International Law Enforcement Partnership Takes Down Russian Botnet; Illicit Proxy Service Had Been Selling Hacked IP Addresses

The US Department of Justice (DOJ), in partnership with law enforcement agencies from several European countries, has taken down a major Russian botnet that had compromised millions of devices worldwide. The botnet was essentially functioning as an underground proxy service provider for criminals, allowing for rental of the IP addresses attached to its collection of hacked IoT devices, Android phones and computers.

Russian botnet rented access to thousands of proxies for as little as $30 per day

RSOCKS is a Russian botnet that has been active since at least 2014, the first point at which its handlers began to advertise it openly on underground forums in the country. Over the years the botnet has amassed millions of devices in its collection, first focusing on compromising poorly secured Internet of Things (IoT) devices but soon moving on to include Android phones/tablets and even computers.

Illicit actors rented access to RSOCKS as a proxy service, primarily for the purpose of brute force / password guessing login campaigns, disguising the sources of traffic for phishing campaigns, and distributed denial of service (DDoS) attacks. This was as simple as accessing a dark web storefront that allowed rental of varying amounts of proxies by the day, ranging in price from $30 for 2,000 to $200 for 90,000.

Tom Garrubba (Risk, Cyber, and Privacy Executive, Shared Assessments) expands on the risk that these bogus proxy services present, and why takedowns of the ones of the magnitude of the Russian botnet are a major cybersecurity win: “It is great to see that law enforcement is making progress towards taking down these large botnets as of late. Botnets are so dangerous because they control large swaths of vulnerable computer systems at a scale unlike any other attack. Those infected computer pools can then be pointed at legitimate resources and cause havoc. Botnets can perform very disruptive attacks like Distributed Denial of Service or large-scale vulnerability exploitation to sell to initial access brokers who will later lend that access to ransomware gangs.”

There are legitimate proxy services in the world, but they cut off customers for engaging in the sort of cyber criminal…