
Suspected Russian Hackers Infect 20,000 IoT Devices

Water Barghest Group Lists Infected Devices Within 10 Minutes of Initial Compromise

A threat actor with suspected ties to Russian nation-state hackers has listed thousands of vulnerable IoT devices as proxy networks within minutes of their initial compromise. A campaign that began in 2020 has so far infected 20,000 IoT devices, according to security firm Trend Micro.


Trend Micro uncovered a proxy botnet campaign that it attributed to a threat group tracked as Water Barghest. The group uses automated tools to scale up its activities, which lets it list compromised devices for rent on a proxy marketplace almost immediately.

"The whole procedure between initial infection and making the bot available as a proxy on the marketplace may take no longer than 10 minutes," Trend Micro said.

Proxies listed by Water Barghest are marketed to other cybercriminals - as well as nation-state hackers - to aid in anonymization of their activities with "plausibly geolocated IP addresses to scrape contents of websites, access stolen or compromised online assets, and launch cyberattacks."

Trend Micro uncovered the campaign after the FBI in January took down a botnet infrastructure used by Pawn Storm for anonymization and other malicious cybercrime activities. Pawn Storm, also known as APT28 and Forest Blizzard, is an advanced persistent threat actor linked to the Russian GRU Military Unit 26165.

"During our investigation, we got our hands on a couple of the EdgeRouter devices that had been used by Pawn Storm. This led us to the discovery of the Ngioweb botnet of Water Barghest," Trend Micro said.

Ngioweb is a multifunctional proxy server botnet first spotted in 2017. In the latest campaign, Water Barghest is deploying a new version of the malware, which has been active since 2020. The campaign has infected EdgeRouter, Cisco, DrayTek, Fritz!Box and Linksys devices mainly located in the U.S., the report said.

The campaign begins with hackers obtaining IoT device vulnerabilities, which include n-days and zero-days. Water Barghest then scans public databases such as Shodan to find vulnerable devices and their IP addresses.

After gaining information about vulnerable IP addresses, the hackers proceed to exploit the flaws within the IoT devices. Once successful, they then deploy the malware in IoT device memory.

"This means that the infection is not persistent. A reboot would remove the infection," Trend Micro said.

Once installed, the malware establishes a connection with command-and-control servers for a "speed test and name server test," and that information is automatically sent to the marketplace and listed for sale, Trend Micro said.

Although law enforcement actions against similar services such as the VPNFilter botnet and Cyclops Blink did result in a slump in malicious activities using proxy services, Trend Micro says any IoT devices accepting connection requests from the internet will remain susceptible to such hacks.

Since there is a high demand for such services, especially from APT groups to obscure their activities, the company also predicted groups such as Water Barghest will continue to compromise IoT devices.

"It is important not to expose IoT devices to incoming internet connections whenever it is not business-essential, and put mitigations in place to avoid their infrastructure being part of the problem itself," Trend Micro said.


About the Author

Akshaya Asokan


Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.



