Man
Professional
More and more unsecured devices are opening new doors for attackers.
The Black Lotus Labs team at Lumen Technologies has revealed a new scheme for the ngioweb botnet, which is the basis of one of the largest criminal proxy services, NSOCKS. This service uses about 35,000 bots daily in 180 countries, 60% of which are located in the United States.
The investigation revealed that about 80% of NSOCKS bots are associated with the ngioweb botnet, which attacks IoT devices and SOHO routers. Through this infrastructure, attackers obfuscate malicious traffic, engage in phishing, and organize DDoS attacks.
Lumen Technologies has been able to identify more than 180 command-and-control (C2) servers that are used to hide users' identities. Not only do these servers power NSOCKS, but they also allow various criminal groups like Shopsocks5 to exploit the botnet's infrastructure.
Analysis of ngioweb showed that it uses many exploits for vulnerable devices, but does not use so-called "zero days". Instead, botnet operators actively exploit outdated firmware and software versions.
One of the main threats is that infected devices are often used by multiple criminal groups at the same time. Lumen Technologies has blocked all traffic associated with the ngioweb botnet on its network and published indicators of compromise (IoC) to help other companies in the fight against this botnet.
NSOCKS, in addition to standard proxy functions, allows attackers to set up filters for domains, including ".gov" and ".edu", which opens up opportunities for targeted attacks on government agencies and educational organizations. The botnet's architecture supports long-term bot activity: up to 40% of devices remain infected for more than a month.
To counter the threat, experts recommend regularly updating router firmware, avoiding standard passwords, and protecting management interfaces. Organizations should proactively block suspicious IP addresses and implement additional protections to prevent attacks.
The study confirmed that proxy botnets are becoming increasingly popular among cybercriminals, which requires active interaction and joint action from the cybersecurity industry.
Source
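The post notes that Lumen published indicators of compromise and recommends that organizations proactively block suspicious addresses. The script below is an added example, not part of the original post or of Lumen's material: it matches firewall log lines against an IoC list and renders a consolidated blocklist. The C2 addresses are placeholders from the RFC 5737 documentation ranges (the real ngioweb IoCs are not on this page), the log lines are constructed, and the key=value log format is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Placeholder C2 indicators (TEST-NET ranges) standing in for the published
# IoC list; substitute the real indicators when using this for detection.
IOC_C2_IPS = {"192.0.2.10", "198.51.100.7"}
IOC_C2_NETS = [ipaddress.ip_network("203.0.113.0/28")]

# Constructed firewall log lines in an assumed key=value format.
SAMPLE_LOGS = """\
2024-11-19T10:01:02Z src=10.0.0.5 dst=192.0.2.10 dport=443 action=allow
2024-11-19T10:01:05Z src=10.0.0.5 dst=93.184.216.34 dport=443 action=allow
2024-11-19T10:02:11Z src=10.0.0.7 dst=203.0.113.9 dport=8080 action=allow
2024-11-19T10:03:00Z src=10.0.0.5 dst=192.0.2.10 dport=443 action=allow
2024-11-19T10:04:00Z src=10.0.0.5 dst=198.51.100.7 dport=80 action=deny
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def is_ioc(ip_str):
    """True if the address is a listed C2 host or falls inside a listed C2 range."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # hostnames or malformed fields are not matched here
    if str(ip) in IOC_C2_IPS:
        return True
    return any(ip in net for net in IOC_C2_NETS)


def find_ioc_hits(log_text):
    """Scan log lines for destinations on the IoC list.

    Returns (hits, summary): hits is the list of parsed matching records
    (denied attempts count too, since the attempt itself is the signal);
    summary maps each internal source to the number of distinct C2
    destinations it contacted, which is useful for triage ordering.
    """
    hits = []
    per_src = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        if is_ioc(rec["dst"]):
            hits.append(rec)
            per_src[rec["src"]].add(rec["dst"])
    summary = {src: len(dsts) for src, dsts in per_src.items()}
    return hits, summary


def render_blocklist():
    """Collapse the IoC hosts and ranges into a minimal list of CIDR strings
    suitable for loading into a firewall address set."""
    nets = [ipaddress.ip_network(ip + "/32") for ip in IOC_C2_IPS] + IOC_C2_NETS
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    hits, summary = find_ioc_hits(SAMPLE_LOGS)
    for h in hits:
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']} ({h['action']})")
    print("hosts to triage:", summary)
    print("blocklist:", render_blocklist())
```

Denied connections are kept in the hit list on purpose: a blocked attempt still tells you which internal host (often a router or IoT device) is trying to reach the proxy infrastructure and should be checked for outdated firmware or default credentials.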