The Federal Bureau of Investigation (FBI) has joined forces with Dutch police and other international partners in Operation Moonlander, a coordinated action that dismantled a long-running proxy botnet. This week, authorities seized two services, Anyproxy and 5Socks, that were built on compromised routers and used to commit a range of cybercrimes. The services’ websites have since been replaced with notices stating that they were seized by law enforcement.
Anyproxy and 5Socks had both been operating since 2004, exploiting vulnerabilities in older wireless routers. The services were used to enable crimes such as password spraying, distributed denial-of-service (DDoS) attacks, and ad fraud. Ryan English, a researcher at Black Lotus Labs, stated that Anyproxy and 5Socks are “the same pool of proxies run by the same operators, just under a different name.”
Routers made up the majority of the botnet, specifically older models with well-known, unpatched vulnerabilities. The operators targeted those vulnerable models rather than particular owners, infected thousands of them, and simply enrolled the internet-connected devices into a botnet that other cybercriminals could rent.
The Department of Justice (DOJ) has announced an indictment against four individuals for allegedly operating Anyproxy and 5Socks. The defendants, Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, Aleksandr Aleksandrovich Shishkin, and Dmitriy Rubtsov, reside outside the United States. They reportedly promoted the Anyproxy botnet as a residential proxy service on social media and cybercriminal forums.
The indictment notes that “conspirators acting through 5Socks publicly marketed the Anyproxy botnet as a residential proxy service on social media and online discussion forums, including cybercriminal forums.” A residential proxy of this kind lets paying customers route their traffic through the compromised devices, so that their activity appears to originate from the victims’ home IP addresses rather than from the customers’ own.
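5Socks, as its name suggests, sold SOCKS proxies, and SOCKS5 is a simple, well-documented protocol (RFC 1928). The following Python module is an added example and is not code from the indictment, the FBI, or Black Lotus Labs: it decodes the SOCKS5 client greeting and request messages, then scans a set of constructed flow records (not captured traffic) for a home router that is accepting SOCKS5 greetings from the internet, which is exactly what a device conscripted into a residential proxy looks like on the wire. The flow-record field names and sample addresses are assumptions made for the example.

```python
"""Minimal SOCKS5 (RFC 1928) decoder used to spot a proxy relay on a device
that has no business serving one, such as a home router.

Added example: not code from the operation, the DOJ or Black Lotus Labs.
The byte strings and flow records below are constructed for illustration.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def parse_socks5_greeting(data: bytes) -> list:
    """Decode the client greeting (VER NMETHODS METHODS...) and return the
    offered auth methods; raise ValueError if the bytes are not a greeting."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = data[1]
    if len(data) != 2 + nmethods:
        raise ValueError("method list length mismatch")
    return list(data[2:])


def parse_socks5_request(data: bytes) -> dict:
    """Decode a client request (VER CMD RSV ATYP DST.ADDR DST.PORT) into the
    command and the destination the customer wants the proxy to reach."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr_len, off = 4, 4
        host = str(ipaddress.IPv4Address(data[off:off + addr_len]))
    elif atyp == ATYP_IPV6:
        addr_len, off = 16, 4
        host = str(ipaddress.IPv6Address(data[off:off + addr_len]))
    elif atyp == ATYP_DOMAIN:
        addr_len, off = data[4], 5          # one-byte length prefix, then FQDN
        host = data[off:off + addr_len].decode("ascii")
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    port_off = off + addr_len
    if len(data) != port_off + 2:
        raise ValueError("request length mismatch")
    (port,) = struct.unpack("!H", data[port_off:port_off + 2])
    return {"cmd": CMD_NAMES.get(cmd, f"UNKNOWN_{cmd:#x}"), "host": host, "port": port}


# Constructed flow records as a home router's firewall might log them
# (field names are an assumption for this example). "payload" holds the first
# bytes the remote peer sent after the TCP handshake.
SAMPLE_FLOWS = [
    # A public IP opening a SOCKS5 session on the router: the proxy signature.
    {"src": "203.0.113.7", "dst": "192.0.2.10", "dport": 1080,
     "payload": b"\x05\x02\x00\x02"},
    # Ordinary HTTP request to the router's admin page from the LAN.
    {"src": "192.168.1.20", "dst": "192.168.1.1", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n"},
    # A TLS ClientHello (record type 0x16) to the router's HTTPS admin port.
    {"src": "192.168.1.21", "dst": "192.168.1.1", "dport": 443,
     "payload": b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"},
]


def find_socks5_sessions(flows: list) -> list:
    """Return the flows whose opening bytes decode as a SOCKS5 greeting.
    Any such flow arriving at a consumer router from outside the LAN means the
    device is relaying someone else's traffic."""
    hits = []
    for flow in flows:
        try:
            methods = parse_socks5_greeting(flow["payload"])
        except ValueError:
            continue
        hits.append({**flow, "methods": methods})
    return hits


if __name__ == "__main__":
    for hit in find_socks5_sessions(SAMPLE_FLOWS):
        print(f"SOCKS5 greeting from {hit['src']} to port {hit['dport']}, "
              f"auth methods offered: {hit['methods']}")
    req = parse_socks5_request(b"\x05\x01\x00\x03\x0bexample.com\x00\x50")
    print(f"proxied request: {req['cmd']} {req['host']}:{req['port']}")
```

The greeting check is deliberately strict about length so that random binary on port 1080 does not trip it; in practice you would feed it the first segment of each inbound TCP flow and alert on any match from a non-RFC1918 source, since a home router should never accept a SOCKS handshake from the internet. The request decoder shows what the proxy operator's customer is actually reaching through the victim's address, which is the evidence an incident responder wants when the router's owner is accused of traffic they never generated.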
The services sold access to the botnet, which existed to give its customers anonymity online. Spur, a firm that tracks proxy services, also contributed to the investigation, an indication of how far the network behind this operation reaches.
Ryan English elaborated on the makeup of the botnet, noting that “the bulk of the botnet were routers, all kinds of end-of-life make and models.” The range of affected hardware shows how effective these campaigns have become at spreading malware across many device types.
The implications of such a botnet run well beyond the individual crimes committed through it. The FBI’s action is a reminder of the ongoing threat posed by outdated technology and of the importance of basic security hygiene: through known vulnerabilities in legacy devices that no longer receive patches, cybercriminals have built networks of devices with the potential to cause global disruption.