Operation Moonlander: Dismantling the Botnet Behind Anyproxy and 5socks Cybercrime Services

TL;DR

  • Operation Moonlander successfully dismantled a 20-year-old botnet linked to Anyproxy and 5socks.
  • Four suspects, including three Russians, were indicted for running illegal proxy networks.
  • The botnet exploited older routers worldwide, earning $46 million through proxy services.

Main Content

International Operation Dismantles 20-Year-Old Botnet

Law enforcement agencies have successfully dismantled a 20-year-old botnet tied to Anyproxy and 5socks as part of an international operation codenamed Operation Moonlander. Four men, including three Russians, were indicted for running the illegal proxy networks.

The U.S. Justice Department charged Russian nationals Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, Aleksandr Aleksandrovich Shishkin, and Kazakhstani national Dmitriy Rubtsov with conspiracy and damage to protected computers. These individuals were accused of maintaining, operating, and profiting from Anyproxy and 5socks services.

Global Collaboration

The operation involved collaboration between the U.S. authorities, the Dutch National Police, the Netherlands Public Prosecution Service, the Royal Thai Police, and cybersecurity firm Lumen Technologies’ Black Lotus Labs.

Botnet Operations

The botnet was created by infecting older-model wireless internet routers worldwide with malware, allowing unauthorized access and reconfiguration. These routers were then sold as proxy servers on Anyproxy.net and 5socks.net.

Financial Gains

Court documents revealed that 5socks.net sold over 7,000 proxies globally, charging between $9.95 and $110 per month, earning a total of $46 million by exploiting infected routers via the Anyproxy botnet.

Anyproxy and 5socks botnet

The services had been operating since 2004, and their operators used false identities to register the sites' domains. Chertkov and Rubtsov face additional charges for false domain registration. FBI agents in Oklahoma discovered the malware on residential and business routers whose owners were unaware of the infection.

Botnet Impact

Researchers at Lumen's Black Lotus Labs observed an average of 1,000 unique bots per week contacting command and control (C2) servers located in Turkey. Most victims were in the U.S., followed by Canada and Ecuador. The operators accepted cryptocurrency payments, and the botnet targeted IoT and SOHO devices.

Technical Details

The botnet offered a “Rent-a-Proxy” service, where users could buy access to IP:port combinations for 24 hours without authentication. This system enabled a broad range of malicious activities, including ad fraud, DDoS attacks, brute force attacks, and data exploitation.

Security Threats

Proxy services continue to present a direct threat to internet security by allowing malicious actors to hide behind unsuspecting residential IPs. The vast number of end-of-life devices in circulation provides a massive pool of targets for such actors.

FBI Alert

The FBI released a FLASH alert warning about the 5Socks and Anyproxy malicious services targeting end-of-life (EOL) routers. Attackers exploit vulnerabilities in these devices to deploy malware and build botnets used for various attacks or proxy services. The alert urges users to replace compromised routers, or to prevent infection by disabling remote administration and rebooting the device.

Conclusion

The dismantling of the Anyproxy and 5socks botnet highlights the ongoing threat of cybercrime and the importance of international cooperation in combating such activities. As the internet of things (IoT) continues to grow, the need for robust security measures becomes increasingly critical.

For more details, visit the full article: source

This post is licensed under CC BY 4.0 by the author.