

Police Dismantles Botnet Selling Hacked Routers As Residential Proxies (bleepingcomputer.com)

An anonymous reader quotes a report from BleepingComputer: Law enforcement authorities have dismantled a botnet that infected thousands of routers over the last 20 years to build two networks of residential proxies known as Anyproxy and 5socks. The U.S. Justice Department also indicted three Russian nationals (Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, and Aleksandr Aleksandrovich Shishkin) and a Kazakhstani (Dmitriy Rubtsov) for their involvement in operating, maintaining, and profiting from these two illegal services.

During this joint action dubbed 'Operation Moonlander,' U.S. authorities worked with prosecutors and investigators from the Dutch National Police, the Netherlands Public Prosecution Service (Openbaar Ministerie), and the Royal Thai Police, as well as analysts with Lumen Technologies' Black Lotus Labs. Court documents show that the now-dismantled botnet infected older wireless internet routers worldwide with malware since at least 2004, allowing unauthorized access to compromised devices to be sold as proxy servers on Anyproxy.net and 5socks.net. The two domains were managed by a Virginia-based company and hosted on servers globally.

On Wednesday, the FBI also issued a flash advisory (PDF) and a public service announcement warning that this botnet was targeting end-of-life (EoL) routers with a variant of the TheMoon malware. The FBI warned that the attackers are installing proxies later used to evade detection during cybercrime-for-hire activities, cryptocurrency theft attacks, and other illegal operations. The list of devices commonly targeted by the botnet includes Linksys and Cisco router models, including:

- Linksys E1200, E2500, E1000, E4200, E1500, E300, E3200, E1550
- Linksys WRT320N, WRT310N, WRT610N
- Cisco M10 and Cradlepoint E100

"The botnet controllers require cryptocurrency for payment. Users are allowed to connect directly with proxies using no authentication, which, as documented in previous cases, can lead to a broad spectrum of malicious actors gaining free access," Black Lotus Labs said. "Given the source range, only around 10% are detected as malicious in popular tools such as VirusTotal, meaning they consistently avoid network monitoring tools with a high degree of success. Proxies such as this are designed to help conceal a range of illicit pursuits including ad fraud, DDoS attacks, brute forcing, or exploiting victims' data."


Comments Filter:
  • by Moryath ( 553296 ) on Saturday May 10, 2025 @09:29AM (#65366383)

    People aren't going to stop using something just because the company marked it EOL and stopped patching. They're only going to upgrade when they want a performance boost, or when the old device breaks.

    This is especially true the more people wind up living paycheck-to-paycheck, and for the people who weren't highly conversant in the technology to begin with. Note how having remote admin turned on with a "listed in the manual" default username/password is a terrible security practice, but it's still incredibly common today. Many users probably plug the damn router in and don't even bother going through a setup, and they even leave the wi-fi ident string default and the password set to the MAC address listed on the sticker on the underside...

    • by allo ( 1728082 )

      Which means the hardware needs to be general purpose again. Why can't I run an up-to-date Cisco firmware on a Linksys router? Why can't I install Android on an unsupported iPhone? Even for devices that are more open, like many Android phones, you still don't have the option to use other software. Yeah, try getting iOS on your Android phone. You often won't even get newer Android to run as the closed source hardware drivers do not support the kernel used by the newer version.
      You can't force vendors to patch

  • Given how apathetic the average service industry worker is in America, how practically every big store has wifi, and big stores have lots of outlets, I am constantly shocked that bad actors aren't plugging cheap little Pi 0w2's in official looking wall warts into big box stores everywhere, setting them up with C&C servers, and using that as cheap, damn hard to trace, bastion boxes.

  • "Invincible!"
    Until BOTRAkER came along.

  • At that rate they could also simply wait until the botnet operators die of old age...

    Obviously, this stuff is still not taken seriously at all.

  • by laughingskeptic ( 1004414 ) on Saturday May 10, 2025 @12:17PM (#65366663)

    I can't find any articles indicating that they arrested anyone or took down the botnet. What it seems the FBI did was take down the two most overt domains that the botnet operators were using to monetize the botnet. I'm sure there are more monetization channels on the dark web and the criminals still have their list of susceptible systems and the code to take advantage of them so this is just a hiccup in the cash flow of the botnet operators, not a "Botnet Take Down".

  • by groobly ( 6155920 ) on Saturday May 10, 2025 @12:25PM (#65366695)

    Why is Russia even physically connected to the outside world?

    • I used to do malware at a web hosting company. While Russia definitely used to be a big source, it wasn't the only one. They used to be from all over the world, with the poorer countries featuring higher up.

      I remember in one case I found it to be some dude from Atlanta, who was doing this for "hookers, coke and booze" (paraphrased).

  • The IPv4 space has been so crowded and overlaid with VPNs, NATs and proxies that an IPv4 address can represent almost anything anywhere in the world. Malware will get worse, especially with even more stuff getting internet connectivity. Landline phones are now VoIP, Smart TVs are replacing over the air with IPTV, every new car is spreading diagnostics and telemetry, even air conditioners have IoT now. The botnets will sabotage us unless we force Microsoft and others to patch indefinitely and get rid of end
  • Back in 2016, I ordered a Netgear R7800 off eBay. It was a seller refurbished item and priced to sell.

    When it arrived the router was behaving really weird and was loaded with a very old fw. Also the 2.4G network didn't work at all, apart from other oddities.

    It has since worked great, once I reset the NVRAM, flashed to OpenWRT and then back.

    At the time, I had assumed it was just buggy old fw, but I wonder if it wasn't just that
    • You flashed it to OpenWRT and then back to factory? You were so close.

      I never buy any router which I cannot load with OpenWRT, and then I keep it that way. Somewhere along the line it just got to be so super easy to set them up (all it took was their adoption of some sensible defaults) that there's no longer any benefit to manufacturer firmware. I have a Linksys router (not one of the named devices) and I bought it specifically because it was advertised to work with OpenWRT (and also had been shown to do so

  • Law enforcement authorities have dismantled a botnet that infected thousands of routers over the last 20 years

    How did these thousands of routers get infected in the first place?

