Criminal Proxy Network Infects Thousands of IoT Devices


A criminal proxy network has been found infecting thousands of Internet of Things (IoT) and end-of-life (EoL) devices, converting them into part of a botnet that provides anonymity for malicious users online.

The network, tracked over the past year by Lumen’s Black Lotus Labs in cooperation with the US Department of Justice, the FBI and the Dutch National Police, exploits outdated residential devices to create a network of proxies.

The infrastructure is primarily based in Turkey and consists of five servers, one of which appears to collect data silently using UDP.

How the Proxy Network Works

The botnet targets unprotected IoT and SOHO devices, many of which are no longer supported with security updates. Lumen telemetry showed an average of 1000 active proxies each week across more than 80 countries, with the highest concentration of victims in the US, followed by Ecuador and Canada.

Devices infected by this malware become part of a proxy-for-rent service. Users can purchase temporary access to these devices, gaining the ability to route traffic through them anonymously.

Crucially, no authentication is required, meaning open access is available to anyone who locates the correct IP and port. Malicious activities supported by this system include:

The infected devices allow cyber-criminals to blend in with legitimate residential traffic. Only about 10% of these proxies are flagged as malicious by tools like VirusTotal.


Though the operators claim over 7000 active proxies daily, Lumen estimates that number is exaggerated. Nevertheless, the service’s stability and global footprint continue to pose challenges for defenders.

Law Enforcement Disruption

Lumen and law enforcement partners have successfully disrupted the network’s known command-and-control infrastructure by null routing traffic through Lumen’s backbone. Still, the sheer volume of vulnerable devices ensures that threats like this will persist.

“Anonymity is the key to success for criminals of all stripes,” the researchers noted. “This group maintained a low profile to avoid detection, but […] they abuse equipment that has aged out of the vendor support lifecycle and cannot be patched or protected”.

To help prevent similar abuses, security professionals recommend:

  • Monitoring for abnormal login attempts from residential IPs

  • Blocking known open proxy addresses

  • Replacing EoL devices and ensuring routers are correctly updated and secured
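One way to put the first two recommendations into practice, as an added example that is not from Lumen or the article: a short Python script that correlates SSH authentication log lines against a blocklist of known open-proxy addresses and flags sources with repeated failures or any login arriving through a listed proxy. The log lines and the blocklist entries are constructed placeholders, not indicators from this campaign.

```python
import re
from collections import defaultdict

# Constructed blocklist of "known open proxy" addresses (documentation ranges, not real IoCs).
OPEN_PROXY_BLOCKLIST = {"203.0.113.7", "198.51.100.42"}

# Constructed sshd-style auth log excerpt used as sample input.
SAMPLE_LOG = """\
May 10 12:00:01 vpn sshd[100]: Failed password for admin from 203.0.113.7 port 51022 ssh2
May 10 12:00:02 vpn sshd[100]: Failed password for admin from 203.0.113.7 port 51023 ssh2
May 10 12:00:03 vpn sshd[100]: Failed password for root from 203.0.113.7 port 51024 ssh2
May 10 12:00:09 vpn sshd[101]: Accepted password for alice from 192.0.2.15 port 40001 ssh2
May 10 12:00:11 vpn sshd[102]: Failed password for bob from 198.51.100.42 port 33000 ssh2
May 10 12:00:12 vpn sshd[102]: Accepted password for bob from 198.51.100.42 port 33001 ssh2
May 10 12:00:20 vpn sshd[103]: Failed password for carol from 192.0.2.99 port 22222 ssh2
"""

LINE_RE = re.compile(
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def analyse_auth_log(log_text, blocklist, fail_threshold=3):
    """Return {source_ip: {"reasons": [...], "users": [...]}} for sources worth reviewing.

    A source is reported if it is on the open-proxy blocklist, or if it produced
    at least `fail_threshold` failed logins (a crude "abnormal login attempts" check).
    """
    stats = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not password auth events
        entry = stats[m["ip"]]
        entry["failed" if m["result"] == "Failed" else "accepted"] += 1
        entry["users"].add(m["user"])

    findings = {}
    for ip, entry in stats.items():
        reasons = []
        if ip in blocklist:
            reasons.append("source is a known open proxy")
            if entry["accepted"]:
                reasons.append("successful login via open proxy; review the account")
        if entry["failed"] >= fail_threshold:
            reasons.append(f"{entry['failed']} failed logins")
        if reasons:
            findings[ip] = {"reasons": reasons, "users": sorted(entry["users"])}
    return findings
```

Run against a real `/var/log/auth.log` with a current blocklist, the same function yields the review list; the threshold is a starting point and should be tuned to the host's normal failure rate.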

Black Lotus Labs said it will continue to share intelligence with global partners and called for proactive monitoring of indicators of compromise related to similar networks.
