Important Update: Dismantling of 7,000-Device IoT and EoL System Proxy Botnet in U.S. Executed by Dutch Authorities
A coordinated operation conducted by Dutch and U.S. law enforcement agencies has successfully dismantled a significant criminal proxy network comprised of thousands of compromised Internet of Things (IoT) and end-of-life (EoL) devices. This sophisticated botnet provided anonymity to malicious actors engaging in various illicit activities.
As part of this operation, four individuals were charged by the U.S. Department of Justice (DoJ) for their roles in operating and profiting from these proxy services: the Russian nationals Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, and Aleksandr Aleksandrovich Shishkin, and Dmitriy Rubtsov, a Kazakhstani national. The DoJ revealed that users subscribed to these services for a monthly fee ranging from $9.95 to $110, and that the services had accumulated over $46 million since their inception in 2004.
Investigations further revealed that the FBI had identified compromised business and residential routers in Oklahoma that had been infected with malware without their owners' knowledge. Lumen Technologies’ Black Lotus Labs reported a consistent average of 1,000 unique bots interacting with the command-and-control (C2) infrastructure, which is based in Turkey. Notably, over half of the compromised devices were located in the United States.
The affected services, notably anyproxy.net and 5socks.net, were targeted by Operation Moonlander, which aimed to disrupt this proxy network. Both platforms were determined to direct traffic through the same botnet while being offered under different names. Internet Archive snapshots indicated that 5socks.net promoted access to more than 7,000 online proxies from various regions, facilitating anonymous operations in exchange for cryptocurrency payments.
Lumen disclosed that the malware responsible for the infections was identified as TheMoon, which has connections to another criminal proxy service known as Faceless. The disruption efforts involved null routing traffic to and from known control points within the botnet’s infrastructure. Lumen clarified that although both services utilized similar proxies and C2s, they operated independently.
It is believed that the operators of this botnet exploited known vulnerabilities to compromise EoL devices, adding them to their proxy network. Newly compromised devices have been traced back to a C2 infrastructure consisting of five servers in Turkey, with most configured to communicate over standard ports.
An FBI advisory emphasized that the threat actors behind these botnets are leveraging known vulnerabilities in internet-exposed routers to install persistent malware, allowing them to conduct their operations clandestinely. This malware variant enables the installation of proxy software, facilitating anonymous cybercrime activities. TheMoon malware, first recorded by the SANS Technology Institute in 2014, exploits vulnerable Linksys routers without requiring user intervention.
When subscriptions to the proxy service are purchased, users receive an IP address and port combination for connection, similar to operations conducted by previously identified malicious networks. The lack of any additional authentication makes these services particularly susceptible to abuse, with confirmed instances of ad fraud, DDoS attacks, brute-force attacks, and data theft traced back to 5socks.net.
To mitigate risks associated with proxy botnets, it is essential for users to regularly reboot routers, install security updates, change default settings, and replace outdated devices. The ongoing presence of proxy services poses a direct threat to internet security, as they enable malicious actors to conceal their identities behind legitimate residential IP addresses, complicating detection efforts by cybersecurity tools.
Given the significant number of EoL devices still in use and the increasing adoption of IoT technology globally, the potential for exploitation remains high, providing a persistent target for nefarious actors. As the cybersecurity landscape evolves, it is imperative to remain vigilant against such emerging threats.