March 26, 2024 at 02:42PM
Lumen Technologies’ Black Lotus Labs discovered a 40,000-strong botnet comprised of end-of-life routers and IoT devices, used by a cybercriminal group to power the Faceless proxy service. The botnet, in operation since 2014, has grown to 40,000 bots from 88 countries. Researchers urge network defenders to watch for attacks on weak credentials and to protect cloud assets.
Lumen Technologies’ Black Lotus Labs has identified a significant threat in the form of a large botnet made up of end-of-life routers and IoT devices. The botnet, known as Faceless, is being used by a notorious cybercriminal group to grow a proxy service, with rapid weekly user acquisition rates. The group has been observed targeting specific router models, such as ASUS routers, in a campaign that spans multiple countries.
The Black Lotus Labs researchers have warned that the botnet is an integral tool for cybercriminals and that the deliberate targeting of end-of-life IoT devices is facilitated by unpatched security vulnerabilities and lack of manufacturer support. It is suggested that the operators behind the botnet enrol compromised devices into the Faceless proxy service, using them to facilitate cybercriminal activity while bypassing geofencing and ASN-based blocking.
The researchers’ recommendations for corporate network defenders include monitoring for weak credentials and suspicious login attempts, blocking communication between cloud assets and botnets attempting password spraying attacks, and using Web Application Firewalls to block Indicators of Compromise (IoCs).
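One way to act on the first of those recommendations is to look for password-spraying patterns in authentication logs: a single source that fails against many different accounts in a short span, rather than hammering one account. The following is an added example written for this summary, not code from Black Lotus Labs, Lumen, or the original report. It assumes a simple constructed log format (`timestamp source_ip username result`) and uses sample lines invented for illustration; a real deployment would feed it lines from the authentication system actually in use.

```python
"""Flag password-spraying sources in authentication logs and list any accounts
that later succeeded from those sources.

Added example for this summary (not Black Lotus Labs' or Lumen's code).
Assumed log format, one event per line:
    <ISO-8601 UTC timestamp> <source_ip> <username> <FAIL|SUCCESS>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry). 203.0.113.10 tries many
# accounts once each and finally succeeds (spraying); 198.51.100.7 retries a
# single account (brute force, not spraying); 192.0.2.20 is a normal login.
SAMPLE_LOG = """\
2024-03-26T14:00:01Z 203.0.113.10 alice FAIL
2024-03-26T14:00:02Z 203.0.113.10 bob FAIL
2024-03-26T14:00:03Z 203.0.113.10 carol FAIL
2024-03-26T14:00:04Z 203.0.113.10 dave FAIL
2024-03-26T14:00:05Z 203.0.113.10 erin FAIL
2024-03-26T14:00:06Z 203.0.113.10 frank SUCCESS
2024-03-26T14:01:00Z 198.51.100.7 admin FAIL
2024-03-26T14:01:01Z 198.51.100.7 admin FAIL
2024-03-26T14:01:02Z 198.51.100.7 admin FAIL
2024-03-26T14:05:00Z 192.0.2.20 alice SUCCESS
"""


def parse_line(line):
    """Split one log line into (datetime, source_ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_spraying(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: sorted usernames} for every source whose failed
    logins cover at least `min_users` distinct accounts within any span of
    `window` length. Thresholds are illustrative; tune them to the environment."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        if result == "FAIL":
            failures[ip].append((ts, user))

    flagged = {}
    for ip, fails in failures.items():
        fails.sort()  # chronological order for the sliding window
        start = 0
        for end in range(len(fails)):
            # Shrink the window from the left until it spans <= `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def successes_from_sprayers(log_text, sprayers):
    """List (source_ip, username) pairs that authenticated successfully from a
    flagged spraying source; these accounts warrant a credential reset."""
    hits = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, result = parse_line(line)
        if result == "SUCCESS" and ip in sprayers:
            hits.add((ip, user))
    return sorted(hits)


if __name__ == "__main__":
    sprayers = detect_spraying(SAMPLE_LOG)
    for ip, users in sprayers.items():
        print(f"spraying source {ip}: {len(users)} accounts targeted")
    for ip, user in successes_from_sprayers(SAMPLE_LOG, sprayers):
        print(f"successful login from spraying source {ip}: {user}")
```

The window-based count of distinct usernames per source is what separates spraying (many accounts, few attempts each) from a classic brute force against one account, which a per-account lockout already handles; the second function answers the follow-up question an incident responder asks first, namely which accounts the spraying source actually got into.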
Additionally, related disruptions by the FBI and US government of similar botnets controlled by different groups, as well as the use of decoy systems by AWS to disrupt APTs and botnets, indicate a broader ongoing effort to address these types of cyber threats. This information emphasizes the severity and persistence of the issue and the importance of proactive defense measures.