Malware hunters at Lumen Technologies on Tuesday sounded an alarm after discovering a 40,000-strong botnet packed with end-of-life routers and IoT devices being used in cybercriminal activities.
According to new documentation from Lumen’s Black Lotus Labs, a notorious cybercriminal group has been running a multi-year campaign targeting end-of-life small home/small office (SOHO) routers and IoT devices around the world.
The router botnet, first seen in 2014, has been operating quietly while growing to more than 40,000 bots from 88 countries in January and February of 2024, the researchers warned.
“The majority of these bots are used as the foundation of a notorious, cybercriminal-focused proxy service, known as Faceless. Our latest tracking has shown [the botnet] has enabled Faceless’ growth at a rate of nearly 7,000 new users per week.”
The Black Lotus Labs researchers said they identified the logical map of the group’s proxy service, including a campaign that began in the first week of March 2024 that targeted over 6,000 ASUS routers in less than 72 hours.
The researchers noted that the SOHO/IoT-based activity cluster was observed communicating with tens of thousands of distinct IP addresses per week. “Our analysis indicates that the operators behind this botnet were enrolling the compromised end of life (EoL) devices into an established residential proxy service called Faceless,” the Black Lotus Labs team said, warning that it has become “a formidable proxy service that rose from the ashes of the ‘iSocks’ anonymity service and has become an integral tool for cybercriminals in obfuscating their activity.”
The researchers believe the targeting of end-of-life IoT devices around the globe is deliberate, as they are no longer supported by the manufacturer and known security vulnerabilities go unpatched.
“There is also the potential that devices such as these may sometimes be forgotten or abandoned,” the researchers warned.
The Black Lotus Labs researchers are recommending that corporate network defenders look for attacks on weak credentials and suspicious login attempts, even when they originate from residential IP addresses, which bypass geofencing and ASN-based blocking.
Security practitioners should also protect cloud assets from communicating with bots that are attempting to perform password-spraying attacks, and begin blocking IoCs with Web Application Firewalls.
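The guidance above implies a detection problem: when each bot in a residential proxy pool makes only one or two attempts from its own address, per-IP lockouts and ASN blocks never fire, so a spray is better spotted by how many distinct usernames fail than by how loud any single source is. The following is an added example, not code from the Black Lotus Labs report; the log format, sample entries and thresholds are assumptions.

```python
"""Password-spray detection that does not rely on per-IP failure counts.

Added example, not code from the Black Lotus Labs report. The log format and
thresholds below are assumptions; adapt LINE_RE to your own auth logs.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

def parse(lines):
    """Yield (user, src, ok) tuples; silently skip lines that do not match."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["user"], m["src"], m["result"] == "OK"

def spray_summary(lines, min_users=5, max_fails_per_ip=2):
    """A spray routed through a residential proxy pool fails once or twice per
    source IP across many usernames, so a per-IP lockout never trips. Set the
    loud IPs aside (existing per-IP controls handle those) and count how many
    distinct usernames failed from the remaining quiet addresses."""
    failures = [(u, s) for u, s, ok in parse(lines) if not ok]
    fails_by_src = Counter(s for _, s in failures)
    noisy_ips = sorted(ip for ip, n in fails_by_src.items() if n > max_fails_per_ip)
    quiet_users = {u for u, s in failures if s not in noisy_ips}
    return {
        "failed_users": len({u for u, _ in failures}),
        "source_ips": len(fails_by_src),
        "noisy_ips": noisy_ips,
        "spray_suspected": len(quiet_users) >= min_users,
    }

# Constructed sample: one failure per user, each from a different address
# (the shape a proxy-backed spray produces), then one legitimate login.
SAMPLE_LOG = [
    "2024-03-05T10:00:01Z user=alice src=203.0.113.10 result=FAIL",
    "2024-03-05T10:00:04Z user=bob src=198.51.100.23 result=FAIL",
    "2024-03-05T10:00:09Z user=carol src=203.0.113.77 result=FAIL",
    "2024-03-05T10:00:13Z user=dave src=192.0.2.41 result=FAIL",
    "2024-03-05T10:00:20Z user=erin src=198.51.100.8 result=FAIL",
    "2024-03-05T10:00:25Z user=frank src=192.0.2.200 result=FAIL",
    "2024-03-05T10:00:31Z user=alice src=10.0.0.5 result=OK",
]

if __name__ == "__main__":
    print(spray_summary(SAMPLE_LOG))
```

Tune `min_users` to the size of the tenant and the evaluation window; the point of the split is that the distributed pattern is reported even when no address ever exceeds the lockout threshold.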