International operation takes down Russian RSOCKS botnet

$200 a day buys you 90,000 victims

A Russian-operated botnet known as RSOCKS has been shut down by the US Department of Justice, acting with law enforcement partners in Germany, the Netherlands and the UK. It is believed to have compromised millions of computers and other devices around the globe.

The RSOCKS botnet functioned as an IP proxy service, but instead of offering legitimate IP addresses leased from internet service providers, it was providing criminals with access to the IP addresses of devices that had been compromised by malware, according to a statement from the US Attorney’s Office in the Southern District of California.

It seems that RSOCKS initially targeted a variety of Internet of Things (IoT) devices, such as industrial control systems, routers, audio/video streaming devices and various internet-connected appliances, before expanding to other endpoints such as Android devices and conventional computers.

The DoJ said that the RSOCKS operators compromised target devices simply by brute-forcing their login credentials, rather than by exploiting any software vulnerability. In other words, the botnet was built on password guessing against exposed management services, which no patch fixes.
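Because the intrusion vector was password guessing rather than an exploit, the useful defender-side check is in the authentication logs. The script below is an added example, not code from the article or from any of the agencies involved: it parses constructed OpenSSH-style syslog lines (sample data embedded inline, with RFC 5737 documentation addresses), finds sources whose failed-login attempts exceed a threshold inside a sliding time window, lists the usernames each source tried, and flags whether a successful login from the same source followed the burst, which is the signal that the device is now probably a proxy node. The log format, field names and thresholds are assumptions for the example.

```python
"""Flag brute-force SSH sources in sshd syslog lines (constructed sample data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real traffic. 203.0.113.7 is a fast burst that
# succeeds; 198.51.100.2 is a user typo; 203.0.113.9 is a low-and-slow guesser.
SAMPLE_AUTH_LOG = """\
Jun 17 10:00:01 router sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun 17 10:00:03 router sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Jun 17 10:00:05 router sshd[1205]: Failed password for invalid user pi from 203.0.113.7 port 51026 ssh2
Jun 17 10:00:06 router sshd[1207]: Failed password for root from 203.0.113.7 port 51028 ssh2
Jun 17 10:00:08 router sshd[1209]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jun 17 10:00:09 router sshd[1211]: Failed password for invalid user user from 203.0.113.7 port 51032 ssh2
Jun 17 10:00:11 router sshd[1213]: Accepted password for root from 203.0.113.7 port 51034 ssh2
Jun 17 10:02:40 router sshd[1220]: Failed password for alice from 198.51.100.2 port 40001 ssh2
Jun 17 10:02:55 router sshd[1222]: Accepted publickey for alice from 198.51.100.2 port 40002 ssh2
Jun 17 10:05:00 router sshd[1230]: Failed password for root from 203.0.113.9 port 33001 ssh2
Jun 17 10:15:00 router sshd[1231]: Failed password for root from 203.0.113.9 port 33002 ssh2
Jun 17 10:25:00 router sshd[1232]: Failed password for root from 203.0.113.9 port 33003 ssh2
Jun 17 10:35:00 router sshd[1233]: Failed password for root from 203.0.113.9 port 33004 ssh2
Jun 17 10:45:00 router sshd[1234]: Failed password for root from 203.0.113.9 port 33005 ssh2
"""

# Matches OpenSSH "Failed/Accepted password|publickey" lines (assumed format).
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_events(text, year=2022):
    """Return (timestamp, result, user, ip) tuples; lines that do not match are skipped.

    Syslog timestamps carry no year, so one is supplied by the caller.
    """
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_brute_force(text, threshold=5, window_seconds=60, year=2022):
    """Return {ip: report} for sources with >= threshold failures inside any window.

    report = {"peak_failures": int, "users": [sorted usernames tried],
              "success_after_burst": bool}
    """
    window = timedelta(seconds=window_seconds)
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, user, ip in sorted(parse_events(text, year)):
        (failures if result == "Failed" else successes)[ip].append((ts, user))

    findings = {}
    for ip, fails in failures.items():
        # Sliding window over this source's time-ordered failures: advance the
        # start index until the span fits, track the densest window seen.
        peak, start, burst_end = 0, 0, None
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 > peak:
                peak, burst_end = end - start + 1, fails[end][0]
        if peak < threshold:
            continue
        findings[ip] = {
            "peak_failures": peak,
            "users": sorted({u for _, u in fails}),
            # A successful login at or after the burst means the guess landed.
            "success_after_burst": any(ts >= burst_end for ts, _ in successes.get(ip, [])),
        }
    return findings


if __name__ == "__main__":
    for ip, report in detect_brute_force(SAMPLE_AUTH_LOG).items():
        print(ip, report)
```

With the default 60-second window only the fast burst is reported, and its `success_after_burst` flag is set because the `Accepted password for root` line follows it. The 10-minutes-apart guesser from 203.0.113.9 evades that window entirely; rerunning with `window_seconds=3600` catches it, which is the usual trade-off in this kind of detection: tight windows keep the noise down, wide windows catch low-and-slow guessing against default credentials.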

Security experts and analysts have been warning for many years about the threat posed by IoT devices, especially those aimed at consumers, who are unlikely to know or care much about security settings or about applying software updates promptly. Large corporations have been known to get careless too.

According to the DoJ, cybercriminals who wanted to use the RSOCKS platform could simply access a web-based storefront which allowed them to pay for access to a pool of proxies for a specified time period, with prices ranging from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies.

The RSOCKS website now bears a statement saying that the site has been seized by the FBI in accordance with a seizure warrant obtained by the DoJ and the US Attorney’s Office, but an archive copy of the website available on the Wayback Machine internet archive shows that it did look like just another proxy service storefront.

The DoJ believes that users of RSOCKS were conducting various illicit activities, including attacks against authentication services via credential stuffing, or sending malicious email such as phishing messages.

It appears that FBI investigators used the simple tactic of purchasing access to RSOCKS in order to get inside it and identify its backend infrastructure and its victims. The initial undercover purchases date back to 2017 and identified approximately 325,000 compromised devices throughout the world.

According to the DoJ, victims of the RSOCKS botnet included a number of large public and private organizations, including a university, a hotel, a television studio, and an electronics manufacturer, as well as home businesses and numerous individuals. ®

Biting the hand that feeds IT © 1998–2022