The US Department of Justice (DOJ), in partnership with law enforcement agencies from several European countries, has taken down a major Russian botnet that had compromised millions of devices worldwide. The botnet functioned as an underground proxy service for criminals: customers rented the IP addresses of its collection of hacked IoT devices, Android phones and computers and routed their own traffic through them.
Russian botnet rented access to thousands of proxies for as little as $30 per day
RSOCKS is a Russian botnet that has been active since at least 2014, the first point at which its handlers began to advertise it openly on underground forums in the country. Over the years the botnet has amassed millions of devices in its collection, first focusing on compromising poorly secured Internet of Things (IoT) devices but soon moving on to include Android phones/tablets and even computers.
Illicit actors rented access to RSOCKS as a proxy service, primarily for the purpose of brute force / password guessing login campaigns, disguising the sources of traffic for phishing campaigns, and distributed denial of service (DDoS) attacks. This was as simple as accessing a dark web storefront that allowed rental of varying amounts of proxies by the day, ranging in price from $30 for 2,000 to $200 for 90,000.
Tom Garrubba (Risk, Cyber, and Privacy Executive, Shared Assessments) expands on the risk that these illicit proxy services present, and why taking down botnets of this magnitude is a major cybersecurity win: “It is great to see that law enforcement is making progress towards taking down these large botnets as of late. Botnets are so dangerous because they control large swaths of vulnerable computer systems at a scale unlike any other attack. Those infected computer pools can then be pointed at legitimate resources and cause havoc. Botnets can perform very disruptive attacks like Distributed Denial of Service or large-scale vulnerability exploitation to sell to initial access brokers who will later lend that access to ransomware gangs.”
There are legitimate proxy services in the world, but they cut off customers for engaging in the sort of cyber criminal activities that RSOCKS customers came for. The takedown of the notorious Russian botnet has been simmering for a long time, getting underway in 2017 when members of the Federal Bureau of Investigation (FBI) began renting access to the underground proxy service to probe its backend infrastructure and identify victims. The count at the time was about 325,000 devices around the world; RSOCKS had since doubled that number several times.
The Russian botnet reportedly grew rapidly by using the devices it had already compromised to conduct brute force login attempts against new victims, so each addition to the botnet expanded its capacity to recruit more. These attempts were very likely fed by the long lists of compromised usernames and passwords that have been dumped to the internet in the wake of data breaches. The FBI initially approached several compromised businesses in the San Diego area and asked their permission to replace the hacked devices with controlled honeypots that could be monitored to uncover more information about the illicit proxy service’s internal workings.
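The growth mechanism described above, credential-list brute forcing spread across the bots the network already controls, is exactly the pattern a per-source-IP lockout misses: each proxy contributes only a couple of attempts, so no single address trips a threshold. The following is an added example, not code from the article or from any agency or researcher it cites. It parses a handful of constructed sshd log lines and flags hosts whose failed logins are spread across many distinct source addresses, and it reports any later successful login from one of those addresses. The host names, the IP addresses (documentation ranges), the log lines and the thresholds are all assumptions made for the illustration.

```python
"""Flag distributed (many-source) brute-force logins in sshd log lines.

Added example; the log lines, hosts, IPs and thresholds are constructed.
The point: count failures per *target* across all sources, because a
proxy-backed attacker keeps every individual source IP below lockout.
"""
import re
from collections import defaultdict

# Matches the classic OpenSSH "Failed/Accepted password" log format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: six different source IPs hit "cam-01", each only
# once or twice, then one of them succeeds. "nas-02" sees a single IP.
SAMPLE_LOG = [
    "Jun 16 08:01:02 cam-01 sshd[1201]: Failed password for admin from 203.0.113.5 port 51234 ssh2",
    "Jun 16 08:01:05 cam-01 sshd[1202]: Failed password for invalid user root from 203.0.113.6 port 51235 ssh2",
    "Jun 16 08:01:09 cam-01 sshd[1203]: Failed password for admin from 198.51.100.7 port 51236 ssh2",
    "Jun 16 08:01:12 cam-01 sshd[1204]: Failed password for invalid user ubnt from 203.0.113.8 port 51237 ssh2",
    "Jun 16 08:01:15 cam-01 sshd[1205]: Failed password for admin from 203.0.113.9 port 51238 ssh2",
    "Jun 16 08:01:19 cam-01 sshd[1206]: Failed password for invalid user pi from 198.51.100.10 port 51239 ssh2",
    "Jun 16 08:01:22 cam-01 sshd[1207]: Failed password for admin from 203.0.113.5 port 51240 ssh2",
    "Jun 16 08:01:30 cam-01 sshd[1208]: Accepted password for admin from 203.0.113.9 port 51241 ssh2",
    "Jun 16 08:02:01 nas-02 sshd[1301]: Failed password for admin from 203.0.113.5 port 51300 ssh2",
    "Jun 16 08:02:04 nas-02 sshd[1302]: Failed password for admin from 203.0.113.5 port 51301 ssh2",
    "this line is not an sshd event and must be skipped",
]


def parse(line):
    """Return the event fields as a dict, or None for lines we don't understand."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def per_ip_failures(lines):
    """Naive per-source counter (what a simple lockout rule sees)."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse(line)
        if ev and ev["result"] == "Failed":
            counts[ev["ip"]] += 1
    return dict(counts)


def distributed_bruteforce(lines, min_failures=6, min_sources=4):
    """Return {host: summary} for targets whose failed logins total at least
    `min_failures` and come from at least `min_sources` distinct IPs.
    A later Accepted login from one of those IPs is recorded as
    `success_after`, the signal that a password was actually guessed."""
    per_host = defaultdict(lambda: {"ips": set(), "users": set(), "count": 0, "ok": set()})
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # non-matching lines are ignored, not fatal
        rec = per_host[ev["host"]]
        if ev["result"] == "Failed":
            rec["count"] += 1
            rec["ips"].add(ev["ip"])
            rec["users"].add(ev["user"])
        elif ev["ip"] in rec["ips"]:
            rec["ok"].add((ev["user"], ev["ip"]))
    return {
        host: {
            "failures": r["count"],
            "sources": len(r["ips"]),
            "users": sorted(r["users"]),
            "success_after": sorted(r["ok"]),
        }
        for host, r in per_host.items()
        if r["count"] >= min_failures and len(r["ips"]) >= min_sources
    }


if __name__ == "__main__":
    print("max failures from any single IP:", max(per_ip_failures(SAMPLE_LOG).values()))
    for host, summary in distributed_bruteforce(SAMPLE_LOG).items():
        print(host, summary)
```

Run against the constructed sample, the busiest single source has only four failures, below a typical per-IP lockout, while cam-01 shows seven failures from six addresses followed by a successful login from one of them. In production the same logic belongs in a SIEM rule keyed on destination host (or on the set of usernames tried), with the thresholds tuned to the environment's normal failure rate.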
Outlaw proxy service seized, mastermind potentially unmasked
The DOJ worked with law enforcement in Germany, the Netherlands and the United Kingdom to seize infrastructure belonging to the Russian botnet’s operation, essentially putting it out of business.
KrebsOnSecurity is reporting that it has identified the owner of RSOCKS as Denis Kloster, a prominent spammer who has been tied to cyber crime ventures dating back as far as 2005. In addition to heading up the Russian botnet, Kloster also runs a widely used forum for professional spammers and scammers, a site called RUSDot.
Kloster is also the former owner of Spamdot, which was the world’s leading spam and cyber crime forum until it disintegrated in 2010 after its exploits in organizing counterfeit pharmaceutical scams brought too much heat. He is a native Russian and an apparent former resident of Omsk, but now claims to live abroad and travel internationally.
The takedown of the Russian botnet is part of what appears to be a small campaign by US authorities against the most prominent large botnets. It follows an April operation by the FBI to take down the Cyclops Blink botnet, one that had been tied to Russian intelligence services. Cyclops Blink was thought to be the tool of the “Sandworm” advanced persistent threat group that was credited with the 2017 NotPetya ransomware outbreak as well as assorted attacks on Ukraine’s critical infrastructure. That botnet was discovered in early 2022, but evidence indicates that it had been in operation since 2019. It spread primarily by exploiting known vulnerabilities in WatchGuard Firebox firewall appliances and a number of ASUS routers.
The existence of this illicit proxy service, the length of time it was able to operate and the massive size it grew to (reportedly about eight million devices worldwide prior to the takedown) all serve as yet another illustration of the need for immediate and major improvements in IoT security. This is particularly important as more and more components of homes and businesses go “smart” and internet-connected. Troubles with IoT devices range from failure to patch them as new vulnerabilities are disclosed, to weak or reused credentials of the sort RSOCKS was able to guess, to simply not putting adequate security in place to begin with.
As Garret Grajek, CEO of YouAttest, notes, botnets of this nature have grown to the point where they account for a large share of all internet traffic: “Botnets are a major international concern – and one of the major problems facing internet availability and internet security today – with the Barracuda network investigation revealing 39% of all traffic is malicious bots. These bots are scanning our machines, looking for vulnerabilities, and then deploying to our systems and communicating back to their designated C2s (hacker command and control centers). Enterprises must be aware that this is occurring and acknowledge that vulnerabilities and zero day hacks WILL be discovered. Secure identity governance is needed, since hackers will exploit compromised identities and raise privileges.”