Dutch police disrupts botnet composed of 17 million devices
The Dutch National Police and the country’s National Cyber Security Center (NCSC) have taken offline 200 servers controlling a botnet of 17 million devices, the law enforcement agency announced on Thursday.
The investigation was launched after the NCSC received a report from a security researcher, and showed that the botnet consisted of at least 17 million infected devices – computers, mobile phones, IoT devices, routers, etc. – and that the 200 servers used to host the infrastructure were physically located in the Netherlands.
The cybercrime unit of the Hague police seized the botnet’s servers from the hosting provider, and the botnet was taken offline by the provider because it was used for criminal purposes, the Dutch police said.
Malicious use of residential proxy networks
The law enforcement agency did not name the botnet in question, but Dutch news outlet NL Times reported that it’s part of the infrastructure underpinning Asocks, a commercial residential and mobile proxy service.
The day before the announcement, NCSC NL published a lengthy post about residential proxies and their use for malicious purposes: DDoS attacks, spamming, credential stuffing and brute-force attacks, click fraud and SMS pumping, and malware distribution.
“Because residential proxies use real, trusted IP addresses, malicious use of them is much more difficult to detect or block. Many security systems and websites trust traffic from residential proxy IPs more than traffic from data centers or anonymous VPNs. After all, the residential proxies belong to regular citizens who may just as well be an employee or a customer,” the NCSC explained.
“Residential proxies are used to maintain anonymity and circumvent geographical restrictions. In this way, a Dutch organization can be attacked with Dutch proxies that have similarities with ‘regular’ traffic, which makes it difficult to mitigate cybercrime.”
The NCSC also pointed out that while some users deliberately and knowingly install proxy software (aka proxyware), some do it unknowingly (e.g., if they install free software that comes bundled with it), or their devices are compromised with malware that installs a proxy function.
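The NCSC's point above is that controls keyed on IP reputation or per-IP rate limits are weak against proxied traffic, because each residential IP looks like a normal customer and only sends a handful of requests. The following is an added example, not code from the article or from NCSC, of detection logic that instead looks at the shape of the failed-login stream: many distinct accounts hit from many distinct source IPs, none of which is individually noisy, inside a short window. The log format, the sample lines and the thresholds are all constructed for illustration.

```python
"""Spot distributed credential stuffing without relying on IP reputation.

Added example (not from the article or NCSC). A classic per-IP threshold is
shown alongside a window-based detector so the difference is visible on the
same constructed input.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample auth log lines; the "user=/src=/result=" format is an
# assumption, not a real product's log format. The first eight lines model a
# low-and-slow burst spread across eight different source addresses.
SAMPLE_LOG = """\
2025-01-01T10:00:01Z user=alice src=203.0.113.10 result=fail
2025-01-01T10:00:02Z user=bob src=198.51.100.7 result=fail
2025-01-01T10:00:03Z user=carol src=192.0.2.44 result=fail
2025-01-01T10:00:04Z user=dave src=203.0.113.77 result=fail
2025-01-01T10:00:05Z user=erin src=198.51.100.23 result=fail
2025-01-01T10:00:06Z user=frank src=192.0.2.9 result=fail
2025-01-01T10:00:07Z user=grace src=203.0.113.201 result=fail
2025-01-01T10:00:08Z user=heidi src=198.51.100.88 result=fail
2025-01-01T10:00:09Z user=alice src=203.0.113.10 result=success
2025-01-01T11:30:00Z user=ivan src=192.0.2.100 result=fail
2025-01-01T11:30:05Z user=ivan src=192.0.2.100 result=fail
2025-01-01T11:30:09Z user=ivan src=192.0.2.100 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]}


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def per_ip_rate_limit_hits(events, threshold=3):
    """The control that proxied traffic evades: IPs with >= threshold failures."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "fail":
            counts[e["src"]] += 1
    return {ip for ip, n in counts.items() if n >= threshold}


def detect_distributed_stuffing(events, window=timedelta(minutes=5),
                                min_accounts=5, min_ips=5, max_attempts_per_ip=2):
    """Slide a time window over failed logins and raise one alert per burst in
    which many accounts are tried from many IPs with no single IP standing out.
    Thresholds are illustrative; tune them to the site's normal failure rate."""
    fails = sorted((e for e in events if e["result"] == "fail"), key=lambda e: e["ts"])
    alerts, active, start = [], None, 0
    for end in range(len(fails)):
        # Drop events that fell out of the window.
        while fails[end]["ts"] - fails[start]["ts"] > window:
            start += 1
        chunk = fails[start:end + 1]
        users = {e["user"] for e in chunk}
        per_ip = defaultdict(int)
        for e in chunk:
            per_ip[e["src"]] += 1
        qualifies = (len(users) >= min_accounts and len(per_ip) >= min_ips
                     and max(per_ip.values()) <= max_attempts_per_ip)
        if qualifies:
            if active is None:
                active = {"window_start": fails[start]["ts"]}
                alerts.append(active)
            # Keep extending the open alert while the burst continues.
            active.update(window_end=fails[end]["ts"],
                          accounts=len(users), source_ips=len(per_ip))
        else:
            active = None
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP threshold flags:", per_ip_rate_limit_hits(evs) or "nothing")
    for a in detect_distributed_stuffing(evs):
        print("distributed stuffing:", a)
```

On the constructed input the per-IP threshold flags nothing, because no address fails more than twice, while the window detector reports one burst covering eight accounts from eight addresses. The same idea extends to other signals the NCSC passage implies are more robust than source IP: device or TLS fingerprint reuse across many addresses, or an ASN mix that does not match the user base.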
Over the years, researchers with HUMAN Security’s Satori Threat Intelligence team flagged several proxy networks, and two years ago they pinpointed a code library responsible for many devices being surreptitiously enrolled in a proxy network.
The library, called PROXYLIB, was added to a popular software development kit (SDK) called LumiApps, used by developers to monetize the use of their apps.
“When a user registers an account on lumiapps[.]io, the headers from the confirmation email contain the domain bproxy[.]one, which no longer has an accessible web page. However, when searching for this domain on archive[.]org, there was a non-stylized version of the Asocks website as recently as February 23, 2023. As a result, Satori researchers have high confidence that the two services are connected and potentially owned or operated by the same threat actor,” HUMAN Security said at the time.
The residential proxy market is rather opaque, and many of the providers don’t make sure that the proxies in their network are used for legal purposes, Sekoia.io and Orange Cyberdefense researchers previously warned.
A year ago, US and Dutch law enforcement disrupted 5socks and Anyproxy, two proxy-for-rent services that were marketed to and used by criminals. Earlier this year, law enforcement agencies from several European countries and the US similarly dismantled the malicious proxy service SocksEscort.