After hacking millions of devices, DoJ operation shuts down RSocks botnet
The botnet, disguised as a proxy service, infiltrated millions of devices around the worldBy Jimmy Pezzone 11 comments
The big picture: The U.S. Department of Justice (DoJ) recently disclosed a worldwide effort to dismantle the infrastructure of RSOCKS, a large Russian-based botnet disguised as a proxy service. The DoJ worked with law enforcement from the U.K., Germany, and the Netherlands in the coordinated effort to disrupt the organization's operations. The botnet, which sold the IPs of hacked devices to users of its proxy service, included millions of devices around the world ranging from garage door openers to IoT devices. The seizure is the result of investigations dating back to 2017.
The RSOCKS botnet originally targeted IoT devices such as industrial control systems, clocks, streaming devices, etc. As the botnet grew, it expanded to include standard desktop, laptop, and Android-based devices. IPs from these devices were collected, stored, and sold to any hacker willing to pay the asking price via a Web-based storefront. Using this storefront, RSOCKS hackers were charged anywhere from $30 on the low end to $200 per day for access to 2,000 to 90,000 proxies, respectively.
Once purchased, the hackers were given the opportunity to download a list of IP addresses used to route malicious traffic across legitimate devices, allowing them to hide the traffic's true origination point. The site has since been seized by the DoJ and now redirects users to the following message and link for additional information.
The Federal Bureau of Investigation (FBI) began investigating RSOCKS and conducted several undercover purchases in early 2017. The purchases provided the investigators with access to the RSOCKS botnet, leading them to identify 325,000 devices that were compromised via brute force attacks. The impacted devices included large entities such as a university, hotel, television station, and an electronics manufacturer as well as numerous small businesses and individuals. Several identified victims were contacted and later worked with Federal investigators to replace their compromised devices with honeypots to further aid the investigation efforts.
Botnets are large pools of infected devices used to carry out any number of attacks against legitimate targets. Infected devices, also referred to as zombies, provide hackers with the ability to read and write data, obtain personal data, monitor activity, search for additional vulnerabilities, and install & run other applications on the device, all without the owner's consent. The infected devices can also be used to distribute malicious traffic while hiding the information's true origin point.
The FBI continues to actively identify, investigate, and counter cyber threats by partnering with enforcement agencies around the world. Any victims of cybercrime are encouraged to contact and report cyber incidents through the Internet Crimes Complaint Center (IC3). The site provides impacted parties with the tools to file a complaint as well as information to help determine who should file, what should be filed, and what happens once a complaint is filed.
Image credit: Global network by royyimzy25414