November 20, 2024 at 09:39AM
The cybercriminal group “Water Barghest” exploits vulnerabilities in IoT devices to create proxy botnets, already compromising over 20,000 devices. Using automated scripts and proprietary malware, they sell these devices on a residential proxy marketplace. This poses significant security challenges, prompting the need for enhanced IoT protection measures.
**Meeting Takeaways:**
1. **Cybercriminal Activity Overview:**
   - The group known as “Water Barghest” exploits vulnerabilities in IoT devices, compromising over 20,000 devices, primarily SOHO routers.
   - They use automated scripts to locate and exploit these vulnerabilities, drawing on public scanning databases such as Shodan.
2. **Operational Mechanism:**
   - Compromised devices are registered as proxies using proprietary malware named Ngioweb.
   - Water Barghest sells these devices on a residential proxy marketplace, enabling further malicious activity by other actors.
3. **Efficiency of Operations:**
   - The entire process, from taking control of an IoT device to listing it for sale, can be completed in approximately 10 minutes, indicating a highly automated operation.
4. **Profit Motive and Threat Landscape:**
   - Both espionage-focused and financially motivated actors have a vested interest in proxy botnets, which let them obscure their activities and launch cyberattacks. Notable groups such as Russia’s Sandworm have used similar methods.
   - Threat actors can easily identify and exploit IoT devices with known vulnerabilities through open Internet scanning services.
5. **Discovery and Investigation:**
   - Trend Micro uncovered Water Barghest while investigating a Russian military intelligence botnet previously used for cyber espionage.
   - The operation remained under the radar thanks to strong operational security practices and automation, including the manipulation of log files to hinder forensic analysis.
6. **Botnet Infrastructure:**
   - Water Barghest operates around 17 identities on virtual private servers, constantly scanning for vulnerable IoT devices and deploying the Ngioweb malware.
7. **Market Trends:**
   - Demand for both legitimate and underground residential proxy services is expected to increase, making it harder for enterprises and government organizations to protect their infrastructure.
8. **Recommendations for Organizations:**
   - To mitigate risk, organizations should harden their IoT devices and limit their exposure to the open Internet, so that their infrastructure cannot be co-opted by malicious actors.