Law enforcement agencies from the United States and three other countries have shut down a botnet operated by Russian cybercriminals and leased out to other hackers for malicious uses, the Justice Department announced.
The DOJ said the RSOCKS botnet, made up of millions of compromised devices, was allegedly rented out to other criminal groups to mask their web traffic and conduct cyberattacks.
Authorities believed that criminals paying for access to the botnet used it to hide their identities while accessing compromised social media accounts, sending malicious emails such as phishing messages, and launching large-scale attacks against authentication services, known as credential stuffing.
The Russian operators of RSOCKS initially built the botnet from Internet of Things devices, but the DOJ said they later compromised a broad range of internet-connected devices, including industrial control systems, routers, video streaming devices, and even smart garage door openers.
The Russian criminal group rented out access to the massive botnet through a storefront on a website. Customers could pay for access on a daily, weekly, or monthly basis, and the cost ranged from $30 per day for access to 2,000 compromised devices to $200 per day for access to 90,000 devices, the DOJ said.
FBI investigators used undercover purchases to obtain access to the RSOCKS botnet and identify its back-end infrastructure and its victims, the DOJ said. An early 2017 undercover purchase identified about 325,000 compromised devices at the time.
When criminals use botnet devices as relays or proxy servers, they make it tricky for companies to identify malicious web traffic, said Elizabeth Wharton, vice president of operations at cybersecurity provider SCYTHE.
“Using these devices as proxy servers is another example of how threat actors weaponize internet-connected devices to evade detection,” she said. “By using the device as a proxy server to create a local IP address, the malicious activity will likely go undetected because it doesn’t trigger an alert.”
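The evasion Wharton describes, and the credential stuffing mentioned earlier, show up on the defender's side as login failures spread thinly across many residential-looking IP addresses, so a per-IP threshold never fires. The following is an added example, not code from the article or from any of the companies quoted: it runs a classic per-IP rule and an aggregate rule over constructed sample login events (the IP addresses, account names and thresholds are made up for illustration).

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed login events (timestamp, source IP, account, outcome); not data
# from the article. Each IP appears at most twice, as proxied traffic does.
SAMPLE_LOG = """\
2022-06-01T10:00:01 203.0.113.10 alice FAIL
2022-06-01T10:00:02 203.0.113.11 bob FAIL
2022-06-01T10:00:03 203.0.113.12 carol FAIL
2022-06-01T10:00:04 203.0.113.13 dave FAIL
2022-06-01T10:00:05 203.0.113.14 erin FAIL
2022-06-01T10:00:06 203.0.113.15 frank FAIL
2022-06-01T10:00:07 203.0.113.16 grace OK
2022-06-01T10:00:08 203.0.113.17 heidi FAIL
2022-06-01T10:00:09 203.0.113.10 ivan FAIL
2022-06-01T10:00:10 198.51.100.5 alice OK
"""

def parse(log):
    """Turn the text log into (datetime, ip, account, outcome) tuples."""
    events = []
    for line in log.splitlines():
        ts, ip, account, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, outcome))
    return events

def per_ip_alerts(events, threshold=5):
    """Classic rule: flag any single IP with >= threshold failed logins."""
    fails = Counter(ip for _, ip, _, out in events if out == "FAIL")
    return {ip: n for ip, n in fails.items() if n >= threshold}

def distributed_alerts(events, window=timedelta(minutes=5),
                       min_fails=8, min_ips=6, min_fail_ratio=0.7):
    """Aggregate rule: per time bucket, alert when failures are numerous, come
    from many distinct IPs and dominate the attempts. Thresholds are illustrative."""
    buckets = defaultdict(list)
    for ts, ip, account, out in events:
        buckets[ts.timestamp() // window.total_seconds()].append((ip, account, out))
    alerts = []
    for key, evs in sorted(buckets.items()):
        fails = [e for e in evs if e[2] == "FAIL"]
        ips = {ip for ip, _, _ in fails}
        accounts = {acct for _, acct, _ in fails}
        ratio = len(fails) / len(evs)
        if len(fails) >= min_fails and len(ips) >= min_ips and ratio >= min_fail_ratio:
            alerts.append({"bucket": int(key), "fails": len(fails),
                           "distinct_ips": len(ips), "accounts": len(accounts),
                           "fail_ratio": round(ratio, 2)})
    return alerts
```

On the sample, `per_ip_alerts` returns nothing while `distributed_alerts` raises one alert for the bucket; in practice the aggregate thresholds must be tuned against the site's normal failure baseline.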
Several cybersecurity experts praised the efforts of the DOJ and law enforcement agencies in Germany, the Netherlands, and the United Kingdom to disrupt the botnet. A takedown of a hacking group is “always a good thing,” said Josh Smith, an analyst at cybersecurity provider Nuspire. However, some botnets spring back up later.
“With the takedown, RSOCKS has been significantly crippled,” he told the Washington Examiner. “Unfortunately, we’ve seen botnets … shut down before but then resurface over time. Time will tell if this botnet will rebuild or rebrand or will stay shut down.”
The disruption of RSOCKS will have a positive impact on cybersecurity in the short term, added Brian Contos, chief security officer of Phosphorus, an IoT cybersecurity provider.
“Since this botnet appears to have been used for credential stuffing attacks, malicious spam, and fake social media accounts, the criminal groups engaged in those activities will have to replace part of their infrastructure to continue with those attacks,” he told the Washington Examiner. “However, this probably won’t take them very long.”
And IoT-based botnets are “extremely easy” for criminal groups to set up, he added. “Disrupting botnets is a game of whack-a-mole,” he said. “To say IoT devices are vulnerable and an easy target for criminal hackers is an understatement.”
Phosphorus’s research found that 50% of all deployed IoT devices still have their default passwords and 70% have significant vulnerabilities in their firmware.
Smith agreed, saying the Russian criminal group was aided in building the botnet by poor IoT security. Many of the millions of IoT devices connected to the internet come with weak security, such as “admin” for both the username and password, he noted.
“IoT devices often get connected by users and forgotten about,” Smith said. “Owners need to be mindful of their network’s digital footprint and ensure that these IoT devices are receiving proper firmware updates as released by the vendor.”