Full Report
Executive Summary: Along with the Department of Justice and the Dutch National Police, Lumen's Black Lotus Labs team has tracked a criminal proxy network for over a year as it infected thousands of IoT and end-of-life (EoL) devices, powering a […] The post "Classic Rock: Hunting a Botnet that preys on the Old" appeared first on Lumen Blog.
Analysis Summary
# Threat Actor: Criminal Proxy Network (Unnamed, Associated with previous 'NSOCKS' and 'Faceless' services)
## Attribution & Identity
The actors operate a criminal proxy network that provides anonymity to other malicious actors. The findings come from a partnership between Lumen's Black Lotus Labs, the Department of Justice, the FBI, and the Dutch National Police, which dismantled the network. The network has claimed to be in operation since 2004. The operators require payment in cryptocurrency.
## Activity Summary
Lumen tracked this criminal proxy network for over a year, observing it infect thousands of IoT and End-of-Life (EoL) devices to power a botnet. The service offers proxies used to conceal a range of illicit pursuits. The administrators of the defunct C2 infrastructure were identified as being Russian and Kazakhstani. The service aims to blend traffic into residential IP spaces to facilitate criminal activity.
## Tactics, Techniques & Procedures
- **Infection Vector:** Targeting IoT and SOHO devices, specifically those that are EoL and unpatchable.
- **Exploitation:** Likely relies on exploits that have been available for years, abusing equipment past its vendor support lifecycle. (Specific malware details were withheld to prevent re-exploitation).
- **Stealth/Evasion:** The use of residential IP space complicates tracking and mitigation. Only about 10% of the proxies are detected as malicious by tools like VirusTotal, showing a high degree of success in avoiding network monitoring.
- **Operation:** Users can connect directly to proxies with no authentication (open proxies).
- **Command and Control (C2):** C2 infrastructure was located in Turkey (Türkiye).
## Targeting
- **Sectors:** Facilitates attacks across various sectors for illicit pursuits (ad fraud, DDoS, brute forcing). The ultimate victims of the end-user attacks are not specified, but the service is used against U.S.-based organizations and organizations globally.
- **Geography:** Highest number of infected devices located in the United States (over half), followed by Ecuador and Canada. Active C2 infrastructure observed in Turkey (Türkiye).
- **Victims:** Undocumented IoT and SOHO devices, often residential, whose owners are unaware of the infection.
## Tools & Infrastructure
- **Malware Families used:** Details on the malware were intentionally withheld by the researchers.
- **Infrastructure (C2, domains, IPs):**
  - C2 infrastructure located in Turkey (Türkiye).
  - The operators claimed a daily population of over 7,000 proxies, though Black Lotus Labs telemetry indicated an average of 1,000 weekly active proxies across over 80 countries.
## Implications
This proxy network demonstrates the persistent danger posed by long-running, low-profile criminal operations that rely on abusing insecure, EoL equipment. The ability to consistently blend malicious traffic with residential IPs severely frustrates network defenders attempting to use geo-blocking or ASN-based blocking. The service successfully provided a highly effective veil of legitimacy for its users' illicit activities.
## Mitigations
- **Corporate Network Defenders:**
  - Continuously monitor for attacks originating from residential IP addresses (e.g., suspicious logins, brute force attempts).
  - Implement Web Application Firewalls to block known IoCs attempting password spraying or brute force attacks against cloud assets.
  - Block known open proxy IP addresses or leverage sophisticated perimeter countermeasures.
- **Consumers with SOHO routers:**
  - Regularly reboot routers.
  - Ensure routers are not EoL; install security updates and patches promptly.
  - For managed SOHO environments, ensure devices do not use default passwords and that management interfaces are secured (not reachable from the internet).
  - Replace devices once they reach manufacturer End-of-Life.
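The corporate-defender bullets above (monitor residential sources for brute force and password spraying, block known open proxy addresses) combine into one detection: correlate authentication failures per source IP within a time window, then raise the priority of any source that also appears on an open-proxy list. The following is an added illustration, not code from the Lumen report. The sshd-style log lines and the `KNOWN_OPEN_PROXIES` set are constructed sample data using documentation IP ranges; in practice the proxy list would come from the defender's own threat intelligence feed.

```python
"""Correlate failed logins with a known open-proxy list (added example, not
from the Lumen report). Log lines and proxy addresses are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: addresses the defender already knows to be open-proxy
# exits (RFC 5737 documentation ranges, not real indicators).
KNOWN_OPEN_PROXIES = frozenset({"198.51.100.23", "203.0.113.77"})

# Constructed sshd-style excerpt: one spraying proxy, one non-proxy brute
# forcer, a proxy with a single failure, and a lone unrelated failure.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[4410]: Failed password for admin from 198.51.100.23 port 51000 ssh2
2024-05-01T10:00:09 sshd[4412]: Failed password for invalid user backup from 198.51.100.23 port 51004 ssh2
2024-05-01T10:00:17 sshd[4415]: Failed password for invalid user test from 198.51.100.23 port 51008 ssh2
2024-05-01T10:00:25 sshd[4417]: Failed password for root from 198.51.100.23 port 51012 ssh2
2024-05-01T10:00:33 sshd[4420]: Failed password for invalid user oracle from 198.51.100.23 port 51016 ssh2
2024-05-01T10:00:41 sshd[4422]: Failed password for invalid user deploy from 198.51.100.23 port 51020 ssh2
2024-05-01T10:01:02 sshd[4430]: Failed password for root from 192.0.2.10 port 40001 ssh2
2024-05-01T10:01:05 sshd[4431]: Failed password for root from 192.0.2.10 port 40002 ssh2
2024-05-01T10:01:08 sshd[4432]: Failed password for root from 192.0.2.10 port 40003 ssh2
2024-05-01T10:01:11 sshd[4433]: Failed password for root from 192.0.2.10 port 40004 ssh2
2024-05-01T10:01:14 sshd[4434]: Failed password for root from 192.0.2.10 port 40005 ssh2
2024-05-01T10:02:00 sshd[4440]: Failed password for alice from 203.0.113.77 port 38000 ssh2
2024-05-01T10:02:30 sshd[4441]: Accepted password for alice from 203.0.113.77 port 38001 ssh2
2024-05-01T10:03:00 sshd[4442]: Failed password for bob from 192.0.2.55 port 39000 ssh2
2024-05-01T15:00:00 sshd[4450]: Failed password for root from 192.0.2.10 port 40100 ssh2
"""

# Only failed logins are parsed; "Accepted password" lines fall through.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_failures(log_text):
    """Return (timestamp, username, source_ip) for every failed-login line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return events


def detect_credential_attacks(events, proxies=KNOWN_OPEN_PROXIES,
                              window=timedelta(minutes=10),
                              brute_threshold=5, spray_threshold=3):
    """Flag source IPs whose failures inside any `window` cross a threshold.

    brute_threshold: failures from one IP (any usernames) within the window.
    spray_threshold: distinct usernames tried from one IP within the window.
    Returns {ip: {"failures", "distinct_users", "reasons", "known_open_proxy"}}.
    """
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        peak_failures = peak_users = 0
        start = 0
        # Two-pointer sliding window over the time-sorted failures, so a
        # stray failure hours later does not inflate the count.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            peak_failures = max(peak_failures, len(in_window))
            peak_users = max(peak_users, len({u for _, u in in_window}))
        reasons = []
        if peak_failures >= brute_threshold:
            reasons.append("brute_force")
        if peak_users >= spray_threshold:
            reasons.append("password_spray")
        if reasons:
            alerts[ip] = {
                "failures": peak_failures,
                "distinct_users": peak_users,
                "reasons": reasons,
                # A residential-looking source that is also a listed open
                # proxy is the pattern the report describes; surface it.
                "known_open_proxy": ip in proxies,
            }
    return alerts


def triage(alerts):
    """Order alert IPs: known proxies first, then by failure volume."""
    return sorted(alerts, key=lambda ip: (not alerts[ip]["known_open_proxy"],
                                          -alerts[ip]["failures"]))


if __name__ == "__main__":
    found = detect_credential_attacks(parse_failures(SAMPLE_LOG))
    for ip in triage(found):
        a = found[ip]
        tag = "PROXY" if a["known_open_proxy"] else "     "
        print(f"{tag} {ip:16} failures={a['failures']} "
              f"users={a['distinct_users']} {','.join(a['reasons'])}")
```

On the constructed log this flags 198.51.100.23 (six failures across six usernames, on the proxy list) and 192.0.2.10 (five failures against root within a minute, not a listed proxy); the single failure from 203.0.113.77 stays below threshold even though the address is a known proxy, which is the intended behaviour: the proxy list raises priority on confirmed activity rather than generating alerts on its own.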