Full Report
The criminal proxy network infected thousands of IoT and end-of-life devices, creating dangerous botnet
Analysis Summary
# Tool/Technique: Criminal Proxy Network (IoT Botnet)
## Overview
A criminal proxy network that infects vulnerable Internet of Things (IoT) and end-of-life (EoL) devices, converting them into a botnet infrastructure used to provide anonymized proxy services for malicious users. The operation was tracked by Lumen's Black Lotus Labs in cooperation with international law enforcement agencies.
## Technical Details
- Type: Malware/Botnet Infrastructure
- Platform: IoT and SOHO (Small Office/Home Office) devices, likely running embedded Linux or similar systems.
- Capabilities: Low-cost proxy-for-rent service; proxy access requires no authentication; routes customers' traffic through victim devices to mask its true origin.
- First Seen: Tracked over the past year (as of the article date: May 12, 2025).
## MITRE ATT&CK Mapping
The source describes the infrastructure and its abuse rather than a specific implant, so the mapping covers how devices are recruited, how the network is used, and what its customers do with it:
- **TA0042 - Resource Development**
  - T1584 - Compromise Infrastructure
    - T1584.005 - Botnet (victim IoT/SOHO devices are pooled into a rentable proxy network)
    - T1584.008 - Network Devices (SOHO routers and similar equipment are the recruited hosts)
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application (recruitment relies on vulnerable, unpatched and EoL devices reachable from the Internet; the source does not name the specific flaws)
- **TA0011 - Command and Control**
  - T1090 - Proxy
    - T1090.002 - External Proxy (compromised devices relay customer traffic so that it appears to originate from the victim)
    - T1090.003 - Multi-hop Proxy (proxy chaining through several victim devices)
- **Techniques used by the service's customers**, per the activity the source attributes to them:
  - T1110.004 - Brute Force: Credential Stuffing
  - T1498 - Network Denial of Service (DDoS)
## Functionality
### Core Capabilities
- **Device Recruitment:** Exploits unprotected or outdated IoT/SOHO devices lacking security updates to achieve persistent infection and inclusion in the botnet.
- **Proxy Service Provision:** Turns compromised devices into accessible proxy nodes.
- **Anonymity:** Routes malicious user traffic through the victim devices, obscuring the true source of the attack.
### Advanced Features
- **Open Access:** Crucially, the service requires **no authentication**; access is available to anyone locating the correct compromised IP and port combination.
- **Operational Hub:** The primary infrastructure appears to be based in Turkey, consisting of five servers, one of which silently collects data using UDP.
- **Scale:** Demonstrated a high volume, averaging 1000 active proxies weekly across more than 80 countries.
## Indicators of Compromise
- File Hashes: [Not provided in context]
- File Names: [Not provided in context]
- Registry Keys: [Not provided in context]
- Network Indicators: [Not provided in context; the source names no C2 IPs or domains]
- Data Collection Node: Uses **UDP** protocol for silent data collection.
- Traffic Routing: Involves exposing compromised device **IPs and Ports** for unauthenticated access.
- Behavioral Indicators:
- Devices acting as open, unauthenticated proxies.
- High volume of outbound traffic originating from vulnerable IoT devices.
## Associated Threat Actors
- Threat actors involved in **Ad Fraud**, **DDoS attacks**, and **Brute-force credential stuffing** are known users of this proxy service.
- The proxy infrastructure itself was allegedly operated by a criminal group. It was tracked by Lumen Black Lotus Labs, and the takedown involved the US DOJ, the FBI, and the Dutch National Police.
## Detection Methods
- Signature-based detection: [Not specified, but would rely on identifying the specific malware implant on the IoT devices]
- Behavioral detection: Detecting unusual outbound traffic patterns, or unrecognized listening services (open ports) on IoT devices that answer as proxies without credentials.
- YARA rules: [Not provided in context]
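The behavioral indicators above (a device answering as an open proxy on an unrecognized port) can be confirmed from inside the IoT segment by speaking the proxy protocols to the suspect port. The script below is an added example, not code from the report or from Black Lotus Labs: it offers a SOCKS5 server only the no-authentication method and issues an HTTP CONNECT with no `Proxy-Authorization` header, and treats acceptance of either as an open proxy. The `example.com:443` tunnel target, the port numbers and the one-shot mock servers are assumptions constructed so it runs offline.

```python
"""Confirm whether a listener on an IoT/SOHO device is an open (unauthenticated) proxy.

Added example for this report, not code from the source or from Black Lotus Labs.
The mock servers below are constructed stand-ins so the script runs offline.
"""
import socket
import threading
from typing import Optional

SOCKS5_VER = 0x05
NO_AUTH = 0x00          # RFC 1928 method "NO AUTHENTICATION REQUIRED"
NO_ACCEPTABLE = 0xFF    # server rejects every offered method


def socks5_accepts_no_auth(host: str, port: int, timeout: float = 3.0) -> bool:
    """Offer a SOCKS5 server only the NO AUTH method and see whether it selects it.
    A reply of 05 00 means anyone who finds this IP:port can relay through it."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(bytes([SOCKS5_VER, 0x01, NO_AUTH]))  # VER, NMETHODS=1, METHODS=[NO AUTH]
            reply = s.recv(2)
    except OSError:
        return False
    return len(reply) == 2 and reply[0] == SOCKS5_VER and reply[1] == NO_AUTH


def http_connect_accepts_unauthenticated(host: str, port: int,
                                         target: str = "example.com:443",
                                         timeout: float = 3.0) -> bool:
    """Send HTTP CONNECT with no Proxy-Authorization header. A 2xx status means the
    proxy opened a tunnel for an anonymous client; 407 means it enforces auth."""
    request = f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            status_line = s.recv(256).split(b"\r\n", 1)[0]
    except OSError:
        return False
    parts = status_line.split()
    return len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].startswith(b"2")


def classify(host: str, port: int) -> Optional[str]:
    """Label a listener as an open SOCKS5 or HTTP proxy, or None if neither check passes."""
    if socks5_accepts_no_auth(host, port):
        return "open-socks5"
    if http_connect_accepts_unauthenticated(host, port):
        return "open-http-connect"
    return None


def _mock_server(reply: bytes) -> int:
    """Constructed stand-in for a device under test: for every connection, read the
    client's greeting and answer with `reply`. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.recv(1024)
                conn.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Demo against constructed mocks; replace with hosts/ports from your own IoT segment.
    for label, reply in [("socks5-no-auth", bytes([SOCKS5_VER, NO_AUTH])),
                         ("socks5-auth-required", bytes([SOCKS5_VER, NO_ACCEPTABLE])),
                         ("http-connect-open", b"HTTP/1.1 200 Connection established\r\n\r\n")]:
        port = _mock_server(reply)
        print(f"{label:22s} 127.0.0.1:{port} -> {classify('127.0.0.1', port)}")
```

Only probe devices you own or are authorized to test. A SOCKS5 reply of `05 00`, or an HTTP `2xx` to an unauthenticated CONNECT, from a camera, router or printer that should not be a proxy at all is the indicator to act on; a device that accepts the greeting but then refuses every tunnel target is still worth isolating, since the listener itself is not legitimate.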
## Mitigation Strategies
- **Patching/Updates:** Apply vendor security updates to all IoT and SOHO devices. End-of-life (EoL) devices no longer receive updates and therefore cannot be patched; replace them, or at minimum keep them off any Internet-reachable network.
- **Network Segmentation:** Isolate IoT devices (especially legacy/EoL ones) onto a separate network or VLAN to restrict lateral movement potential if compromised.
- **Access Control:** Restrict management interfaces to the local network, disable WAN-side remote administration and unused services, and replace default credentials; even when the underlying flaw cannot be patched, reducing what is reachable from the Internet lowers the chance of recruitment.
- **Monitoring:** Implement network monitoring to detect abnormal traffic volume or unexpected external connections originating from internal IoT segments.
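A first pass at the monitoring item above, as an added example (not the report's or Lumen's tooling): it reads flow records in a simple CSV shape, treats an assumed 192.168.50.0/24 as the IoT VLAN, and flags hosts that fan out to many distinct external peers, push unusual outbound volume, or accept connections from the Internet at all, the last being the defining trait of a proxy node whose IP and port its customers connect to. The segment, the thresholds and the sample records are constructed assumptions.

```python
"""Flag IoT-segment hosts whose flow records look like rented proxy nodes.

Added example for this report, not code from the source or from Lumen.
The segment, thresholds and sample flow records are constructed assumptions;
feed it real exported flow/connection logs in the same CSV shape.
"""
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

IOT_SEGMENT = ip_network("192.168.50.0/24")            # assumed IoT/SOHO VLAN
LOCAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_EXTERNAL_PEERS = 20          # a camera or printer talks to a few vendor endpoints, not dozens
MAX_OUTBOUND_BYTES = 50_000_000  # per analysis window; tune to the device class


def is_external(ip: str) -> bool:
    """True when the address is outside every RFC 1918 range we consider local."""
    addr = ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def parse_flows(text: str):
    """Parse CSV rows of src,dst,dport,bytes into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({"src": row["src"], "dst": row["dst"],
                     "dport": int(row["dport"]), "bytes": int(row["bytes"])})
    return rows


def analyze(flows):
    """Return {iot_host: set(rule_names)} for every IoT host that trips a rule."""
    peers = defaultdict(set)      # iot host -> distinct external destinations
    out_bytes = defaultdict(int)  # iot host -> bytes sent to external peers
    inbound = defaultdict(set)    # iot host -> (external src, dport) pairs reaching it
    for f in flows:
        src, dst = ip_address(f["src"]), ip_address(f["dst"])
        if src in IOT_SEGMENT and is_external(f["dst"]):
            peers[f["src"]].add(f["dst"])
            out_bytes[f["src"]] += f["bytes"]
        elif dst in IOT_SEGMENT and is_external(f["src"]):
            inbound[f["dst"]].add((f["src"], f["dport"]))

    findings = defaultdict(set)
    for host, p in peers.items():
        if len(p) > MAX_EXTERNAL_PEERS:
            findings[host].add("fan_out")
    for host, b in out_bytes.items():
        if b > MAX_OUTBOUND_BYTES:
            findings[host].add("outbound_volume")
    for host in inbound:
        # An IoT device should never be reachable from the Internet; a proxy node must be.
        findings[host].add("inbound_from_internet")
    return dict(findings)


def _sample_log() -> str:
    """Constructed flow records: a well-behaved camera (.10) and a device that has
    been recruited into a proxy network (.23). Addresses use documentation ranges."""
    lines = ["src,dst,dport,bytes",
             "192.168.50.10,192.168.1.1,53,300",          # camera -> local DNS
             "192.168.50.10,198.51.100.7,443,120000",     # camera -> its vendor cloud
             "203.0.113.45,192.168.50.23,36123,900"]      # proxy customer connecting in
    for i in range(1, 31):                                # .23 relays to 30 distinct hosts
        lines.append(f"192.168.50.23,192.0.2.{i},443,2500000")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for host, rules in sorted(analyze(parse_flows(_sample_log())).items()):
        print(f"{host}: {', '.join(sorted(rules))}")
```

Tune the thresholds per device class and point the parser at the connection log from the firewall or flow collector that sees the IoT VLAN. On a NATed home network the `inbound_from_internet` rule needs the edge router's port-forward or connection log rather than internal flows, because that is where the customer's connection to the victim's public IP and port is visible.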
## Related Tools/Techniques
- Shares the recruitment model of IoT botnets such as **Mirai** and **Gafgyt**, which also target outdated devices, although those families are best known for DDoS and the specific infection vectors and proxy functionality here may differ.
- Use of compromised hosts for **Proxy Chaining** to conduct credential stuffing and ad fraud.