
Water Barghest Sells Hijacked IoT Devices for Proxy Botnet Misuse

A cybercriminal group known as “Water Barghest” has been targeting Internet of Things (IoT) devices and then selling them on a residential proxy marketplace, where they can be used by state-sponsored advanced persistent threats (APTs) and other malicious actors to create proxy botnets. According to research from Trend Micro, the group has already compromised over 20,000 IoT devices, including small office and home office (SOHO) routers used by businesses.

The cybercriminals behind Water Barghest have been operating for more than five years, largely under the radar thanks to their sophisticated automation strategy. They use automated scripts to identify and compromise vulnerable IoT devices, which they locate through public Internet-scanning databases such as Shodan. Once they compromise a device, they deploy proprietary malware called Ngioweb to register the device as a proxy and then list it for sale on a residential proxy marketplace.

The entire process of enslaving a target takes as little as 10 minutes, highlighting the high efficiency and automation of Water Barghest’s operation. The group’s activities allow them to profit from selling compromised IoT devices to other threat actors who can then use them for malicious purposes.

Selling compromised devices as proxy botnets is a lucrative business model for cybercriminals, as it provides both espionage-motivated and financially motivated actors with a way to hide the origin of their malicious activities. Proxy botnets can be used to scrape website content, access stolen online assets, and launch cyberattacks. For example, Russia’s Sandworm group recently used the VPNFilter botnet in activities against Ukraine before being disrupted by law enforcement.

Threat actors like Water Barghest exploit IoT devices that accept incoming connections from the open Internet, which makes devices with known vulnerabilities or zero-days easy to compromise. The cybercriminal group automates each step of its operation, from finding vulnerable devices to listing them for sale on a Dark Web marketplace. They maintain multiple identities on virtual private servers that continuously scan for vulnerabilities and upload malware to compromised devices.

To protect against the growing threat of proxy botnets, organizations need to address the security of IoT devices, which are notoriously hackable. Limiting the exposure of these devices to incoming connections from the open Internet when not business-essential can help mitigate the risk of them being used in malicious activities. While law enforcement has been effective in disrupting proxy botnets, addressing the security of IoT devices at the source is essential.
