BREAKING: 7,000-Device Proxy Botnet Using IoT, EoL Systems Dismantled in U.S.

Summary: U.S. and Dutch authorities have successfully dismantled a criminal proxy network leveraging IoT and end-of-life devices, revealing the intricate workings of a lucrative botnet. Following the arrest of key operators and the seizure of domains, this operation underscores the cybersecurity risks associated with compromised IoT technology. Discover how this affects internet security and what safeguards users should implement.

The Dismantling of a Major Cybercrime Network

A joint law enforcement operation by Dutch and U.S. authorities has successfully dismantled a malicious proxy network driven by thousands of infected Internet of Things (IoT) and end-of-life (EoL) devices. This operation reveals how cybercriminals exploit vulnerabilities to create a robust botnet that offers anonymity to malicious actors.

Key Arrests and Financial Implications

As part of this crackdown, several Russian nationals, including Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, and others, have been charged by the U.S. Department of Justice (DoJ) for operating and profiting from these proxy services. Their operations reportedly earned over $46 million through subscriptions ranging from $9.95 to $110 monthly, in a service available since 2004.

The FBI uncovered numerous hacked business and residential routers across Oklahoma, which were unknowingly compromised to operate malware.

Detection and Analysis of the Botnet

The Lumen Technologies Black Lotus Labs reported that the botnet averaged 1,000 unique bots interacting with command-and-control (C2) infrastructure located in Turkey, with over half of the compromised devices based in the United States. These statistics emphasize the scale of the issue and the geographical distribution of affected users.

Operation Moonlander

Two specific services—anyproxy.net and 5socks.net—were disrupted in a coordinated effort dubbed Operation Moonlander. Both platforms are believed to belong to the same botnet, which was responsible for selling access under multiple service names.

Exploitation of Vulnerable Devices

The compromised IoT devices were infected with a malware variant known as TheMoon. This malware facilitates remote access and enables the installation of proxy software, empowering cybercriminals to engage in illicit activities anonymously.

According to Lumen, TheMoon malware exploits EoL devices using various vulnerabilities, allowing for easy infiltration and recruitment into the botnet. A network of servers based in Turkey communicates with the infected devices, probing them for further vulnerabilities.

Cybersecurity Recommendations

In an advisory, the FBI highlighted the importance of securing routers and other internet-exposed devices, particularly EoL models. It is crucial for users to implement the following cybersecurity measures:

• Regularly reboot and secure routers by setting strong, unique passwords.
• Keep firmware updated to patch known vulnerabilities.
• Consider replacing EoL devices with modern alternatives that receive security updates.

Understanding the Impact of Proxy Networks

Proxy services significantly threaten internet security, enabling malicious activities while hiding behind residential IPs. As the number of EoL devices continues to grow alongside the proliferation of IoT, the landscape remains ripe for exploitation by cybercriminals.