Water Barghest Sells Hijacked IoT Devices for Proxy Botnet Misuse

Published: 23/11/2024   Category: security




An elusive, sophisticated cybercriminal group has used known and zero-day vulnerabilities to compromise more than 20,000 SOHO routers and other IoT devices so far, and is putting them up for sale on a residential proxy marketplace for state-sponsored cyber-espionage actors and others to use.



A cybercriminal group is exploiting vulnerabilities in Internet of Things (IoT) devices and then turning a tidy profit by putting them up for sale on a residential proxy marketplace, where they can be turned into proxy botnets by state-sponsored advanced persistent threats (APTs) and other malicious actors.

The gang, tracked as Water Barghest, has already compromised more than 20,000 IoT devices, including small office and home office (SOHO) routers used by businesses, by using automated scripts to identify and compromise vulnerable devices, according to new research from Trend Micro. The threat actor, which has operated for more than five years (largely under the radar due to a sophisticated automation strategy), discovers vulnerable IoT devices from public Internet-scanning databases such as Shodan, the researchers noted.

Once Water Barghest compromises devices, it deploys proprietary malware called Ngioweb to register the device as a proxy — i.e., a network that puts an intermediary between a client and a server. Water Barghest then lists the device for sale on a residential proxy marketplace for other threat actors to purchase.

"The entire cybercriminal process to enslave a target takes as little as 10 minutes, indicating a highly efficient and automated operation," Trend Micro researchers Feike Hacquebord and Fernando Mercês wrote in the post.
There is indeed a significant incentive for both espionage-motivated and financially motivated actors to set up proxy botnets to help hide where their malicious activities originate; Russia's Sandworm, for example, recently used the VPNFilter botnet and Cyclops Blink in activities against Ukraine that were elusive for a time before being ultimately disrupted by the FBI, according to Trend Micro.

"These [botnets] can serve as an anonymization layer, which can provide plausibly geolocated IP addresses to scrape contents of websites, access stolen or compromised online assets, and launch cyberattacks," the researchers wrote.

Threat actors can find any IoT device that accepts incoming connections on the open Internet using public scanning services, making it easy for them to compromise ones with known vulnerabilities, or even zero-days, for future use in malicious activities, they wrote. "This makes it easy for threat actors like Water Barghest to exploit them for financial gain and further abuse," they added.
Trend Micro discovered Water Barghest's operation during an investigation of the Department of Justice's disruption of a Russian military intelligence botnet that Russian state-sponsored threat group Fancy Bear (aka APT28) used for global cyber espionage.

The researchers examined EdgeRouter devices that had been used by Sandworm, and eventually uncovered Water Barghest's Ngioweb malware and botnet. The group's infrastructure had been up and running for more than five years but had been able to evade detection by security researchers and law enforcement because of their careful operational security and high degree of automation, the researchers wrote.

"They quietly erased log files from their servers and made forensic analysis more difficult," they wrote. "They removed human error from their operations by automating almost everything. They also removed financial traceability by using cryptocurrency for anonymous payments."
Water Barghest automates each step of the 10-minute process, from initially finding vulnerable IoT devices to ultimately putting them up for sale on a residential proxy marketplace. The group first acquires known exploits for flaws in devices, then uses search queries on one of the publicly available Internet-scanning databases to find vulnerable devices and their IP addresses. It then uses a set of data center IP addresses to try the exploits against potentially vulnerable IoT devices.

When one works, the compromised IoT device downloads a script that iterates through Ngioweb malware samples compiled for different Linux architectures. When one of the samples runs successfully, Ngioweb runs in memory on the victim's IoT device, registering it with a command-and-control (C2) server, after which the device is eventually listed on a Dark Web marketplace.

Water Barghest has about 17 identities on virtual private servers that continuously scan routers and IoT devices for known vulnerabilities and also upload Ngioweb malware to freshly compromised IoT devices. In this way, Water Barghest has been running a profitable business for years, with the worker IP addresses changing slowly over time, according to the Trend Micro analysis.
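Because the report describes Ngioweb as running in memory on Linux devices rather than from a file on disk, one defender-side check is to look for running processes whose executable image no longer exists on the filesystem. The following is an added example, not code from Trend Micro or the article; it assumes standard Linux `/proc` semantics (the kernel appends ` (deleted)` to the `/proc/<pid>/exe` link when the backing file was unlinked, and `memfd_create()` images appear as `/memfd:<name> (deleted)`), and the sample link table is constructed for illustration.

```python
"""Flag Linux processes whose main executable exists only in memory."""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Kernel conventions for /proc/<pid>/exe symlink targets (assumed, see lead-in).
_DELETED = re.compile(r"\s\(deleted\)$")
_MEMFD = re.compile(r"^/memfd:")


@dataclass
class Finding:
    pid: int
    exe: str
    reason: str


def classify_exe_link(link: str) -> Optional[str]:
    """Return why a link target looks memory-only, or None if it looks normal."""
    if _MEMFD.search(link):
        return "memfd-backed executable"
    if _DELETED.search(link):
        return "executable deleted from disk"
    return None


def find_memory_only(exe_links: Dict[int, str]) -> List[Finding]:
    """Pure function over a {pid: exe_link} table so it can be tested offline."""
    return [Finding(pid, link, reason)
            for pid, link in sorted(exe_links.items())
            if (reason := classify_exe_link(link)) is not None]


def read_proc_exe_links(proc_root: str = "/proc") -> Dict[int, str]:
    """Collect readable /proc/<pid>/exe targets on a live Linux host."""
    links: Dict[int, str] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            links[int(entry)] = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:  # kernel threads, exited processes, or no privilege
            continue
    return links


# Constructed sample table standing in for a real /proc walk.
SAMPLE_LINKS = {1: "/sbin/init", 412: "/usr/sbin/dropbear",
                9031: "/memfd:ng (deleted)", 9044: "/tmp/.x86_64 (deleted)"}

if __name__ == "__main__":
    for f in find_memory_only(read_proc_exe_links()):
        print(f"pid={f.pid} exe={f.exe!r} reason={f.reason}")
```

A deleted executable is not proof of compromise (a package upgrade that replaced a binary while a daemon kept running produces the same link), so treat hits as triage leads and pair them with the network exposure checks the report recommends.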
Trend Micro expects that both the commercial market for residential proxy services and the underground market of proxies will grow in the coming years due to high demand from APTs and financially motivated cybercriminal groups alike. This growth will pose a challenge for many enterprises and government organizations around the world to protect against the anonymization layers behind which these groups hide, the researchers wrote.
While law enforcement has been effective in disrupting proxy botnets, it's better to go directly to the source to combat the problem, and that can be done by addressing the security of IoT devices. Indeed, these devices are notoriously hackable, posing a problem for organizations that must manage increasingly larger networks of them.

"It is important [for organizations] … to put mitigations in place to avoid their infrastructure being part of the problem itself," the researchers wrote. They can do this, they added, by limiting the exposure of these devices to incoming connections from the open Internet whenever it is not business-essential.
