The US Department of Justice (DOJ), in partnership with law enforcement agencies in several European countries, has demolished a major Russian botnet that had compromised millions of devices around the world. The botnet essentially functioned as a clandestine proxy service provider for criminals, allowing them to lease the IP addresses attached to their collection of hacked IoT devices, Android phones, and computers.
Russian botnet rented access to thousands of proxies for as little as $30 a day
RSOCKS is a Russian botnet that has been active since at least 2014, the first point at which its handlers began openly advertising it on underground forums in the country. Over the years, the botnet amassed millions of devices, first focusing on compromising poorly protected Internet of Things (IoT) devices, but soon moving on to include Android phones and tablets and even computers.
Illicit actors rented access to RSOCKS as a proxy service, primarily for password guessing/brute force login campaigns and for disguising traffic sources in phishing campaigns and Distributed Denial of Service (DDoS) attacks. This was as simple as visiting a dark web store that allowed varying numbers of proxies to be rented per day, ranging in price from $30 for 2,000 to $200 for 90,000.
Tom Garrubba (Risk, Cyber and Privacy Executive, Shared Assessments) expands on the risk posed by these illicit proxy services and why takedowns the size of the Russian botnet are a huge cybersecurity win: “…lately. Botnets are so dangerous because they control large swaths of vulnerable computer systems on a scale unlike any other attack. Those groups of infected computers can target legitimate resources and wreak havoc. Botnets can perform highly damaging attacks such as distributed denial of service or exploit vulnerabilities on a large scale to sell to initial access brokers who will then lend that access to ransomware gangs.”
There are legitimate proxy services in the world, but they cut off customers for engaging in the kind of cybercriminal activity that RSOCKS customers were looking for. The takedown of the notorious Russian botnet has been a long time in the making, beginning in 2017 when members of the Federal Bureau of Investigation (FBI) began renting access to the clandestine proxy service to investigate its back-end infrastructure and identify the victims. The count at the time was about 325,000 devices worldwide; since then, RSOCKS had doubled that number several times.
The Russian botnet reportedly grew exponentially to its enormous size by performing brute force login attempts against new victims from the devices it had already collected. These attempts were most likely fueled by the long lists of compromised usernames and passwords that have been dumped onto the Internet in the wake of data breaches. Initially, the FBI approached several compromised companies in the San Diego area and asked for permission to replace the hacked devices with controlled decoy devices that could be monitored to uncover more information about the inner workings of the illicit proxy service.
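The brute-force pattern described above, in which a proxy botnet spreads guesses across thousands of rented source IPs so that each address makes only a handful of attempts, is what defeats simple per-IP lockouts. The following detection logic is an added example, not code from the article or from any investigation it cites; it runs over a constructed sample of SSH-style auth log lines and contrasts a per-IP threshold with a per-account distinct-source count.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from the article): six failed logins for
# "admin" from six different source IPs, one failure for "alice", one success.
SAMPLE_LOG = """\
Jun 16 10:00:01 host sshd[101]: Failed password for admin from 203.0.113.5 port 4001 ssh2
Jun 16 10:00:07 host sshd[102]: Failed password for admin from 203.0.113.9 port 4002 ssh2
Jun 16 10:00:13 host sshd[103]: Failed password for admin from 198.51.100.2 port 4003 ssh2
Jun 16 10:00:20 host sshd[104]: Failed password for admin from 198.51.100.7 port 4004 ssh2
Jun 16 10:00:26 host sshd[105]: Failed password for admin from 192.0.2.11 port 4005 ssh2
Jun 16 10:00:31 host sshd[106]: Failed password for admin from 192.0.2.12 port 4006 ssh2
Jun 16 10:00:40 host sshd[107]: Failed password for alice from 203.0.113.5 port 4007 ssh2
Jun 16 10:00:45 host sshd[108]: Accepted password for alice from 192.0.2.50 port 4008 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def parse_failures(log_text):
    """Return a list of (user, source_ip) tuples, one per failed login line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append(m.groups())
    return failures


def per_ip_flags(failures, threshold=5):
    """Classic per-source lockout rule: flag IPs with >= threshold failures.
    A proxy botnet keeps every IP below this, so it returns nothing here."""
    counts = defaultdict(int)
    for _, ip in failures:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= threshold}


def distributed_flags(failures, min_sources=5):
    """Flag accounts hit from >= min_sources distinct IPs, regardless of
    how few attempts each IP made; this is the distributed-guessing signal."""
    sources = defaultdict(set)
    for user, ip in failures:
        sources[user].add(ip)
    return {user: len(ips) for user, ips in sources.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    f = parse_failures(SAMPLE_LOG)
    print("per-IP alerts:", per_ip_flags(f))            # set(): no IP reached 5
    print("distributed alerts:", distributed_flags(f))  # {'admin': 6}
```

On real logs, pair the per-account distinct-source count with a time window and a baseline of how many sources an account normally logs in from, so shared accounts behind NAT do not trip it.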
Illicit proxy service seized, mastermind potentially unmasked
The Justice Department worked with law enforcement in Germany, the Netherlands and the UK to seize infrastructure belonging to the Russian botnet operation, essentially putting it out of business.
KrebsOnSecurity published reporting that identified the owner of RSOCKS as Denis Kloster, a prominent spammer who has been linked to cybercrime firms dating back to 2005. In addition to spearheading the Russian botnet, Kloster also runs the world’s most widely used forum for professional spammers and scammers, a site called RUSDot.
Kloster is also the former owner of Spamdot, which was the world’s leading spam and cybercrime forum until it broke up in 2010 after his exploits in organizing counterfeit pharmaceutical scams generated too much controversy. He is a native Russian and apparently a former resident of Omsk, but now claims to live abroad and travel internationally.
The takedown of the Russian botnet is part of what appears to be a small campaign by US authorities to target the most prominent of these illicit proxy services. It follows an April operation by the FBI to take down the Cyclops Blink botnet, which had been linked to Russian intelligence services. Cyclops Blink was thought to be the tool of the “Sandworm” advanced persistent threat group that was blamed for the 2017 NotPetya ransomware outbreak, as well as a variety of attacks on Ukraine’s critical infrastructure. That botnet was discovered in early 2022, but evidence indicates that it had been in operation since 2019. It spread primarily by attacking known vulnerabilities in WatchGuard Firebox firewall appliances and various ASUS routers.
The existence of this illicit proxy service, the length of time it was able to operate, and the enormous size to which it grew (around eight million devices worldwide before the takedown) serve as another example of the need for major and immediate improvements in IoT security. This is particularly important as more and more components of homes and businesses become “smart” and connect to the Internet. Problems with IoT devices range from failing to patch them regularly as security issues are discovered, to simply not implementing proper security to begin with.
As Garrett Grajek, CEO of YouAttest, notes, botnets of this nature have grown to such an extent that they now threaten to make up the majority of Internet traffic in the near future: “Botnets are a major international concern, and one of the main problems that face Internet availability and security today: with Barracuda Networks research revealing that 39% of all traffic is malicious bots. These bots scan our machines, look for vulnerabilities, and then deploy to our systems and communicate with their designated C2s (hacker command and control centers). The business needs to be aware that this is happening and recognize that vulnerabilities and zero-day attacks will be discovered. Secure identity governance is needed as hackers will exploit compromised identities and increase privileges.”