Sock it to ‘em

Russian botnet 'RSOCKS' dismantled after hacking millions of devices

US law enforcement has dismantled infrastructure used by a Russian botnet responsible for compromising millions of computers and internet-connected devices worldwide.

Cybercrooks have previously paid the ‘RSOCKS’ botnet to leverage hacked devices to carry out large-scale credential stuffing attacks, whereby stolen login credentials are automatically fed into online login pages.

According to a US Department of Justice (DoJ) press release published yesterday (June 16), they also used the commandeered IP addresses to anonymize themselves when accessing compromised social media accounts or sending malicious phishing emails.

Flexible pricing

The RSOCKS botnet rented out the compromised devices’ IP addresses to cybercriminals at daily, weekly, and monthly rates via an internet clear web – as opposed to dark web – website.

‘Customers’ were charged between $30 per day for access to a pool of 2,000 proxy computers and $200 per day for access to 90,000 proxies, said the DoJ.

Catch up on the latest cybercrime news

An investigation, which also involved law enforcement agencies in the UK, Germany, and Netherlands, determined that the attackers used brute-force attacks – an umbrella term for trial-and-error account takeover techniques – to compromise devices.

Victim organizations have included a university, a hotel, a television studio, and an electronics manufacturer, as well as home businesses and individuals, said the DoJ.

The DoJ said the botnet initially targeted Internet of Things (IoT) devices and later diversified into hacking Android devices and desktop computers.

Undercover purchase

The infrastructure used to power the botnet was taken down after an undercover FBI operation to purchase from the nefarious site in 2017. This transaction identified around 325,000 compromised devices worldwide.

With the victims’ consent, investigators replaced compromised devices with government-controlled ‘honeypot’ computers at three locations and all three were subsequently compromised by RSOCKS, according to the DoJ.

“Cybercriminals will not escape justice regardless of where they operate,” said US attorney Randy Grossman. “Working with public and private partners around the globe, we will relentlessly pursue them while using all the tools at our disposal to disrupt their threats and prosecute those responsible.”

FBI special agent in charge Stacey Moy said: “This operation disrupted a highly sophisticated Russia-based cybercrime organization that conducted cyber intrusions in the United States and abroad.

“Our fight against cybercriminal platforms is a critical component in ensuring cybersecurity and safety in the United States. The actions we are announcing today are a testament to the FBI’s ongoing commitment to pursuing foreign threat actors in collaboration with our international and private sector partners.”

RELATED Dark web awash with breached credentials, study finds