Overview and final thoughts
For years, medium-sized proxy botnets have operated without disruption or scrutiny. Examples include the botnets linked to the Water Barghest and Water Zmeu intrusion sets. The groups behind these intrusion sets have refined their setups and heavily automated their processes. Some of these botnets eventually drew the attention of the security industry. Water Barghest, for instance, gained notoriety when its infrastructure was used for a zero-day attack against Cisco IOS XE devices that infected tens of thousands of routers in October 2023. In the case of Water Zmeu, the use of this criminal botnet by the APT actor Pawn Storm for espionage prompted the FBI to dismantle the router botnet associated with Water Zmeu. After completing our investigation into Water Barghest's activities, we became aware of a blog post from LevelBlue that partially overlaps with our findings.
APT actors have also run dedicated IoT botnets for long periods before being disrupted by the FBI and partner organizations. Both APT and financially motivated actors will keep building their own IoT botnets for anonymity and espionage purposes, and will also rely on third-party botnets or commercially available residential proxy services.
We expect significant growth in both the commercial market for residential proxy services and the underground proxy market in the coming years, driven by strong demand from APT actors and cybercriminal groups. Defending against these anonymization layers is a challenge for many enterprises and government bodies worldwide. Court-authorized takedowns of proxy botnets can slow malicious activity to a degree, but it is more effective to address the root cause: securing IoT devices remains critical, and wherever possible these devices should not accept inbound connections from the public internet.
As soon as an IoT device accepts inbound connections from the public internet, it is indexed by commercial internet-scanning services, whose data malicious actors obtain through purchased or stolen accounts. Using that scanning data, attackers' automated scripts can quickly run exploits for known vulnerabilities, and possibly zero-days, against the exposed devices. In the case of Water Barghest, we observed that the time between the compromise of an IoT device and its listing on a residential proxy marketplace can be as short as 10 minutes. It is therefore essential to limit the exposure of IoT devices to inbound internet connections unless strictly necessary, and to take steps to ensure that an organization's own devices do not become part of the problem.
Trend Micro Vision One Cyber Threat Intelligence
To stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat Insights helps customers anticipate cyber threats and be better prepared for emerging ones. It provides comprehensive information on threat actors, their malicious activities, and the techniques they use. By leveraging this intelligence, customers can proactively protect their environments, mitigate risks, and respond effectively to threats.
Trend Micro Vision One Intelligence Reports App [IOC Sweeping]
Ngioweb IOCs used in Water Barghest operations
Trend Micro Vision One Threat Insights App
Threat Actor: Water Barghest
Emerging Threats: Water Barghest's Rapid Exploit-to-Market Tactic for IoT Devices
Hunting Queries
Trend Micro Vision One Search App
Trend Micro Vision One customers can use the Search App to match or hunt for the malicious indicators mentioned in this blog post against data in their own environment.
Ngioweb malware detection
malName:*NGIOWEB* AND eventName:MALWARE_DETECTION
Additional tracking queries are accessible for Vision One customers with Threat Insights Entitlement enabled.
Indicators of Compromise (IOCs)
The full list of IOCs is available here. For domains generated by the DGA, please refer to this GitHub repository.
YARA rules
Because Ngioweb samples are heavily obfuscated, a simple approach is to look for known AES keys in the .data section. Some samples have no section headers at all; in those cases, scanning the entire binary (or each loadable segment) for the key is sufficient. Some samples carry the AES key c91795b59248562e44d6c07526c7ab89dfe45344293703a94a3ae5ff02eab5a4, which we believe may belong to a test build, so those samples are excluded from our IOC list. The YARA rules are available here.
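As an added illustration of the approach described above (not the rule set linked from this post), the following YARA rule searches for one 256-bit key inside the .data section when section headers are present and falls back to the PT_LOAD segments when they have been stripped. It uses the presumed test key quoted above purely as the example value and assumes the key is embedded as raw bytes rather than as an ASCII hex string; for real detection, substitute the keys from the published rules and tune the rule name and metadata to your own conventions.

```yara
import "elf"

rule Ngioweb_hardcoded_AES_key_example
{
    meta:
        description = "Added example: find a hard-coded 256-bit AES key in an Ngioweb ELF sample"
        note = "Key below is the presumed test key quoted in the post; replace with keys from the published rule set"

    strings:
        // The 64-hex-digit key written as its 32 raw bytes (assumption: stored as bytes, not as text)
        $key = { c9 17 95 b5 92 48 56 2e 44 d6 c0 75 26 c7 ab 89
                 df e4 53 44 29 37 03 a9 4a 3a e5 ff 02 ea b5 a4 }

    condition:
        // 0x7f 'E' 'L' 'F' read as a little-endian 32-bit value
        uint32(0) == 0x464c457f and
        (
            // Preferred path: section headers present, key must sit inside .data
            (
                elf.number_of_sections > 0 and
                for any i in (0 .. elf.number_of_sections - 1) : (
                    elf.sections[i].name == ".data" and
                    $key in (elf.sections[i].offset .. elf.sections[i].offset + elf.sections[i].size)
                )
            )
            or
            // Fallback path: section headers stripped, search every loadable segment instead
            (
                elf.number_of_sections == 0 and
                for any j in (0 .. elf.number_of_segments - 1) : (
                    elf.segments[j].type == elf.PT_LOAD and
                    $key in (elf.segments[j].offset .. elf.segments[j].offset + elf.segments[j].file_size)
                )
            )
        )
}
```

Run it with `yara -r ngioweb_example.yar /path/to/samples`. Restricting the match to .data or to PT_LOAD segments, rather than the whole file, keeps the rule from firing on a key that merely appears in a packed or appended blob, and the ELF magic check up front avoids evaluating the `elf` module on unrelated files.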
