IoT Botnet Hijacks 35,000 Devices to Power Massive Proxy Network

Ngioweb Malware Powers Major Proxy Service Network

Recent findings from Lumen Technologies reveal that the Ngioweb malware is powering NSOCKS, a significant residential proxy service, along with other services like VN5Socks and Shopsocks5.

Key Points:
– The botnet maintains approximately 35,000 active bots daily, with 40% remaining active for over a month
– 80% of NSOCKS bots come from Ngioweb, which primarily targets SOHO routers and IoT devices
– Two-thirds of affected proxies are located in the United States

Technical Details:
– Ngioweb targets both Windows and Linux systems
– The botnet uses a two-tier architecture:
   1. A loader network (15-20 nodes)
   2. A loader-C2 node system for malware deployment
– Infection to proxy deployment takes as little as 10 minutes
– Affected devices include products from major vendors like NETGEAR, Zyxel, and Hikvision

Security Implications:
– NSOCKS sells 24-hour proxy access for $0.20-$1.50
– The service lets users choose endpoints from 180 countries
– The infrastructure has been used in:
   – Credential-stuffing attacks
   – DDoS attacks
   – Various cybercriminal activities

Mitigation:
Lumen Technologies has implemented blocks on all traffic associated with the Ngioweb botnet infrastructure to disrupt its operations.

The residential proxy service market is expected to grow, presenting increasing security challenges for organizations and highlighting the need for enhanced cybersecurity measures.
