Feds Disrupt Proxy-for-Hire Botnet, Indict Four Alleged Net Miscreants

The FBI also issued a list of end-of-life routers you need to replace

Earlier this week, the FBI urged folks to bin aging routers vulnerable to hijacking, citing ongoing attacks linked to TheMoon malware. In a related move, the US Department of Justice unsealed indictments against four foreign nationals accused of running a long-running proxy-for-hire network that exploited outdated routers to funnel criminal traffic.

In a FLASH bulletin [PDF] on Wednesday, the FBI warned that aging routers from Linksys, Ericsson, and Cisco, commonly found in homes and small businesses, were being actively targeted by cybercriminals.

These devices, long past their update window, were compromised and made available for sale as part of a criminal proxy network marketed through the 5socks and Anyproxy domains. The botnet provided anonymity to malicious users and enabled a range of cybercrime, including distributed denial of service (DDoS) attacks, according to federal investigators and security researchers.

Vulnerable Routers: Is Your Device at Risk?

Here are the dusty old routers you need to watch out for:

• Linksys E1200, E2500, E1000, E4200, E1500, E300, E3200, E1550 and WRT320N, WRT310N, WRT610N kit
• The Ericsson Cradlepoint E100 router
• The Cisco Valet M10

Operation Moonlander: Taking Down the Botnet

A DoJ indictment issued on Friday offered more details on how the botnets allegedly operated. The operators charged between $9.95 and $110 per month for access to what they claimed were over 7,000 residential proxies, the indictment claims. Prosecutors believe the scheme pulled in more than $46 million, with the website boasting it had been "Working since 2004!"

Not anymore, since the domain running the attacks has been seized in what the Feds are calling Operation Moonlander.

Related Router Security Issues

• Hm, why are so many DrayTek routers stuck in a bootloop?
• Expired Juniper routers find new life – as Chinese spy hubs
• Mystery miscreant remotely bricked 600,000 SOHO routers with malicious firmware update
• That home router botnet the Feds took down? Moscow's probably going to try again

TheMoon Malware: How Routers Are Infected

A separate FBI PSA issued Wednesday described a wave of router infections using TheMoon malware, consistent with the timing of the domain seizure takedown. TheMoon, first identified in 2014, is notorious for infecting routers via open ports and vulnerable scripts. In March 2024, it compromised over 6,000 Asus routers in under 72 hours as part of a proxy-building campaign.

"TheMoon does not require a password to infect routers; it scans for open ports and sends a command to a vulnerable script," the FBI PSA explains. "The malware contacts the command and control (C2) server and the C2 server responds with instructions, which may include instructing the infected machine to scan for other vulnerable routers to spread the infection and expand the network."

The Indictments: Who Was Involved?

Three Russian nationals - Alexey Viktorovich Chertkov, 37, Kirill Vladimirovich Morozov, 41, Aleksandr Aleksandrovich Shishkin, 36 - and a Kazakhstani associate Dmitriy Rubtsov, 38 - were named in the Friday indictment. Chertkov and Rubtsov were also charged with providing false registration information when signing up the domains used to operate the proxy services.

International Collaboration: A Global Effort

The indictments are a result of a combined operation between European and US law enforcement, as well as with support from Lumen's Black Lotus Labs. The operators exploited outdated routers and maintained a relatively low operational footprint - despite advertising access to thousands of proxies - to avoid detection.

"The botnet operators claim that they maintain a daily population of over 7,000 proxies. Based on Black Lotus Labs’ telemetry, we can see an average of about 1,000 weekly active proxies in over 80 countries, however we believe their true bot population is less than advertised to potential users," the security shop said.

Protecting Your Network: Steps to Take Now

The disruption of this botnet serves as a critical reminder of the importance of network security. Here are actionable steps you can take to protect your home or business network:

• Replace End-of-Life Routers: Check the list provided by the FBI and replace any vulnerable models immediately.
• Enable Automatic Updates: Ensure your router's firmware is set to update automatically to patch security vulnerabilities.
• Use Strong Passwords: Change the default password on your router to a strong, unique password.
• Disable Remote Access: Unless necessary, disable remote access to your router's settings.
• Monitor Network Traffic: Keep an eye on your network for unusual activity that could indicate a compromise.

The Future of Botnet Security

The takedown of the proxy-for-hire botnet is a significant victory, but it's also a reminder that cybercriminals are constantly evolving their tactics. Staying informed about the latest threats and taking proactive steps to secure your network is essential in the ongoing battle against cybercrime.