How are extensive malicious networks for tens of thousands of IoT devices created?
Trend Micro has identified a new cyber threat campaign in which the Water Barghest group turns thousands of vulnerable IoT devices into proxy networks within minutes of being compromised. Since 2020, attackers have infected more than 20,000 devices, using automated tools to quickly scale their actions.
As Trend Micro explains, the process from initial infection to the listing of a compromised device on a proxy marketplace takes less than 10 minutes. These proxies offer other cybercriminals and groups, including government-linked ones, anonymization through geographically plausible IP addresses, both for launching attacks and for accessing stolen data.
The Water Barghest campaign was discovered after the US FBI dismantled, in January, the infrastructure of a botnet used by Pawn Storm, also known as APT28. As part of its investigation, Trend Micro analyzed the hijacked EdgeRouter devices, which revealed the Ngioweb botnet used by Water Barghest.
Ngioweb was first spotted in 2017, while the current campaign uses an updated version of the malware targeting EdgeRouter, Cisco, DrayTek, Fritz!Box and Linksys devices, mainly in the United States. The intrusion begins with locating vulnerable devices through internet-scanning databases such as Shodan and then exploiting the vulnerabilities found.
The malware runs only in the device's RAM, which makes it non-persistent: rebooting the device removes the infection. Once installed, the program connects to its management (command-and-control) servers to test the connection, after which the device is automatically added to the aforementioned proxy marketplace.
Despite law enforcement actions against networks such as VPNFilter and Cyclops Blink, Trend Micro warns that IoT devices reachable from the internet remain vulnerable. The high demand for proxy services among cyber groups suggests that such attacks will continue.
Trend Micro recommends minimizing the exposure of IoT devices to the internet and implementing additional security measures to prevent them from being used in such campaigns.
Source