Law enforcement takes down proxy botnets used by criminals

US and Dutch law enforcement, with the help of Lumen researchers, have disrupted 5socks and Anyproxy, two proxy-for-rent services that criminals used for ad fraud, DDoS and brute-force attacks, among other things.

[Image: the domain seizure notice for 5socks and Anyproxy]

The US Department of Justice has also unsealed an indictment against three Russian and one Kazakhstani national, who allegedly maintained, operated, and profited from the two services.

“The 5socks.net website advertised more than 7,000 proxies for sale worldwide, including in the United States. Users paid a monthly subscription fee, ranging from $9.95 to $110 per month. The website’s slogan, ‘Working since 2004!’, indicates that the service has been available for more than 20 years,” US DoJ says.

“The defendants are believed to have amassed more than $46 million from selling access to the infected routers that were part of the Anyproxy botnet.”

Disruption

Last Wednesday, the FBI’s Internet Crime Complaint Center (IC3) published a public service announcement warning about cyber criminal proxy services exploiting end-of-life routers, which no longer receive software updates or security patches.

The devices have been compromised with TheMoon malware, which is able to scan for other vulnerable routers to spread the infection and expand the network. It also allows the operators of the botnet to install proxy software (“proxyware”) on them.

“The malware communicates with a command and control (C2) server through a two-way handshake between the server and the router that does regular check-ins with the devices and also opens ports to make them available to users as proxy servers,” IC3 explained.

Researchers with Lumen’s Black Lotus Labs helped law enforcement track the two criminal proxy networks as part of “Operation Moonlander” and disrupt them when the time was right by null routing all traffic to and from their C2 servers.

The proxy networks’ website domains were managed by a company headquartered in Virginia, and hosted on computer servers worldwide. The C2 servers were located in Turkey (Türkiye).

The compromised older-model wireless internet routers are located around the world, but predominantly in the US, Canada, and Latin America.

“By targeting IoT and SOHO devices in the residential IP space, cybercriminals create a veil of legitimacy for their traffic that complicates tracking and mitigation efforts,” the researchers noted.

“Black Lotus Labs can see a wide variety of infected IoT device types, indicating this botnet is likely using several exploits to obtain new victims, though we do not assess the operators are using zero or one-day vulnerabilities at this time. Instead, we believe they rely on exploits that have been around for years, corresponding with their focus on unpatched or EoL devices.”

Advice for users and defenders

The four foreign nationals may have been indicted, but the DoJ makes no mention of them having been arrested. They have been charged with Conspiracy and Damage to Protected Computers, and two of them also with False Registration of a Domain Name. The two domains have been seized by US DoJ.

Lumen researchers have not released details on the malware used by the crooks, “as the devices abused by the proxy service are easy to exploit and can be targeted again by others.”

The FBI has advised users of end-of-life devices to replace them with newer models or, if that’s not possible, to log in to their devices’ settings, disable remote administration/management of the devices and to reboot them.

Rebooting routers regularly is a good idea, as much of the malware aimed at them has no mechanism to persist across a reboot.

Corporate network defenders should keep their blocklists of known open proxies and residential proxy networks up to date, and block traffic to and from those IP addresses.
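As an added illustration of that advice (this is example code written for this page, not a tool from the FBI, Lumen or Black Lotus Labs), the script below matches firewall log lines against a defender-maintained blocklist of proxy network ranges. The log format, the CIDR ranges (taken from the RFC 5737 documentation address blocks) and the sample lines are all constructed assumptions; a real deployment would pull the ranges from a threat-intelligence feed and read the logs from the firewall or SIEM.

```python
"""Match firewall log lines against a blocklist of known proxy network ranges.

Added example, not from the article. All addresses and log lines below are
constructed sample data (RFC 5737 documentation ranges), not real infrastructure.
"""
import ipaddress
import re

# Constructed blocklist: CIDR ranges a defender would maintain from a feed of
# known open-proxy / residential-proxy networks. Mixed prefix lengths are
# deliberate: a /25 only covers .0-.127, so .200 in that /24 is NOT listed.
PROXY_BLOCKLIST = [
    "192.0.2.0/24",
    "198.51.100.0/25",
    "203.0.113.42/32",
]

# Constructed firewall log lines in an assumed "key=value" format.
SAMPLE_LOGS = [
    "2025-05-12T10:01:00Z src=192.0.2.17 dst=10.0.0.5 dport=443 action=allow",
    "2025-05-12T10:01:05Z src=198.51.100.200 dst=10.0.0.5 dport=443 action=allow",
    "2025-05-12T10:01:09Z src=203.0.113.42 dst=10.0.0.8 dport=22 action=allow",
    "2025-05-12T10:01:12Z src=10.0.0.9 dst=203.0.113.42 dport=8080 action=allow",
    "2025-05-12T10:01:15Z src=203.0.113.7 dst=10.0.0.5 dport=53 action=allow",
]

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+)")


def load_blocklist(entries):
    """Parse CIDR strings into network objects, skipping malformed feed lines."""
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            continue  # a bad line in the feed should not abort the whole load
    return nets


def is_listed(ip_str, nets):
    """True if ip_str falls inside any blocklisted network."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # unparseable field: do not match, do not crash
    return any(ip in net for net in nets)


def scan_logs(lines, nets):
    """Return (line, direction, matched_ip) for every line touching a listed range.

    Inbound hits are connections from proxy ranges into the network; outbound
    hits are internal hosts talking to proxy ranges, which is also worth a look.
    """
    hits = []
    for line in lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        if is_listed(match["src"], nets):
            hits.append((line, "inbound", match["src"]))
        elif is_listed(match["dst"], nets):
            hits.append((line, "outbound", match["dst"]))
    return hits


if __name__ == "__main__":
    blocklist = load_blocklist(PROXY_BLOCKLIST)
    for line, direction, ip in scan_logs(SAMPLE_LOGS, blocklist):
        print(f"{direction:8} {ip:16} {line}")
```

Two design points: the blocklist loader tolerates malformed feed entries instead of failing closed on the whole list, and the scan reports outbound as well as inbound matches, since an internal host connecting into a residential proxy range is a signal in its own right. The linear `any(ip in net ...)` check is fine for a few hundred ranges; for a feed of many thousands, index the networks by prefix instead.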
