed Operation Moonlander. Lumen told The Hacker News that both the websites point to the” equal malware, selling under two different named service. “
Images on the Internet Archive display that 5socks. online advertised “more than 7,000 online proxies everyday” spanning several countries and says of the U. S. , enabling risk actors to anonymously take out a wide range of illegal action in exchange for a cryptocurrency payment.
Lumen said the affected products were infected with a malware called , which has also fueled another criminal proxy service referred to as . The organization has even taken the step of disrupting the system by zero routing all visitors to and from their recognized control points.
” The two companies were basically the same pool of intermediaries and C2s, and besides that malware, they were using a variety of exploits that were important against EoL tools,” Lumen told The Hacker News. ” But the proxy companies themselves are related [to Faceless]. “
It is suspected that the providers of the bot relied on known exploits to misconduct EoL products and wire them into the surrogate botnet. Recently added bots have been found to call a Turkey-based C2 system consisting of five servers, out of which four are designed to connect with the infected victims on port 80.
” One of these 5 servers uses UDP on interface 1443 to obtain target prospects, while not sending any in return,” the cybersecurity firm said. ” We suspect this site is used to store information from their patients. “
In an advisory issued by the FBI Thursday, the agency the threat actors behind the bots have exploited known security vulnerabilities in internet-exposed devices to install malware that offers frequent remote access.
The FBI also pointed out that the EoL routers have been compromised with a variant of TheMoon malware, permitting the threat actors to deploy proxy software on the devices and help carry cyber crimes privately. TheMoon was by the SANS Technology Institute in 2014 in attacks targeting Linksys routers.
” TheMoon does not require a password to infect routers; it scans for open ports and sends a command to a vulnerable script,” the FBI . ” The malware contacts the command-and-control ( C2 ) server and the C2 server responds with instructions, which may include instructing the infected machine to scan for other vulnerable routers to spread the infection and expand the network. “
When users purchase a proxy, they receive an IP and port combination for connection. Just like in the case of , the service lacks any additional authentication once activated, making it ripe for abuse. It has been found that 5socks. net has been used to conduct ad fraud, DDoS and brute-force attacks, and exploit victim’s data.
To mitigate the risks posed by such proxy botnets, users are advised to regularly reboot routers, install security updates, change default passwords, and upgrade to newer models once they reach EoL status.
” Proxy services have and will continue to present a direct threat to internet security as they allow malicious actors to hide behind unsuspecting residential IPs, complicating detection by network monitoring tools,” Lumen said.
” As a vast number of end-of-life devices remain in circulation, and the world continues to adopt devices in the’ Internet of Things,’ there will continue to be a massive pool of targets for malicious actors. “