{"id":3864,"date":"2025-05-10T10:03:55","date_gmt":"2025-05-10T10:03:55","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/05\/10\/20-years-old-proxy-botnet-network-dismantled-that-exploits-1000-unique-unpatched-devices-weekly\/"},"modified":"2025-05-10T10:03:55","modified_gmt":"2025-05-10T10:03:55","slug":"20-years-old-proxy-botnet-network-dismantled-that-exploits-1000-unique-unpatched-devices-weekly","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/05\/10\/20-years-old-proxy-botnet-network-dismantled-that-exploits-1000-unique-unpatched-devices-weekly\/","title":{"rendered":"20 Years old Proxy Botnet Network Dismantled That Exploits 1000 Unique Unpatched Devices Weekly"},"content":{"rendered":"<div>\n<p>In a coordinated effort, Lumen Technologies\u2019 Black Lotus Labs, the U.S. Department of Justice (DOJ), the Federal Bureau of Investigation (<a href=\"https:\/\/www.ic3.gov\/CSA\/2025\/250507.pdf\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">FBI<\/a>), and the Dutch National Police have dismantled a sophisticated criminal proxy network that has operated since 2004. 
<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiz_Wz2wjuKidOFYiosh1aC_Ja3kLmvnuJZeKHXlN5M4dJSwZYgM0X9L3vCAxe2U9BVXqCRzAbMAmQUGM_hk42xkCAyE8w-3LoqQR1pMuRdYGjGUQs0febVq3bXSpOiIbv1-k5yUnhUJgzHG3ELX9atAlMgljhzAlXoviecKcjkhOLQKGVgAHj0JQnSlpiH\/s16000\/socks1.jpg?ssl=1\" alt=\"\"><figcaption class=\"wp-element-caption\"><em>Proxy network homepage<\/em><\/figcaption><\/figure>\n<\/div>\n<p>The botnet, tracked by Black Lotus Labs for over a year, infected thousands of <a href=\"https:\/\/cybersecuritynews.com\/can-vpns-protect-smart-homes-and-connected-devices\/\" target=\"_blank\" rel=\"noreferrer noopener\">Internet of Things<\/a> (IoT) and end-of-life (EoL) devices, creating a veil of anonymity for malicious actors engaging in activities such as ad fraud, DDoS attacks, brute-forcing, and data exploitation.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Botnet Operations and Infrastructure<\/strong><\/h2>\n<p>The botnet, powered by malware targeting unpatched IoT and small office\/home office (SOHO) devices in residential IP spaces, maintained an average of 1,000 unique bots weekly, communicating with command-and-control (C2) servers located in Turkey. 
<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjSSXPcLPDJzvp2Kip0UnkS5lKbzAHf6pTGvp_HlisNrpOx-10yH_7t7ny_iFk8-SeKVZC0St3bJPc59RMKqGaOQg8MyFtBZGfuDqW7Km_LlxNgFvqekn-BnmcIcbj8vSec-K_eYzzgGmL98FA84YPnlORI5Lpp-y31yL-UzGBsTnT2mZI43pcAZ5dQ9ivP\/s16000\/socks3.jpg?ssl=1\" alt=\"\"><figcaption class=\"wp-element-caption\"><em>Command and control infrastructure<\/em><\/figcaption><\/figure>\n<\/div>\n<p>Over 50% of the infected devices were in the United States, with Canada and Ecuador following as significant infection hubs. The botnet\u2019s operators claimed a daily pool of 7,000 proxies, though Black Lotus Labs\u2019 telemetry suggests a smaller but highly effective network.<\/p>\n<p>The C2 infrastructure comprised five servers, four of which used HTTP port 80 for victim communication, while one leveraged UDP port 1443 for data collection. <\/p>\n<p>The botnet\u2019s longevity and low detection rate (only 10% of its proxies were flagged by tools like VirusTotal) stemmed from its focus on EoL devices, which lack vendor support and cannot be patched. 
<\/p>\n<p>By exploiting known vulnerabilities rather than zero-day flaws, the operators maintained bot lifecycles averaging over a week, ensuring stability and anonymity for users.<\/p>\n<p>According to the Lumen <a href=\"https:\/\/blog.lumen.com\/black-lotus-labs-helps-demolish-major-criminal-proxy-network\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">report<\/a>, \u201ca wide variety of infected IoT device types, indicating this botnet is likely using several exploits to obtain new victims, though we do not assess the operators are using zero or one-day vulnerabilities at this time.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><strong>Proxy-as-a-Service Model<\/strong><\/h2>\n<p>The proxy service operated on a \u201crent-a-proxy\u201d model, accepting cryptocurrency payments and providing users with IP addresses and ports valid for 24 hours. <\/p>\n<p>Notably, the service required no authentication, allowing unrestricted access to proxies once discovered, a tactic reminiscent of other botnets like NSOCKS and Faceless.<\/p>\n<p> This open-access policy amplified the botnet\u2019s threat, enabling a wide range of malicious actors to exploit it for free. The operators also performed deny-list checks, ensuring proxies evaded common monitoring tools, further complicating detection.<\/p>\n<p>Lumen disrupted the botnet by null-routing all traffic to and from its <a href=\"https:\/\/cybersecuritynews.com\/cloudsorcerer-apt-cloud-services\/\" target=\"_blank\" rel=\"noreferrer noopener\">C2 servers<\/a> across its global backbone, effectively dismantling the known infrastructure. <\/p>\n<p>The operation was supported by intelligence from Spur and built on earlier findings from CERT Orange Polska\u2019s 2023 report. 
Black Lotus Labs has published indicators of compromise (IoCs) and C2 details on its <a href=\"https:\/\/github.com\/blacklotuslabs\/IOCs\/blob\/main\/socks_IOCs.txt\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">GitHub page<\/a> to aid defenders.<\/p>\n<p>Proxy botnets exploiting residential IPs remain a persistent threat, particularly as EoL devices and IoT adoption grow. <\/p>\n<p>Black Lotus Labs highlighted the challenge of detecting such traffic, which blends seamlessly with legitimate residential activity. The firm recommends that corporate defenders monitor for suspicious login attempts, block known proxy IPs, and deploy advanced countermeasures.<\/p>\n<p>For consumers, best practices include rebooting routers, applying security updates, replacing EoL devices, and securing management interfaces.<\/p>\n<p>Lumen commended the FBI and Dutch National Police for their roles in the takedown and emphasized ongoing collaboration with law enforcement to target similar networks.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/20-years-old-proxy-botnet-network-dismantled\/\">20 Years old Proxy Botnet Network Dismantled That Exploits 1000 Unique Unpatched Devices Weekly<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Balaji N<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/20-years-old-proxy-botnet-network-dismantled\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>20 Years old Proxy Botnet Network Dismantled That Exploits 1000 Unique Unpatched Devices Weekly In a coordinated effort, Lumen Technologies\u2019 Black Lotus Labs, the U.S. Department of Justice (DOJ), the Federal Bureau of Investigation (FBI), and the Dutch National Police have dismantled a sophisticated criminal proxy network that has operated since 2004. 
Proxy network homepage [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63],"tags":[130],"class_list":["post-3864","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/3864"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=3864"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/3864\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=3864"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=3864"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=3864"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}