Water Barghest Operates Large IoT Botnet for Cybercrime


Quick take - Water Barghest, a cybercriminal group operating a botnet of over 20,000 compromised Internet of Things (IoT) devices, automates the exploitation of known vulnerabilities and monetizes the resulting access through a residential proxy marketplace, using in-memory malware and disciplined operational security to evade detection.

Fast Facts

  • Water Barghest is a cybercriminal group operating a botnet of over 20,000 compromised IoT devices, monetizing them through a residential proxy marketplace.
  • The group automates the exploitation of vulnerabilities using scripts and public databases, deploying Ngioweb malware to register devices as proxies within 10 minutes.
  • Their operations have parallels with other notorious proxy botnets and have been linked to espionage campaigns targeting government organizations globally.
  • Water Barghest has exploited significant vulnerabilities, including a zero-day in Cisco IOS XE devices, and utilizes cryptocurrency for transactions in their proxy marketplace.
  • Experts stress the importance of securing IoT devices to prevent exploitation, with resources like threat intelligence reports and YARA rules available for cybersecurity professionals.

Water Barghest: A Sophisticated Cybercriminal Group

Water Barghest, a sophisticated cybercriminal group, operates a botnet consisting of over 20,000 Internet of Things (IoT) devices as of October 2024. This group monetizes compromised IoT devices by exploiting their vulnerabilities and selling access through a residential proxy marketplace.

Exploitation and Automation

The exploitation process is highly automated: scripts identify and compromise vulnerable devices drawn from public internet scan databases such as Shodan. Once an IoT device is compromised, the group deploys the Ngioweb malware, which runs in memory and connects to command-and-control servers to register the device as a proxy. Remarkably, the entire process from initial infection to the device being offered as a proxy can take as little as 10 minutes.

Proxy botnets such as Water Barghest's serve as anonymization layers, offering geolocated IP addresses for a range of activities including web scraping and cyber-attacks. The group's activities parallel other notorious proxy botnets associated with advanced persistent threat (APT) actors, such as VPNFilter and Cyclops Blink, both of which were disrupted by the FBI. Notably, the SOHO botnet allegedly linked to Beijing Integrity Technology Group was also disrupted by the FBI in September 2024.

Espionage and Operational Security

Water Barghest's operations first came to light during research on the Pawn Storm APT actor. Pawn Storm has used Ubiquiti EdgeRouter devices in espionage campaigns, including spear-phishing attacks directed at government organizations worldwide. When the FBI attempted to disrupt Pawn Storm's router botnet in January 2024, traces of espionage campaigns and of Water Zmeu malware were found on the compromised EdgeRouter devices.

Thanks to its operational security and automation, Water Barghest has kept a low profile for over five years and largely avoided media scrutiny. In October 2023, the group exploited a zero-day vulnerability affecting Cisco IOS XE devices, impacting tens of thousands of routers. The discovery of Water Barghest's operations was a by-product of ongoing research into Pawn Storm, illustrating how closely criminal and espionage activity on compromised routers can overlap.

Evolving Threat Landscape

The group has perfected the automation of finding, exploiting, and monetizing IoT devices, sourcing n-day exploits and at least one zero-day exploit. It uses virtual private servers (VPS) to continuously scan the internet for IoT devices with known vulnerabilities. The Ngioweb malware has evolved over the years: it initially targeted Windows systems before shifting its focus to IoT devices in 2020. It has been observed on devices from a range of brands, including Cisco, DrayTek, Fritz!Box, Linksys, Netgear, Synology, Tenda, Western Digital, and Zyxel.

The residential proxy marketplace used by Water Barghest accepts only cryptocurrency payments. Ngioweb bots connect to datacenter IP addresses associated with this marketplace, which then route customer traffic through the compromised devices. As demand for residential proxy services grows, particularly among APT actors and cybercriminals, securing IoT devices becomes increasingly important to keep them from being exploited and enrolled in malicious operations.

Experts emphasize that IoT devices should not be exposed to incoming internet connections unless absolutely necessary. Trend Micro has begun offering threat intelligence reports and insights to help customers prepare for and respond to emerging threats. Indicators of compromise (IOCs) related to the Ngioweb malware are available for detection and analysis. In addition, YARA rules for identifying Ngioweb samples key on the malware's known AES keys and other characteristics, giving defenders a further tool for hunting this family.

Original Source: Read the Full Article Here
