International Law Enforcement Partnership Eliminates Russian Botnet; Rogue proxy service was selling hacked IP addresses


The United States Department of Justice (DOJ), in partnership with law enforcement agencies from several European countries, has dismantled a major Russian botnet that had compromised millions of devices worldwide. The botnet essentially functioned as an underground proxy service for criminals, renting out IP addresses attached to its collection of hacked IoT devices, Android phones and computers.

Russian botnet rented access to thousands of proxies for as little as $30 a day

RSOCKS is a Russian botnet that has been active since at least 2014, when its handlers first started advertising it openly on the country’s underground forums. Over the years, the botnet has amassed millions of devices in its collection, initially focusing on compromising poorly secured Internet of Things (IoT) devices, but quickly moving on to Android phones/tablets and even computers.

Illegal actors have leased access to RSOCKS as a proxy service, primarily for brute force login/password guessing campaigns, masking traffic sources for phishing campaigns, and distributed denial of service (DDoS) attacks. It was as simple as visiting a dark web storefront that rented out varying amounts of proxies per day, ranging in price from $30 for 2,000 to $200 for 90,000.

Tom Garrubba (Risk, Cyber, and Privacy Executive, Shared Assessments) expands on the risk posed by these bogus proxy services, and explains why taking down one of the scale of the Russian botnet is a major cybersecurity victory: “…for some time. Botnets are so dangerous because they control large swaths of vulnerable computer systems on an unprecedented scale. These pools of infected computers can then be directed at legitimate resources and wreak havoc. Botnets can perform highly disruptive attacks like distributed denial of service, or exploit vulnerabilities on a large scale to sell to initial access brokers who later lend that access to ransomware gangs.”

There are legitimate proxy services out there, but they prevent customers from engaging in the kind of cybercriminal activities that RSOCKS customers came for. The takedown of the notorious Russian botnet had been simmering for a long time; it began in 2017, when members of the Federal Bureau of Investigation (FBI) started renting access to the underground proxy service to probe its core infrastructure and identify victims. The tally at the time was around 325,000 devices worldwide; RSOCKS has since doubled that number several times over.

The Russian botnet reportedly grew to its massive size exponentially, performing brute force login attempts against new victims using the devices it had already collected. These attempts were most likely fueled by the long lists of compromised usernames and passwords that have been dumped on the internet as a result of data breaches. The FBI first approached several compromised companies in the San Diego area and asked for permission to replace the hacked devices with controlled honeypots that could be monitored to uncover more information about the inner workings of the illicit proxy service.
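The growth mechanism described above, credential-list guessing spread across thousands of rented proxy IPs, is exactly the pattern a simple per-IP lockout rule misses. As an added example (not from the article or any of its sources), the following Python check runs over constructed sshd-style log lines and compares a classic per-IP threshold with an account-centric rule that counts distinct source IPs per targeted account; the log lines, thresholds and function names are all assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample auth-log lines (sshd style); not taken from the article.
SAMPLE_LOG = """\
Jun 16 10:00:01 host sshd[101]: Failed password for admin from 203.0.113.10 port 40001 ssh2
Jun 16 10:00:07 host sshd[102]: Failed password for admin from 198.51.100.23 port 40002 ssh2
Jun 16 10:00:13 host sshd[103]: Failed password for admin from 192.0.2.77 port 40003 ssh2
Jun 16 10:00:19 host sshd[104]: Failed password for admin from 203.0.113.55 port 40004 ssh2
Jun 16 10:00:25 host sshd[105]: Failed password for invalid user pi from 198.51.100.9 port 40005 ssh2
Jun 16 10:00:31 host sshd[106]: Failed password for admin from 192.0.2.5 port 40006 ssh2
Jun 16 10:00:40 host sshd[107]: Accepted password for alice from 10.0.0.4 port 50000 ssh2
Jun 16 10:00:45 host sshd[108]: Failed password for alice from 10.0.0.4 port 50001 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_failures(log_text):
    """Yield (user, ip) for every failed password attempt in the log."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def per_ip_alerts(log_text, threshold=5):
    """Classic rule: flag any single source IP with >= threshold failures.
    A proxy pool keeps every IP below this, so it stays silent here."""
    counts = defaultdict(int)
    for _, ip in parse_failures(log_text):
        counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def distributed_alerts(log_text, min_failures=5, min_sources=3):
    """Proxy-aware rule: flag an account that accumulates failures from many
    distinct IPs, the signature of guessing spread over rented proxies."""
    ips_by_user = defaultdict(set)
    fails_by_user = defaultdict(int)
    for user, ip in parse_failures(log_text):
        ips_by_user[user].add(ip)
        fails_by_user[user] += 1
    return {
        user: sorted(ips_by_user[user])
        for user in fails_by_user
        if fails_by_user[user] >= min_failures and len(ips_by_user[user]) >= min_sources
    }
```

On the sample data the per-IP rule raises nothing, while the account-centric rule flags `admin` with five failures from five different source addresses.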

Outlaw Proxy Service Seized, Mastermind Potentially Unmasked

The DOJ worked with law enforcement in Germany, the Netherlands and the UK to seize infrastructure belonging to the operation of the Russian botnet, essentially bankrupting it.

KrebsOnSecurity reports that it has identified the owner of RSOCKS as Denis Kloster, a prominent spammer who has been linked to cybercrime ventures dating back to 2005. As well as running the Russian botnet, Kloster also runs the world’s most widely used forum for professional spammers and scammers, a site called RUSDot.

Kloster is also the former owner of Spamdot, which was the world’s leading spam and cybercrime forum until it disintegrated in 2010 after his exploits in organizing counterfeit pharmaceutical scams garnered too much heat. He is a native Russian and an apparent former resident of Omsk, but now claims to live and travel abroad.

The takedown of the Russian botnet is part of what appears to be a small campaign by US authorities to target the most prominent of these illicit proxy services. This follows an April operation by the FBI to take down the Cyclops Blink botnet, which had been linked to Russian intelligence. Cyclops Blink was believed to be the tool of the advanced persistent threat group “Sandworm” which was credited with the NotPetya ransomware outbreak in 2017 as well as various attacks on Ukraine’s critical infrastructure. This botnet was discovered in early 2022, but evidence indicates that it has been in operation since 2019. It spread primarily by attacking known vulnerabilities in WatchGuard Firebox firewall appliances and a number of ASUS routers.

The existence of this illicit proxy service, the length of time it was able to operate, and the massive size it grew to (about eight million devices worldwide before the takedown) are all further illustrations of the need for immediate and major improvements in IoT security. This is particularly important as more and more components of homes and businesses become “smart” and connected to the Internet. Problems with IoT devices range from failing to patch them regularly, to security issues introduced during development, to simply not having adequate security in place to begin with.


Garret Grajek, CEO of YouAttest, notes that botnets of this nature have grown to such a size that they now threaten to constitute the majority of all Internet traffic in the near future: “Security today – with the Barracuda Networks survey revealing that 39% of all traffic is malicious bots. These bots scan our machines, check for vulnerabilities, then deploy themselves to our systems and communicate with their designated C2s (hacker command and control centers). The company should be aware that this is happening and recognize that vulnerabilities and zero-day hacks WILL BE discovered. Secure identity governance is necessary because hackers will exploit compromised identities and elevate privileges.”
