Tag Archive for: Proxy

TheMoon Botnet Resurfaces, Exploiting EoL Devices to Power Criminal Proxy


Mar 29, 2024 | Newsroom | Network Security / IoT Security


A botnet previously thought to have gone dormant has been observed enslaving end-of-life (EoL) small office/home office (SOHO) routers and IoT devices to fuel a criminal proxy service called Faceless.

“TheMoon, which emerged in 2014, has been operating quietly while growing to over 40,000 bots from 88 countries in January and February of 2024,” the Black Lotus Labs team at Lumen Technologies said.

Faceless, detailed by security journalist Brian Krebs in April 2023, is a malicious residential proxy service that offers anonymity to other threat actors for a negligible fee of less than a dollar per day.


In doing so, it allows the customers to route their malicious traffic through tens of thousands of compromised systems advertised on the service, effectively concealing their true origins.

The Faceless-backed infrastructure has been assessed to be used by operators of malware such as SolarMarker and IcedID to connect to their command-and-control (C2) servers to obfuscate their IP addresses.

That said, the majority of the bots are used for password spraying and/or data exfiltration, primarily against the financial sector; more than 80% of the infected hosts are located in the U.S.

Lumen said it first observed the malicious activity in late 2023. The goal is to breach EoL SOHO routers and IoT devices, deploy an updated version of TheMoon, and ultimately enroll the compromised devices into Faceless.


The attacks entail dropping a loader that’s responsible for fetching an ELF executable from a C2 server. This includes a worm module that spreads itself to other vulnerable servers and another file called “.sox” that’s used to proxy traffic from the bot to the internet on behalf of a user.

In addition, the malware configures iptables rules to drop incoming TCP traffic on ports 8080 and 80 while allowing traffic from three specific IP ranges. It also attempts to contact an NTP server from a list of legitimate NTP servers, likely to confirm that the infected device has internet connectivity and is not running in a sandbox.
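A firewall ruleset like the one described above is something a defender can check for on a suspect router. The following is an added example, not code from the article or from Black Lotus Labs: it parses `iptables -S` output and flags an INPUT chain that drops TCP 80 and 8080 while accepting traffic from a handful of source ranges. Because iptables evaluates rules in order, an ACCEPT-by-source rule placed before the DROP rules means those ports stay reachable from the allowlisted ranges, so the example also reports which sources would still get through. The three source ranges in the sample are RFC 5737 documentation prefixes standing in for the undisclosed real ones, and the rule order in the sample dump is an assumption.

```python
"""Flag iptables rulesets matching the TheMoon pattern (added example).

Assumptions not taken from the article: rules are read in `iptables -S` form,
the three source ranges below are RFC 5737 documentation prefixes used as
placeholders, and the order of the constructed sample rules is hypothetical.
"""
import shlex

MALWARE_DROP_PORTS = {"80", "8080"}

# Constructed sample: ACCEPT-by-source rules ahead of the port DROPs.
SUSPICIOUS_DUMP = """\
-P INPUT ACCEPT
-A INPUT -s 203.0.113.0/24 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
"""

# Constructed sample of an ordinary SOHO ruleset that should not match.
BENIGN_DUMP = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""


def parse_rules(dump: str) -> list[dict]:
    """Parse `iptables -S` append lines into dicts; -P/-N lines are skipped."""
    rules = []
    for idx, line in enumerate(dump.splitlines()):
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "-A":
            continue
        rule = {"idx": idx, "chain": tokens[1], "source": None,
                "proto": None, "dport": None, "target": None}
        i = 2
        while i < len(tokens):
            tok = tokens[i]
            if tok == "-s":
                rule["source"] = tokens[i + 1]
                i += 2
            elif tok == "-p":
                rule["proto"] = tokens[i + 1]
                i += 2
            elif tok == "--dport":
                rule["dport"] = tokens[i + 1]
                i += 2
            elif tok == "-j":
                rule["target"] = tokens[i + 1]
                i += 2
            elif tok == "-m":
                i += 2  # match extension name (e.g. "-m tcp"); options follow separately
            else:
                i += 1  # flags we do not model (-i, --ctstate values, ...)
        rules.append(rule)
    return rules


def find_suspicious_input_rules(dump: str) -> dict:
    """Report whether the INPUT chain shows the drop-80/8080 plus source-allowlist pattern."""
    rules = [r for r in parse_rules(dump) if r["chain"] == "INPUT"]
    drops = [r for r in rules
             if r["target"] == "DROP" and r["proto"] == "tcp"
             and r["dport"] in MALWARE_DROP_PORTS]
    # Source-only ACCEPTs: no protocol or port qualifier, just "-s <range> -j ACCEPT".
    accepts = [r for r in rules
               if r["target"] == "ACCEPT" and r["source"]
               and r["proto"] is None and r["dport"] is None]
    dropped_ports = {r["dport"] for r in drops}
    # First match wins in iptables: a source ACCEPT earlier in the chain beats a later DROP.
    first_drop = min((r["idx"] for r in drops), default=None)
    still_allowed = sorted(r["source"] for r in accepts
                           if first_drop is not None and r["idx"] < first_drop)
    return {
        "matches": dropped_ports == MALWARE_DROP_PORTS and len(accepts) >= 3,
        "dropped_ports": sorted(dropped_ports),
        "allowlisted_sources": sorted(r["source"] for r in accepts),
        "sources_still_reaching_ports": still_allowed,
    }


if __name__ == "__main__":
    for name, dump in (("suspicious", SUSPICIOUS_DUMP), ("benign", BENIGN_DUMP)):
        print(name, find_suspicious_input_rules(dump))
```

On a live device you would feed it the real output (`iptables -S INPUT`) rather than the constructed samples; the match condition is deliberately narrow (both ports dropped and at least three source-only ACCEPTs) so that ordinary port-closing rules do not trip it.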


The targeting of EoL appliances to fabricate the botnet is no…

Source…

Thousands of Asus routers taken over by malware to form new proxy service


Thousands of old, outdated Asus routers are being targeted by a new version of “TheMoon” malware botnet, turning them into a network of devices used by a criminal residential proxy service.

Researchers from Black Lotus Labs say the campaign started in early March 2024 and compromised roughly 6,000 Asus routers within 72 hours.

Source…

US Dismantles IPStorm Botnet Proxy Service


The US authorities have shut down a major botnet comprising tens of thousands of infected endpoints, which cyber-criminals hired to launch various attacks anonymously.

The IPStorm botnet and its infrastructure were dismantled earlier this year, according to the Department of Justice (DoJ).

Its alleged administrator, Russian and Moldovan national Sergei Makinin, pleaded guilty back in September to three counts of fraud and related activity in connection with computers. Each count carries a maximum sentence of 10 years.

The botnet operated from June 2019 to December 2022, turning compromised Windows, Linux, Mac and Android devices from around the world into proxies. These could then be rented out by cyber-criminals through two of Makinin’s websites: proxx.io and proxx.net.


The proxies enabled threat actors to bypass security filters and anonymize their traffic as they launched various cyber-attacks on victims. According to the DoJ, a single customer could pay hundreds of dollars a month to route their traffic through the botnet.

Makinin is said to have run around 23,000 such proxies as part of the botnet and admitted making at least $550,000 from the scheme.

“It is no secret that in present times, much criminal activity is conducted or enabled through cybernetic means. Cyber-criminals seek to remain anonymous and derive a sense of security because they hide behind keyboards, often thousands of miles away from their victims,” said Joseph González, special agent in charge of the FBI’s San Juan Field Office.

“The FBI’s cyber mission has been to impose risk and consequences on our adversaries, ensuring cyberspace is no safe space for criminal activity. This case is one example of how we are doing just that.”

The FBI urged device owners to keep up to date with the latest security and software patches to mitigate the risk of their machines becoming compromised and conscripted into such a botnet.

Source…

Breach Exposes Users of Microleaves Proxy Service – Krebs on Security


Microleaves, a ten-year-old proxy service that lets customers route their web traffic through millions of Microsoft Windows computers, recently fixed a vulnerability in their website that exposed their entire user database. Microleaves claims its proxy software is installed with user consent, but data exposed in the breach shows the service has a lengthy history of being supplied with new proxies by affiliates incentivized to distribute the software any which way they can — such as by secretly bundling it with other titles.

The Microleaves proxy service, which is in the process of being rebranded to Shifter[.]io.

Launched in 2013, Microleaves is a service that allows customers to route their Internet traffic through PCs in virtually any country or city around the globe. Microleaves works by changing each customer’s Internet Protocol (IP) address every five to ten minutes.

The service, which accepts PayPal, Bitcoin and all major credit cards, is aimed primarily at enterprises engaged in repetitive, automated activity that often results in an IP address being temporarily blocked — such as data scraping, or mass-creating new accounts at some service online.

In response to a report about the data exposure from KrebsOnSecurity, Microleaves said it was grateful for being notified about a “very serious issue regarding our customer information.”

Abhishek Gupta is the PR and marketing manager for Microleaves, which he said is in the process of being rebranded to “Shifter.io.” Gupta said the report qualified as a “medium” severity security issue in Shifter’s brand new bug bounty program (the site makes no mention of a bug bounty), which he said offers up to $2,000 for reporting data exposure issues like the one they just fixed. KrebsOnSecurity declined the offer and requested that Shifter donate the amount to the Electronic Frontier Foundation (EFF), a digital rights group.

From its inception nearly a decade ago, Microleaves has claimed to lease between 20-30 million IPs via its service at any time. Riley Kilmer, co-founder of the proxy-tracking service Spur.us, said that 20-30 million number might be accurate for Shifter if measured across a six-month time…

Source…