A Russian operated botnet known as RSOCKS has been shut down by the US Department of Justice acting with law enforcement partners in Germany, the Netherlands and the UK. It is believed to have compromised millions of computers and other devices around the globe.
The RSOCKS botnet functioned as an IP proxy service, but instead of offering legitimate IP addresses leased from internet service providers, it was providing criminals with access to the IP addresses of devices that had been compromised by malware, according to a statement from the US Attorney’s Office in the Southern District of California.
It seems that RSOCKS initially targeted a variety of Internet of Things (IoT) devices, such as industrial control systems, routers, audio/video streaming devices and various internet connected appliances, before expanding into other endpoints such as Android devices and computer systems.
The DoJ said that the RSOCKS botnet operators managed to compromise target devices simply by conducting brute force attacks rather than taking advantage of any software security vulnerabilities.
Security experts and analysts have been warning for many years about the threat posed by IoT devices, especially those aimed at consumers who are unlikely to know or care much about security settings or applying software updates as soon as possible, although even large corporations have been known to get careless too.
According to the DoJ, cybercriminals who wanted to use the RSOCKS platform could simply access a web-based storefront which allowed them to pay for access to a pool of proxies for a specified time period, with prices ranging from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies.
The RSOCKS website now bears a statement saying that the site has been seized by the FBI in accordance with a seizure warrant obtained by the DoJ and the US Attorney’s Office, but an archive copy of the website available on the Wayback Machine internet archive shows that it did look like just another proxy service storefront.
The DoJ believes that users of RSOCKS were conducting various illicit activities, including attacks against authentication services via credential stuffing, or sending malicious email such as phishing messages.
It appears that FBI investigators used the simple tactic of purchasing access to RSOCKS in order to get inside and identify its backend infrastructure and its victims. The initial undercover operation was as far back as 2017 and identified approximately 325,000 compromised devices throughout the world.
According to the DoJ, victims of the RSOCKS botnet included a number of large public and private organizations, including a university, a hotel, a television studio, and an electronics manufacturer, as well as home businesses and numerous individuals. ®