SecurityWeek

Cybercrime

Threat Actor Turns Thousands of IoT Devices Into Residential Proxies

A threat actor tracked as Water Barghest has compromised over 20,000 IoT devices and monetizes them as residential proxies.

A threat actor is monetizing vulnerable Internet-of-Things (IoT) devices by infecting them with malware and listing them as residential proxies within minutes after exploitation, Trend Micro reports.

Tracked as Water Barghest, the adversary has compromised over 20,000 IoT devices to date, renting them to threat actors looking to anonymize their activities.

Active for at least five years, Water Barghest has remained under the radar by extensively relying on automation, erasing log files to cover its tracks, and only accepting cryptocurrency payments.

The threat actor acquires IoT device vulnerabilities (including zero-days), uses publicly available online scanners to identify vulnerable devices, and then attempts to exploit them from a set of data center IP addresses. Compromised devices are quickly monetized on specialized marketplaces.

“In the case of Water Barghest, we have seen that the time between exploiting an IoT device and putting them for sale on a residential proxy marketplace can be as little as 10 minutes,” Trend Micro says.

As of October 2024, the threat actor had created a botnet of over 20,000 devices from Cisco, DrayTek, Fritz!Box, Linksys, Netgear, Synology, Tenda, Western Digital, and Zyxel, all of which were infected with the Ngioweb malware.

“At the time of writing, Water Barghest deploys about 17 workers on virtual private servers (VPS) that continuously scan routers and IoT devices for known vulnerabilities. The same workers are also used to upload Ngioweb malware to freshly compromised IoT devices,” Trend Micro notes.

Initially observed in 2018, when it was targeting Windows systems, Ngioweb started targeting Linux computers in 2019, and switched focus to IoT devices in 2020. A new variant of Ngioweb was seen this year.

According to Trend Micro, Water Barghest’s activity was uncovered after the threat actor started targeting a zero-day in Cisco IOS XE devices in October last year from the same infrastructure it had been using for years in previous attacks.

The cybersecurity firm also points out that mid-sized proxy botnets such as Water Barghest’s typically remain active for years due to automation and refinements that help them evade detection.

Because both APTs and financially motivated groups will continue to use third-party IoT botnets and commercially available residential proxy services for anonymization and espionage, demand for these botnets will likely increase.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
