The dangerous global botnet that powers private proxies is being hit hard
- Security researchers from Lumen’s Black Lotus spent over a year investigating the ngioweb botnet
- Once the company identified the infrastructure and traffic, it began blocking the data flow
- This will seriously disrupt the botnet and the proxy service NSOCKS
Security researchers have disrupted a large malicious botnet, damaging the proxy service it powers.
Cybersecurity researchers at Lumen’s Black Lotus have released a new report stating that they are blocking all traffic across their global network going to or from the dedicated infrastructure associated with the ‘ngioweb’ botnet.
First spotted in mid-2023, the Ngioweb botnet was operating more than 35,000 bots (essentially compromised endpoints) every day. The bots were located in 180 countries and were primarily used to power the NSOCKS proxy service. This “notorious criminal proxy service,” as Black Lotus describes it, is linked to the threat actor known as Muddled Libra. There is also evidence that the proxy was used by state-sponsored threat actors such as APT28 (also known as FancyBear, a well-known Russian threat actor).
Disrupting the operation
“At least 80% of the NSOCKS bots in our telemetry come from the ngioweb botnet, primarily using small office/home office (SOHO) routers and IoT devices. Two-thirds of these proxies are based in the US,” the researchers said.
A proxy service allows threat actors to carry out various malicious campaigns, while hiding their true identity and location, by using a ‘proxy’ – or an intermediary.
In addition to acting as a proxy, the ngioweb botnet can also be used to conduct disruptive Distributed Denial of Service (DDoS) attacks.
Lumen took more than a year to analyze the botnet and its activities, and while it couldn’t conclude exactly how the hardware was compromised, it speculated that it was most likely due to various n-day vulnerabilities.
At the time of writing, the NSOCKS proxy and the underlying ngioweb botnet are being heavily disrupted by Lumen and its partners, now that the researchers have identified both the botnet’s architecture and its traffic.
Via BleepingComputer