Full Report
A joint law enforcement operation undertaken by Dutch and U.S. authorities has dismantled a criminal proxy network that's powered by thousands of infected Internet of Things (IoT) and end-of-life (EoL) devices, enlisting them into a botnet for providing anonymity to malicious actors. In conjunction with the domain seizure, Russian nationals, Alexey Viktorovich Chertkov, 37, Kirill Vladimirovich
Analysis Summary
# Incident Report: Dismantling of Major Criminal Proxy Botnet (Operation Moonlander)
## Executive Summary
A joint international law enforcement operation, codenamed Operation Moonlander, successfully dismantled a long-running criminal proxy network powered by thousands of compromised IoT and End-of-Life (EoL) routers. The network, managed by indicted Russian and Kazakhstani nationals, generated over $46 million by selling anonymous proxy access to malicious actors conducting various cybercrimes. The disruption involved domain seizures and null-routing C2 infrastructure.
## Incident Details
- **Discovery Date:** Not stated. The investigation was ongoing and culminated in the law enforcement action; Black Lotus Labs telemetry cites weekly activity, but no date of initial threat identification is given.
- **Incident Date:** Service is believed to have been operational since **2004**. Law enforcement action occurred recently.
- **Affected Organization:** Not a single targeted organization; the incident involves the operation of a global criminal infrastructure targeting general IoT/router owners.
- **Sector:** Cybercrime Infrastructure/Service Provision.
- **Geography:** C2 infrastructure centralized in **Turkey**. Affected victim devices are heavily concentrated in the **United States** (over 50%), followed by Canada and Ecuador.
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing, starting as early as **2004**.
- **Vector:** Exploitation of known security vulnerabilities in Internet-exposed routers, particularly **End-of-Life (EoL) devices**.
- **Details:** Attackers relied on known exploits targeting publicly accessible ports to breach routers, often without requiring a password.
### Lateral Movement
- **Vector:** The newly implanted malware commanded infected routers to actively **scan for and infect other vulnerable routers** to expand the botnet network.
### Data Exfiltration/Impact
- **Impact:** The primary impact was the creation of a vast proxy network providing anonymity for cybercriminals. Known activities included **ad fraud, DDoS attacks, brute-force attacks, and data exploitation** of the victims.
### Detection & Response
- **Detection:** Investigation conducted by Lumen Technologies Black Lotus Labs, shared with U.S. and Dutch authorities.
- **Response Actions:** Domain seizures of `anyproxy.net` and `5socks.net`. Infrastructure disruption via **null routing all traffic to and from known C2 points**. Simultaneous indictments of four alleged administrators by the U.S. DoJ.
## Attack Methodology
- **Initial Access:** Exploiting known security flaws in Internet-exposed routers (particularly EoL models).
- **Persistence:** Installation of **TheMoon malware** variant on compromised devices.
- **Privilege Escalation:** Not explicitly detailed, but initial access relied on exploiting security flaws allowing remote code execution/malware installation.
- **Defense Evasion:** Reliance on EoL devices that likely no longer receive patches, and hosting the C2 infrastructure in Turkey, outside the immediate reach of the investigating jurisdictions.
- **Credential Access:** Not explicitly targeted; the goal was device control, not user account theft.
- **Discovery:** Infected bots likely performed internal and external network reconnaissance to identify further vulnerable targets for botnet expansion.
- **Lateral Movement:** Infected bots were instructed to **scan for and infect other vulnerable routers** (peer-to-peer infection propagation).
- **Collection:** The infected routers acted as proxies, collecting traffic/data passing through them for potential exploitation by paying subscribers.
- **Exfiltration:** Data exfiltration was conducted by the paying subscribers using the platform; the botnet itself facilitated anonymous routing rather than direct data exfiltration from the victim router owners.
- **Impact:** Provision of high-anonymity proxy services ($9.95 - $110/month) used to facilitate various cybercrimes globally.
## Impact Assessment
- **Financial:** Threat actors netted **over $46 million** from subscription fees. Financial estimation for victims is **undisclosed**.
- **Data Breach:** **Router configuration/control** was compromised. Victim network traffic and potentially sensitive data passing through the proxy were exposed to paying subscribers.
- **Operational:** Impact on the router owners was primarily unauthorized use of their bandwidth and IP addresses, along with maintaining unauthorized persistent access via malware.
- **Reputational:** Not publicly detailed for specific victims, but the incident highlights widespread insecurity in IoT/home networking environments.
## Indicators of Compromise
- **Network Indicators:** The seized service domains `anyproxy.net` and `5socks.net`. C2 infrastructure was reported to be located in Turkey and consisted of five servers: four communicated with victims over **TCP port 80**, and one received victim traffic and stored information over **UDP port 1443**. No C2 IP addresses are given.
- **File Indicators:** Compromised devices were infected with **TheMoon malware**.
- **Behavioral Indicators:** Infected devices exhibiting regular outbound communication to the known C2 infrastructure; functioning as an unauthenticated proxy service.
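As an added example, not part of the report or of Black Lotus Labs' tooling, the following Python script turns the behavioral indicators above and the scan-and-infect propagation described under Attack Methodology into detection logic run over constructed flow records. It flags a source that repeatedly contacts a suspected C2 address on TCP/80 or UDP/1443 and measures whether those contacts are regularly spaced (a beacon), and separately flags a source fanning out to many distinct destinations on one port (a bot hunting for further routers). The C2 addresses, router addresses, the scan port and the flow lines are all constructed placeholders; the report gives no IP addresses.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Placeholder C2 addresses (RFC 5737 TEST-NET-3). The report names no IPs,
# so these are constructed values, not real indicators.
SUSPECTED_C2 = {"203.0.113.10", "203.0.113.11", "203.0.113.12",
                "203.0.113.13", "203.0.113.20"}
# From the report: four C2 servers spoke to victims on TCP/80, one took UDP/1443.
C2_PORTS = {("tcp", 80), ("udp", 1443)}


def parse_flow(line):
    """Parse one constructed flow record 'epoch src dst proto dport'."""
    ts, src, dst, proto, dport = line.split()
    return {"ts": int(ts), "src": src, "dst": dst,
            "proto": proto.lower(), "dport": int(dport)}


def find_c2_beacons(flows, min_hits=3, max_jitter=0.25):
    """Return (src, dst, proto, dport) tuples that hit a suspected C2 on a
    C2 port at least min_hits times, with a flag for regular timing
    (coefficient of variation of the inter-contact gaps <= max_jitter)."""
    buckets = defaultdict(list)
    for f in flows:
        if f["dst"] in SUSPECTED_C2 and (f["proto"], f["dport"]) in C2_PORTS:
            buckets[(f["src"], f["dst"], f["proto"], f["dport"])].append(f["ts"])
    results = []
    for (src, dst, proto, dport), times in buckets.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        results.append({"src": src, "dst": dst, "proto": proto, "dport": dport,
                        "hits": len(times), "regular": jitter <= max_jitter})
    return sorted(results, key=lambda r: (r["src"], r["dst"]))


def find_scan_fanout(flows, min_targets=20):
    """Return sources that touch at least min_targets distinct destinations
    on a single protocol/port: the outbound footprint of an infected router
    scanning for more vulnerable routers."""
    targets = defaultdict(set)
    for f in flows:
        targets[(f["src"], f["proto"], f["dport"])].add(f["dst"])
    hits = [{"src": s, "proto": p, "dport": d, "targets": len(v)}
            for (s, p, d), v in targets.items() if len(v) >= min_targets]
    return sorted(hits, key=lambda r: (r["src"], r["proto"], r["dport"]))


def analyse(lines):
    """Run both detections over raw flow lines."""
    flows = [parse_flow(l) for l in lines]
    return {"beacons": find_c2_beacons(flows), "scans": find_scan_fanout(flows)}


# Constructed sample traffic (all addresses are documentation ranges).
BASE = 1700000000
SAMPLE_FLOWS = []
# Router A checks in with a C2 over TCP/80 every 600 s: a regular beacon.
SAMPLE_FLOWS += [f"{BASE + 600 * i} 198.51.100.7 203.0.113.10 tcp 80" for i in range(6)]
# Router A also pushes to the UDP/1443 collector at irregular intervals.
SAMPLE_FLOWS += [f"{BASE + t} 198.51.100.7 203.0.113.20 udp 1443" for t in (5, 900, 1000, 3300)]
# Router A probes 25 neighbours on TCP/80 (constructed scan port).
SAMPLE_FLOWS += [f"{BASE + 10 * i} 198.51.100.7 192.0.2.{i} tcp 80" for i in range(1, 26)]
# Router B touches a C2 address once: below the beacon threshold.
SAMPLE_FLOWS += [f"{BASE + 100} 198.51.100.8 203.0.113.11 tcp 80"]
# Router C browses a handful of sites over TCP/443: benign fan-out.
SAMPLE_FLOWS += [f"{BASE + 60 * i} 198.51.100.9 192.0.2.{100 + i} tcp 443" for i in range(5)]

if __name__ == "__main__":
    report = analyse(SAMPLE_FLOWS)
    for b in report["beacons"]:
        print(f"C2 contact: {b['src']} -> {b['dst']} {b['proto']}/{b['dport']} "
              f"x{b['hits']} regular={b['regular']}")
    for s in report["scans"]:
        print(f"Scan fan-out: {s['src']} -> {s['targets']} hosts on {s['proto']}/{s['dport']}")
```

On the sample data the script reports router A twice as a C2 contact (the TCP/80 check-ins as a regular beacon, the UDP/1443 pushes as irregular) and once for scan fan-out; routers B and C stay below both thresholds. In practice the candidate C2 list would come from a threat-intelligence feed and the flows from NetFlow or firewall logs at the network edge, where a home or branch router's outbound traffic is visible.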
## Response Actions
- **Containment Measures:** Disruption of the C2 infrastructure by **null routing all traffic** to and from known control points.
- **Eradication Steps:** Law enforcement action involving **domain seizures** (`anyproxy.net` and `5socks.net`).
- **Recovery Actions:** Victims (device owners) are advised to reboot routers, install updates, change default passwords, and replace EoL devices.
## Lessons Learned
- **Key Takeaways:** Prolonged criminal operations ($46M revenue) can persist for nearly two decades by targeting easily exploitable, unpatched EoL devices, highlighting the persistent risk posed by insecure IoT.
- **What could have been done better:** Device manufacturers need to enforce timely end-of-life support and patching policies, as EoL devices remain a massive target pool.
## Recommendations
- **Prevention Measures for Similar Incidents:**
  1. Regularly reboot routers to disrupt potential persistent malware sessions.
  2. Immediately apply all available **security updates** provided by manufacturers.
  3. Change all **default router login credentials** to strong, unique passwords.
  4. **Upgrade** routers once they reach End-of-Life status to ensure continued security support.