The U.S. Department of Justice (DOJ) recently announced the success of a cyber operation which aimed to take out a prominent Russian botnet known as RSOCKS.
Law enforcement authorities from Germany, the Netherlands, and the United Kingdom all played a role in disrupting the operations of the botnet, which hacked millions of devices around the world.
The DOJ says RSOCKS initially targeted Internet of Things (IoT) devices such as industrial control systems, time clocks, routers, audio/video streaming devices, and smart garage door openers, though it expanded to targeting additional types of devices including conventional computers.
RSOCKS' operations were discussed in a statement provided by the DOJ:
"The RSOCKS botnet offered its clients access to IP addresses assigned to devices that had been hacked. The owners of these devices did not give the RSOCKS operator(s) authority to access their devices in order to use their IP addresses and route internet traffic.
A cybercriminal who wanted to utilize the RSOCKS platform could use a web browser to navigate to a web-based 'storefront' (i.e., a public web site that allows users to purchase access to the botnet), which allowed the customer to pay to rent access to a pool of proxies for a specified daily, weekly, or monthly time period. The cost for access to a pool of RSOCKS proxies ranged from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies."
After purchasing access, the customer could download a list of IP addresses associated with one of the botnet's backend servers. They could then route malicious internet traffic through the compromised device, hiding the true source of traffic
The DOJ believes that RSOCKS users were conducting credential stuffing attacks, allowing them to remain anonymous when accessing compromised social media accounts, or sending malicious emails such as phishing messages.
The FBI used undercover purchases to gain access to the botnet and identify its infrastructure and victims. After gaining initial access in 2017, the FBI identified 325,000 compromised devices with a majority of them located in San Diego, California.
The DOJ continues:
"Through analysis of the victim devices, investigators determined that the RSOCKS botnet compromised the victim device by conducting brute force attacks. The RSOCKS backend servers maintained a persistent connection to the compromised device. Several large public and private entities have been victims of the RSOCKS botnet, including a university, a hotel, a television studio, and an electronics manufacturer, as well as home businesses and individuals. At three of the victim locations, with consent, investigators replaced the compromised devices with government-controlled computers (i.e., honeypots), and all three were subsequently compromised by RSOCKS."
For more information, read the entire statement from the DOJ.