A notorious cybercriminal group known as "Water Barghest" has been exploiting vulnerabilities in Internet of Things (IoT) devices, profiting by listing these compromised devices on residential proxy marketplaces. This allows attackers, including state-sponsored advanced persistent threats (APTs), to leverage these devices as proxy botnets.
Overview of Water Barghest's Operations
Research conducted by Trend Micro has revealed that Water Barghest has already compromised over 20,000 IoT devices. Using automated tools, the group identifies and breaches SOHO routers and other vulnerable devices; its operations have continued for more than five years thanks to a sophisticated automation strategy. It locates susceptible devices through public Internet-scanning databases such as Shodan. Upon compromising a device, Water Barghest installs malware called Ngioweb that turns it into a proxy, effectively creating an intermediary network. The compromised devices are then offered for sale on a residential proxy marketplace, making them accessible to other cybercriminals. The entire process, from breach to sale listing, can be completed in roughly 10 minutes, showcasing the efficiency of the group's automated methods, according to Trend Micro researchers Feike Hacquebord and Fernando Mercês.
Proxy Botnets as a Cybercrime Business Model
Proxy botnets are appealing to various malicious actors, for both espionage and financial motives, because they obscure the origin of cyberattacks. For instance, Russian entities such as Sandworm have used similar botnet strategies in operations against Ukraine, leveraging the anonymity this approach provides. These botnets function as anonymization layers that hide the attacker's real IP address and enable activities such as website scraping or launching cyberattacks. The ease with which public scanning services can be used to locate IoT devices with exploitable vulnerabilities adds to their attractiveness for threat actors like Water Barghest.
Unveiling the Botnet Operations
Trend Micro uncovered Water Barghest's operation during an investigation into Russian intelligence-related botnets operated by APT28 (Fancy Bear). During this probe, researchers stumbled upon the clandestine network, which was accessible due to the EdgeRouter devices exploited by Sandworm. For over five years, Water Barghest evaded detection by employing stringent operational security measures and automating nearly every aspect of its operation. The group left no financial trail, using cryptocurrency payments, and made forensic analysis challenging by erasing server logs.
Sophisticated, Automated Attack Strategy
Water Barghest's process involves using known exploits to breach IoT devices, relying on public databases to pinpoint vulnerable targets. After a successful breach, the IoT device fetches and executes the Ngioweb malware, which runs in memory and registers with a command-and-control (C2) server, before the device is sold on a Dark Web marketplace. The group operates using approximately 17 different identities on virtual private servers that continuously scan for vulnerabilities.
Enhancing Security for IoT Devices
As demand for proxy services and botnets grows, the challenge of countering these campaigns will increase, affecting both businesses and government entities. Addressing the root of the problem – the security of IoT devices – remains a priority. To avoid their infrastructure falling prey to such threats, organizations should take steps to minimize IoT devices' exposure to unnecessary Internet-based connections. Implementing these mitigations will be crucial in preventing their networks from being exploited as part of malicious proxy networks.
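One defensive check that follows from the behaviour described above: an IoT device turned into a residential proxy relays other people's connections, so it suddenly talks to many unrelated destinations instead of only its vendor cloud. The script below is an added example, not code from the article or from Trend Micro; the flow-log lines, the per-device allowlist of expected destinations and the threshold are all constructed for illustration.

```python
"""Flag LAN devices whose outbound flows look like relayed proxy traffic.

Added example (not from the article or Trend Micro). A compromised IoT
device acting as a residential proxy relays third-party connections, so
it contacts many destinations it has no legitimate reason to reach.
Flow records, the allowlist and the threshold are constructed.
"""
from collections import defaultdict

# Constructed flow-log lines: timestamp src_ip dst_ip dst_port bytes
SAMPLE_FLOWS = """\
2024-11-18T10:00:01 192.168.1.20 203.0.113.10 443 1200
2024-11-18T10:00:05 192.168.1.20 203.0.113.10 443 900
2024-11-18T10:00:07 192.168.1.30 198.51.100.5 443 5000
2024-11-18T10:00:08 192.168.1.30 198.51.100.77 80 4100
2024-11-18T10:00:09 192.168.1.30 198.51.100.91 443 3300
2024-11-18T10:00:10 192.168.1.30 198.51.100.12 8443 700
2024-11-18T10:00:11 192.168.1.30 198.51.100.140 443 2800
2024-11-18T10:00:12 192.168.1.30 198.51.100.33 443 600
"""

# Assumed per-device allowlist: the vendor cloud each device should contact.
EXPECTED = {"192.168.1.20": {"203.0.113.10"}, "192.168.1.30": {"203.0.113.10"}}


def parse_flows(text):
    """Parse flow lines into (src, dst, port, bytes) tuples, skipping malformed ones."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, src, dst, port, nbytes = parts
        flows.append((src, dst, int(port), int(nbytes)))
    return flows


def find_proxy_like_devices(flows, max_unexpected_dsts=3):
    """Return {src: sorted unexpected destinations} for devices that contact
    more distinct non-allowlisted hosts than the threshold (a relay signal)."""
    unexpected = defaultdict(set)
    for src, dst, _port, _nbytes in flows:
        if dst not in EXPECTED.get(src, set()):
            unexpected[src].add(dst)
    return {src: sorted(dsts) for src, dsts in unexpected.items()
            if len(dsts) > max_unexpected_dsts}


if __name__ == "__main__":
    for src, dsts in find_proxy_like_devices(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {len(dsts)} unexpected destinations -> {dsts}")
```

In practice the allowlist would be learned from a baseline period per device and the threshold tuned per network, so that a device whose destination fan-out jumps is flagged for isolation and firmware review.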