Ethical Hacking News

Disrupting the Shadows: The Crackdown on Ngioweb's Residential Proxy Botnet



A major breakthrough in the fight against cybercrime has been achieved with the disruption of Ngioweb's residential proxy botnet. Lumen's Black Lotus Labs successfully tracked the botnet's operations, identifying key components and disrupting its ability to operate. The incident highlights the need for improved security measures in proxy services and serves as a stark reminder of the importance of cybersecurity awareness.



  • The Ngioweb botnet, a sophisticated network of residential proxies, has been disrupted by cybersecurity researchers at Lumen's Black Lotus Labs.
  • The botnet, which was first observed in 2017, has supplied most of the 35,000 bots in the NSOCKS proxy service and has been linked to various cybercrime operations.
  • The disruption was made possible through a collaborative effort between Lumen and industry partners, including The ShadowServer Foundation.
  • The operation highlights the need for improved security in proxy services; NSOCKS[.]net's inadequate controls allow the network to be exploited by multiple actors.
  • Lumen has released a list of indicators of compromise (IoCs) to help other companies identify malicious bots and disrupt the operations of Ngioweb and NSOCKS[.]net services.



    In a significant development, cybersecurity researchers at Lumen's Black Lotus Labs have successfully disrupted the operations of the Ngioweb botnet, a sophisticated network of residential proxies fueling malicious activities. This notable achievement marks a major milestone in the ongoing efforts to combat cybercrime and protect individuals from the threats posed by these types of malicious networks.

    The Ngioweb botnet, which has been supplying most of the 35,000 bots in the NSOCKS proxy service, was first observed in 2017. However, it wasn't until late 2022 that researchers began to uncover the full extent of its operations. The botnet's architecture and traffic were tracked through an extensive investigation, which involved analyzing over a year's worth of data.

    According to Black Lotus Labs, the NSOCKS[.]net proxy network uses over 180 "backconnect" C2 nodes as entry/exit points to hide their identity. These nodes serve as critical components in the botnet's infrastructure, allowing it to redirect infected devices to a command-and-control (C2) server to fetch and execute malware.

    The Ngioweb botnet has been identified as a primary supplier of proxies for the NSOCKS[.]net criminal proxy service, with its malware targeting devices equipped with vulnerable or discontinued web application libraries. The botnet's malicious activities have been linked to various cybercrime operations, including credential stuffing, phishing, and hiding malware traffic.

    The researchers at Black Lotus Labs noted that recent samples of the ngioweb malware exhibited few modifications compared to older variants analyzed in 2019. However, they also identified some notable differences, such as the switch from hardcoded C2 URLs to domain generation algorithm (DGA)-created domains. Furthermore, the researchers observed the use of DNS TXT records by Ngioweb to prevent sinkholing or losing control of the DGA domains.
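    The switch to DGA-created domains, with DNS TXT lookups against them, leaves a footprint in resolver logs that defenders can triage. The following is an added example (not code from Black Lotus Labs or the article): a small Python script that parses constructed DNS query log lines, scores each queried domain's registrable label with simple DGA heuristics (character entropy, vowel ratio, digit count, length), and tallies TXT queries to flagged domains. The log format, the hostnames, the threshold values and the second-level-label heuristic are all assumptions made for the example.

```python
import math
import re
from collections import Counter

# Constructed sample DNS resolver log lines. The hostnames are made up for this
# example and are NOT Ngioweb or NSOCKS indicators; the log format is assumed.
SAMPLE_DNS_LOG = """\
2024-11-19T12:00:01Z 10.0.0.12 query A www.example.com
2024-11-19T12:00:02Z 10.0.0.12 query A xq7kd9zvb3tpm2.net
2024-11-19T12:00:03Z 10.0.0.17 query TXT kj3hf8sl2qpxz9.com
2024-11-19T12:00:04Z 10.0.0.17 query A mail.corp.local
2024-11-19T12:00:05Z 10.0.0.12 query TXT bv9s2xk4lqmw7d.org
2024-11-19T12:00:06Z 10.0.0.21 query A d1234.cloudfront.net
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qtype>\S+) (?P<qname>\S+)$"
)
VOWELS = set("aeiou")
FLAG_THRESHOLD = 3  # assumed cut-off; tune against your own baseline traffic


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score near log2(len(s))."""
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registrable_label(qname: str) -> str:
    """Second-level label, e.g. 'example' for www.example.com.
    Assumption: no public-suffix handling (co.uk-style suffixes need it)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(label: str) -> int:
    """Heuristic 0..4: each feature typical of machine-generated labels adds one."""
    score = 0
    if shannon_entropy(label) >= 3.0:          # high character diversity
        score += 1
    vowel_ratio = sum(ch in VOWELS for ch in label) / max(len(label), 1)
    if vowel_ratio < 0.25:                      # unpronounceable
        score += 1
    if sum(ch.isdigit() for ch in label) >= 2:  # digits mixed into the label
        score += 1
    if len(label) >= 12:                        # long label
        score += 1
    return score


def triage(log_text: str) -> list:
    """Parse log lines and attach a DGA score and flag to each query record."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        rec = m.groupdict()
        rec["score"] = dga_score(registrable_label(rec["qname"]))
        rec["flagged"] = rec["score"] >= FLAG_THRESHOLD
        records.append(rec)
    return records


def summarize(records: list) -> dict:
    """Roll up flagged domains, TXT lookups against them, and the querying hosts."""
    flagged = sorted({r["qname"] for r in records if r["flagged"]})
    txt_to_flagged = sum(
        1 for r in records if r["flagged"] and r["qtype"] == "TXT"
    )
    clients = sorted({r["client"] for r in records if r["flagged"]})
    return {
        "flagged_domains": flagged,
        "txt_queries_to_flagged": txt_to_flagged,
        "clients": clients,
    }


if __name__ == "__main__":
    recs = triage(SAMPLE_DNS_LOG)
    for r in recs:
        print(f"{r['client']:<10} {r['qtype']:<4} {r['qname']:<24} score={r['score']} "
              f"{'FLAG' if r['flagged'] else ''}")
    print(summarize(recs))
```

    Hosts that both query DGA-looking names and request TXT records for them are worth a closer look, and the flagged names can be checked against the published IoC list before any blocking decision; the heuristics alone will produce false positives on CDN and cloud hostnames, which is why the script reports scores rather than acting on them.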

    The disruption of the Ngioweb botnet's operations was made possible through a collaborative effort between Lumen and industry partners, including The ShadowServer Foundation. By identifying and blocking traffic to and from the known C2 nodes associated with the two networks, researchers were able to severely disrupt the botnet's ability to operate.

    In addition to disrupting the Ngioweb botnet, the operation also highlighted the need for improved security measures in proxy services. As noted by Black Lotus Labs, the NSOCKS[.]net proxy network has inadequate security, which allows exploitation by multiple actors, even those that don't pay for the service. The researchers warned that this could have significant implications for users of these services, who may unknowingly be exposed to malicious activities.

    The incident serves as a stark reminder of the importance of cybersecurity awareness and the need for ongoing vigilance in the face of evolving threats. As the threat landscape continues to shift, it is essential that individuals and organizations remain vigilant and take proactive steps to protect themselves from the latest cyber threats.

    In light of this development, Lumen has released a list of indicators of compromise (IoCs) to help other companies identify malicious bots and further disrupt the operations of Ngioweb and NSOCKS[.]net services. This move is expected to have a significant impact on the cybersecurity community, as it provides a critical tool for identifying and mitigating the threat posed by these malicious networks.

    In conclusion, the disruption of the Ngioweb botnet marks an important milestone in the ongoing efforts to combat cybercrime.



    Related Information:

  • https://www.bleepingcomputer.com/news/security/ngioweb-botnet-fueling-residential-proxies-disrupted-in-cybercrime-crackdown/

  • https://www.justice.gov/opa/pr/911-s5-botnet-dismantled-and-its-administrator-arrested-coordinated-international-operation


  • Published: Tue Nov 19 12:02:24 2024 by llama3.2 3B Q4_K_M