Full Report
Law enforcement authorities have dismantled a botnet that infected thousands of routers over the last 20 years to build two networks of residential proxies known as Anyproxy and 5socks. [...]
Analysis Summary
# Incident Report: Dismantling of Anyproxy Residential Proxy Botnet
## Executive Summary
Law enforcement agencies dismantled a large botnet that used compromised, end-of-life (EoL) consumer routers as residential proxies sold to cybercriminals. The operation resulted in charges against four individuals for conspiracy and computer damage and disrupted infrastructure that had been used to facilitate attacks such as cryptocurrency theft and cybercrime-for-hire campaigns through the proxy services.
## Incident Details
- Discovery Date: Wednesday (FBI Flash Advisory issued)
- Incident Date: Ongoing campaign preceding the law enforcement action.
- Affected Organization: Not explicitly named, but affects owners of compromised routers globally.
- Sector: Hosting/Infrastructure, Cybercrime (as service provider).
- Geography: Operators used servers registered in Russia (JCS Fedora Communications), Netherlands, and Türkiye. Victims are router owners globally.
## Timeline of Events
### Initial Access
- Date/Time: Preceding law enforcement action/discovery.
- Vector: Exploitation of **end-of-life (EoL) routers** with **remote administration enabled**.
- Details: Attackers installed a variant of the **TheMoon malware** on vulnerable devices (including Linksys, Cisco, and Cradlepoint models).
### Lateral Movement
- Not explicitly detailed for this botnet operation, as the primary goal was establishing persistent C2/proxy access on the compromised endpoint (the router itself).
### Data Exfiltration/Impact
- **Impact:** Provision of anonymous residential proxy services to cybercriminals. These proxies were used to evade detection during cybercrime-for-hire activities and cryptocurrency theft attacks.
- **Data Stolen:** Not applicable in the traditional sense; the primary asset compromised was the router's IP address/bandwidth for proxying traffic.
### Detection & Response
- **How it was discovered:** Federal law enforcement identified the infrastructure supporting the botnet and the associated proxy sale websites (Anyproxy.net and 5socks.net).
- **Response actions taken:** FBI issued a flash advisory/PSA warning about targeted EoL routers. Multiple arrests/indictments were made, and C2 servers were seized. The associated websites were disabled, showing seizure banners.
## Attack Methodology
- **Initial Access:** Exploiting easily accessible routers (often EoL models) with remote administration enabled.
- **Persistence:** Installation of TheMoon malware variant establishing long-term control over the router's network capabilities.
- **Privilege Escalation:** Likely achieved through default configurations or known vulnerabilities in the EoL router firmware that allowed the malware to be installed.
- **Defense Evasion:** Utilizing **residential IP addresses** provided by the compromised routers, which are perceived as more legitimate than typical commercial VPN/proxy IPs, allowing other cybercriminals to hide their activities.
- **Credential Access:** Not the primary focus; the attack focused on network hijacking for proxying.
- **Discovery:** Unknown, likely scanning the internet for exposed administrative interfaces on EoL models.
- **Lateral Movement:** Not applicable; the infection focused on weaponizing the router endpoints.
- **Collection:** Not applicable; the goal was to route traffic, not necessarily harvest data from the router owners.
- **Exfiltration:** Not applicable; the output was the sale of network access (proxy usage).
- **Impact:** Facilitation of further criminal activities (e.g., crypto theft, cybercrime-for-hire) by providing anonymity to the end-user of the proxy service.
## Impact Assessment
- **Financial:** Operators profited financially from selling access to the compromised router IPs. Undetermined cost to victims whose routers were misused.
- **Data Breach:** No direct large-scale data breach of organizational records mentioned, but private residential IPs were leveraged for illegal activity.
- **Operational:** Disruption of the criminal operation itself following the law enforcement action.
- **Reputational:** Potential reputational risk for owners of compromised routers, although the layering of proxied traffic makes it difficult to tie abusive activity back to an individual owner.
## Indicators of Compromise
*This section contains defanged indicators based on the malware and infrastructure mentioned.*
- **Network indicators:** Hostnames associated with management infrastructure (e.g., *anyproxy.net*, *5socks.net*). Infrastructure utilized known servers hosted at *JCS Fedora Communications* (Russia) and others in the Netherlands and Türkiye.
- **File indicators:** **TheMoon malware** variant.
- **Behavioral indicators:** Routers exhibiting unexpected redirection or proxying behavior, particularly Linksys E1200, E2500, E1000, E4200, E1500, and various WRT models.
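The behavioral indicator above (a router unexpectedly proxying traffic) can be checked against flow records. The following is an added example and not part of the original report; it assumes a router WAN address, LAN prefix, and constructed flow records that carry pre-NAT source addresses (for example from the router's own connection table or a LAN-side tap), and it treats the co-occurrence of a non-admin listening port hit by many outside hosts with router-originated fan-out as the detection signal.

```python
from collections import defaultdict

# Assumptions (not from the report): the monitored router's WAN address, its LAN
# prefix, and that flow records carry pre-NAT source addresses (e.g. from the
# router's own connection table or a LAN-side tap), so LAN hosts are distinguishable
# from sessions the router itself originates.
ROUTER_WAN_IP = "203.0.113.10"
LAN_PREFIX = "192.168.1."
EXPECTED_ADMIN_PORTS = {22, 23, 80, 443}   # remote admin listeners a router may legitimately expose

# Constructed flow records: (src_ip, dst_ip, dst_port)
FLOWS = [
    ("192.168.1.20", "198.51.100.5", 443),    # ordinary LAN client traffic
    ("192.168.1.21", "198.51.100.6", 443),
    ("198.51.100.50", "203.0.113.10", 1080),  # unrelated external hosts all hitting
    ("198.51.100.51", "203.0.113.10", 1080),  # the same high port on the WAN IP
    ("198.51.100.52", "203.0.113.10", 1080),
    ("203.0.113.10", "192.0.2.1", 443),       # sessions originated by the router itself,
    ("203.0.113.10", "192.0.2.2", 443),       # fanning out to destinations no LAN host asked for
    ("203.0.113.10", "192.0.2.3", 80),
]

def proxy_indicators(flows, router_ip, min_inbound_sources=3, min_outbound_dests=3):
    """Return a summary dict when both proxy signals co-occur, else None.

    Signal 1: >= min_inbound_sources distinct external sources connecting to the
    router's WAN IP on one non-admin port (a proxy listener, not remote management).
    Signal 2: >= min_outbound_dests distinct destinations in flows sourced by the
    router itself, i.e. traffic relayed on behalf of outsiders, not NATed LAN clients.
    """
    inbound_by_port = defaultdict(set)
    router_sourced_dests = set()
    for src, dst, dport in flows:
        if dst == router_ip and not src.startswith(LAN_PREFIX):
            inbound_by_port[dport].add(src)
        elif src == router_ip:
            router_sourced_dests.add(dst)
    listeners = {port: len(srcs) for port, srcs in inbound_by_port.items()
                 if port not in EXPECTED_ADMIN_PORTS and len(srcs) >= min_inbound_sources}
    if listeners and len(router_sourced_dests) >= min_outbound_dests:
        return {"listening_ports": listeners,
                "router_sourced_destinations": len(router_sourced_dests)}
    return None

if __name__ == "__main__":
    print(proxy_indicators(FLOWS, ROUTER_WAN_IP))
```

Thresholds are deliberately low for the constructed sample; on real flow exports they should be tuned to the household's baseline so that legitimate remote administration on 22/80/443 is not flagged.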
## Response Actions
- **Containment measures:** Coordination between international law enforcement agencies to target and take down C2 servers used to manage the botnet.
- **Eradication steps:** Seizure of servers hosting the proxy management websites. Indictments against four defendants.
- **Recovery actions:** Issuance of public advisories urging users to patch or retire EoL routers.
## Lessons Learned
- **Key takeaways:** End-of-life (EoL) networking devices that retain remote administration features are a significant and persistent threat vector, providing valuable, low-suspicion infrastructure for cybercriminals.
- **What could have been done better:** Manufacturers should disable remote administrative access on EoL devices by default, or issue firmware updates and EoL notices more aggressively.
## Recommendations
- **Prevention measures for similar incidents:**
  1. Immediately retire routers identified in the advisory (Linksys E1200/E2500/E1000, etc.).
  2. Disable remote administration features on all local network equipment unless strictly necessary for operation.
  3. Ensure all network devices run supported firmware to prevent exploitation by known malware like TheMoon.
  4. Implement regular internal vulnerability scanning focused on identifying vulnerable IoT and perimeter devices.