International operation eliminates Russian RSOCKS botnet • The Register


A Russian botnet known as RSOCKS has been shut down by the US Department of Justice working with law enforcement partners in Germany, the Netherlands and the UK. It is believed to have compromised millions of computers and other devices worldwide.

The RSOCKS botnet operated as an IP proxy service, but instead of offering legitimate IP addresses leased from ISPs, it allowed criminals to route traffic through the IP addresses of malware-compromised devices, according to a statement from the U.S. Attorney's Office for the Southern District of California.

It appears that RSOCKS initially targeted a variety of Internet of Things (IoT) devices, such as industrial control systems, routers, audio/video streaming devices, and other internet-connected hardware, before expanding to other endpoints such as Android devices and computer systems.

The DoJ said RSOCKS botnet operators were able to compromise target devices simply by conducting brute force attacks rather than taking advantage of software security vulnerabilities.

Security experts and analysts have been warning for many years of the threat posed by IoT devices, especially those aimed at consumers who don't know or care much about security settings or about applying software updates promptly, although even large companies have been known to be careless too.

According to the DoJ, cybercriminals who wanted to use the RSOCKS platform could simply access a web storefront that allowed them to pay for access to a pool of proxies for a specified period of time, with prices ranging from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies.

The RSOCKS website now bears a statement that the site was seized by the FBI pursuant to a seizure warrant obtained by the DoJ and the US Attorney's Office, but an archived copy of the site on the Internet Archive's Wayback Machine shows it looked like just another proxy service storefront.

The DoJ believes that RSOCKS users were carrying out various illicit activities, including attacks on authentication services through credential stuffing or sending malicious emails such as phishing messages.

It appears that FBI investigators used the simple tactic of buying access to RSOCKS in order to get inside and identify its backend infrastructure and victims. The initial sting operation dates back to 2017 and identified around 325,000 compromised devices worldwide.

According to the DoJ, victims of the RSOCKS botnet included a number of large public and private organizations, including a university, hotel, television studio, and electronics manufacturer, as well as home-based businesses and numerous individuals. ®

