Fake certificates could be used to bypass authentication controls

Fake certificates could be used to bypass authentication controls

  

A vulnerability in Parse Server software has led to the discovery of an authentication bypass impacting Apple Game Center.

Parse Server is an open source project available on GitHub that provides push notification functionality for iOS, macOS, Android, and tvOS.

The software is a backend system compatible with any infrastructure able to run Node.js, the Express web application framework, and can be operated independently or with existing web applications.

Read more of the latest Apple security news

According to a security advisory published on June 17, a bug in Parse Server versions before 4.10.11/5.0.0/5.2.2 caused a validation issue in Apple Game Center.

Apple calls the Game Center its ‘social gaming network’. The platform includes leaderboards and real-time multiplayer play.

**Bypassing authentication**

Tracked as CVE-2022-31083 and issued a CVSS severity score of 8.6, the security issue is described as a scenario in which the authentication adapter for Apple Game Center’s security certificate is not validated.

“As a result, authentication could potentially be bypassed by making a fake certificate accessible via certain Apple domains and providing the URL to that certificate in an authData object,” the advisory reads.

Attack complexity is considered low and no privileges are required.

A fix has been issued in Parse Server 4.10.11/5.2.2. A new rootCertificateUrl property has been implemented in the software’s Apple Game Center auth adapter, which “takes the URL to the root certificate of Apple’s Game Center authentication certificate”.

If developers have not set a value in the authentication system, the new property defaults to the URL of the root certificate in use by Apple.

There is no workaround available. Furthermore, the advisory notes that it is also an Apple ecosystem developer’s responsibility to keep the root certificate up to date while using the Parse Server Apple Game Center auth adapter.

Game Center will receive a revised dashboard look complete with friends’ activities in iOS 16, set for release later this year.

“Improper validation could allow attackers to bypass authentication, making the server vulnerable to simple remote attacks,” Jake Moore, global cybersecurity advisor at ESET, told The Daily Swig.

“It’s not often that Apple misses the mark on a security feature but without the requirement of authentication, this is a potentially dangerous and even an easy attack. The best way to avoid this threat would be to quickly patch devices with the latest update.”

The Daily Swig has reached out to Apple and we will update if we hear back.

RECOMMENDED GhostTouch: Hackers can reach your phone’s touchscreen without even touching it

Severe Parse Server bug impacts Apple Game Center

Europol on Tuesday announced the dismantling of an organized crime group that dabbled in phishing, fraud, scams, and money laundering activities.
The cross-border operation, which involved law enforcement authorities from Belgium and the Netherlands, saw the arrests of nine individuals in the Dutch nation.
The suspects are men between the ages of 25 and 36 from Amsterdam, Almere, Rotterdam, and

Europol on Tuesday announced the dismantling of an organized crime group that dabbled in phishing, fraud, scams, and money laundering activities.

The cross-border operation, which involved law enforcement authorities from Belgium and the Netherlands, saw the arrests of nine individuals in the Dutch nation.

The suspects are men between the ages of 25 and 36 from Amsterdam, Almere, Rotterdam, and Spijkenisse and a 25-year-old woman from Deventer, according to a statement from the National Police Force.

Also confiscated as part of 24 house searches were firearms, ammunition, jewelry, designer clothing, expensive watches, electronic devices, tens of thousands of euros in cash, and cryptocurrency, the officials said.

"The criminal group contacted victims by email, text message and through mobile messaging applications," the agency noted. "These messages were sent by the members of the gang and contained a phishing link leading to a bogus banking website."

Unsuspecting who clicked on the link were tricked into entering their credentials that were subsequently stolen by the syndicate to fraudulently cash out several million euros from the victim's accounts with the help of money mules.

Additionally, some members of the group are said to have connections with drugs and possible firearms trafficking.

The bust comes less than a month after Europol, in collaboration with Australia, Belgium, Finland, Hungary, Ireland, Romania, Spain, Sweden, Switzerland, the Netherlands, and the U.S., took down the infrastructure associated with FluBot Android malware.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Europol Busts Phishing Gang Responsible for Millions in Losses

Comodo Antivirus 12.2.2.8012 has a quarantine flaw that allows privilege escalation. To escalate privilege, a low-privileged attacker can use an NTFS directory junction to restore a malicious DLL from quarantine into the System32 folder.

CVE-2022-34008: Download Free Antivirus Software | Get Complete PC Virus Protection

Iconic hot tub manufacturer addresses flaws that also apparently exposed numerous backend services

Iconic hot tub manufacturer addresses flaws that also apparently exposed numerous backend services

Vulnerabilities in the web interface of Jacuzzi’s SmartTub app could have enabled an attacker to view and potentially manipulate the personal data of hot tub owners, a security researcher claims.

As well as an Android or iOS app, SmartTub provides a module that sits within hot tubs providing status updates and fulfilling commands around setting water temperature, turning on water jets or lights, and so on – although there’s no suggestion this functionality was affected by the flaws.

Eaton Zveare managed to bypass Smarttub.io login pages to reach two admin panels intended for internal use only.

Read more of the latest internet of things security news

The issues have now been patched, although Zveare claimed he was not notified of the fixes, and that Jacuzzi failed to reply to most of his emails. Jacuzzi has yet to respond to our invitation to comment. We’ll update this article if and when they do.

According to the researcher, abuse of the vulnerabilities exposed first names, last names, and email addresses of users from around the world. In a technical write-up he warned: “It would be trivial to create a script to download all user information. It’s possible it’s already been done.”

**‘Staggering’**

The first admin panel was accessed after a login attempt using Zveare’s customer credentials returned an ‘unauthorized’ screen, but was briefly preceded – “blink and you’d miss it” – by a redirect to the admin panel captured with a screen recorder.

This security flaw fleetingly showed data related to multiple Jacuzzi brands in the US and beyond.

A JavaScript bundle for Smarttub.io’s single-page-application (SPA) revealed that usernames and passwords were sent to third-party authentication platform Auth0 for validation.

Zveare used the Fiddler tool to modify the HTTP response in order to masquerade in the admin role – giving him full access to the admin panel and a “staggering” amount of data.

“I could view the details of every spa, see its owner, and even remove their ownership”, he explained. “I could view every user account and even edit them”.

However, Zveare declined to risk testing “if any changes would actually save”.

**Backend services**

The login screen for the second admin console, while not Auth0-branded, “seemed” to accept his credentials but generated a JavaScript browser alert declining permission.

The corresponding JavaScript bundle featured the code for browser alert and check, and he noted that alongside the admin and user groups also visible on the first panel, the second panel featured admin tools and development groups.

DON’T MISS HID Mercury access control vulnerabilities leave door open to lock manipulation

With the help of Chrome Local Overrides functionality, the researcher loaded a modified JavaScript bundle file that forced , , and to return in all cases. “This way, I didn’t need to intercept the HTTP response each time to modify the groups,” said Zveare.

This revealed manufacturing logs, a serial number update section, and options to extend your cell (mobile) data subscription – “or shorten someone else’s” – and create, modify, and delete tub colors or models and licensed hot tub dealers.

**Fraught disclosure**

A lengthy disclosure process detailed by Zveare began with initial notification on December 3, which apparently failed to elicit a response.

Zveare sought Auth0’s help on January 4 and said the authentication vendor immediately reproduced the issue, contacted Jacuzzi, and discovered that the first admin panel had been shut down.

On June 4 he noticed the second admin panel had finally been secured and then disclosed the vulnerabilities on June 20.

“After multiple contact attempts through three different Jacuzzi/SmartTub email addresses and Twitter, a dialog was not established until Auth0 stepped in,” said Zveare.

“Even then, communication with Jacuzzi/SmartTub eventually dropped off completely, without any formal conclusion or acknowledgement they have addressed all reported issues.”

By contrast, the researcher thanked the Auth0 security team for helping out despite having no obligation to do so. “Without their assistance, this disclosure would probably have remained stalled,” he added.

RECOMMENDED Security researcher receives legal threat over patched Powertek data center vulnerabilities

Jacuzzi customer details could be exposed by SmartTub web bugs, claims researcher

The BRATA Android banking Trojan is evolving into a persistent threat with a new phishing technique and event-logging capabilities.

An Android-based banking Trojan known as BRATA (short for Brazilian RAT Android) has evolved to incorporate new phishing techniques and capabilities to acquire GPS, overlay, SMS, and device management permissions.  

The Italian mobile security company Cleafy reported in a blog post this week that these changes align with an advanced persistent threat (APT) pattern of activity.

"Threat actors behind BRATA now target a specific financial institution at a time, and change their focus only once the targeted victim starts to implement consistent countermeasures against them," the blog post explained. "Then, they move away from the spotlight, to come out with a different target and strategies of infections."

The new variant, which is targeting the EU region by posing as specific bank applications, can also now perform event logging through its ability to sideload a second-stage piece of malware from its command-and-control (C2) server.

**Ability to Bypass MFA**

The threat actors operating the new malware variant (BRATA.A) are also expanding their capabilities to include a methodology for potentially bypassing SMS-based multifactor authentication (MFA).

The updated phishing technique can mimic a targeted bank's login page, part of the group's strategy to acquire personal information to be used later for social-engineering purposes.

"Once installed, the pattern of the attack is similar to other SMS stealers," according to the blog post. "This consists in the malicious app asking the user to change the default messaging app with the malicious one to intercept all incoming messages."

Credential harvesting is common in banking Trojans and stealer malware, but bypassing MFA is a bit more complicated.

"This functionality, along with BRATA's ability to remain undetected for prolonged periods of time, could potentially classify the threat actors as an APT," says Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows.

**BRATA Actors Thinking About Future Development**

From the perspective of John Bambenek, principal threat hunter at Netenrich, the ability to request additional permissions on the device indicates what the attackers are thinking as far as future development.

"Not all the new features are actively collecting and transmitting data to the attacker, but future updates can change that," he says. "The actors are spending real effort to make sure they can maximize their success. Banks are constantly evolving, so attackers must do so also."

He adds that because mobile malware is typically still just an app, consumers can protect themselves by only installing apps from approved app stores and be wary when apps are asking for banking credentials.

"Financial institutions need to invest in behavioral analytics to detect stolen credential use against their online presence to prevent fraud against their consumers," Bambenek says.

In a statement provided to Dark Reading, the Cleafy Threat Intelligence team notes BRATA's evolution suggests the threat actors plan to diversify their business model, and consequently its income.

Cleafy's hypothesis is that BRATA is sold as malware-as-a-service (MaaS) to different groups, since the firm is tracking many variants of this malware hitting different countries across the globe.

"It has been observed that they started refactoring part of the malware, in order to tailor it according to the requests of their customers," the statement reads.

**Evolution of a Trojan**

In January, Cleafy discovered the group behind BRATA manipulating Android's factory reset to prevent victims from discovering or reporting and preventing illicit wire transfers. At that point, the malware campaigns were targeting Italian banks.

During the last year, BRATA was delivered through sideloading techniques, not through the official Google Play Store.

Cleafy recommends users pay particular attention to downloading apps from untrusted websites or whenever SMS is required to install an application.

"However, considering the Android 13 restriction for sideloaded apps, we do not exclude that in the future BRATA will be also delivered through official stores, like other famous malware have been trying to do in recent months (e.g. Sharkbot, Teabot etc.)," the statement continues.

Kaspersky first discovered BRATA in 2019 when it was simply spyware and targeted at users in Brazil.

BRATA Android Malware Evolves Into an APT

By Deeba Ahmed
The hackers behind Rsocks botnet used the hacked IoT devices as proxy servers where its customers would pay…
This is a post from HackRead.com Read the original post: Feds Dismantle Russian Rsocks Botnet Powered by Millions of IoT Devices

****The hackers behind Rsocks botnet used the hacked IoT devices as proxy servers where its customers would pay them for using the device’s IP address while the device owner remained unaware of the exploitation.****

The US Department of Justice (DoJ) seized and dismantled a Russian botnet infrastructure, the operators of which hijacked millions of devices across the globe to offer IP proxy service.

The prosecutors alleged that Rsocks was in use by an undisclosed, notorious Russian hacker(s) running a sophisticated cybercrime organization. The gang offered web proxy service after hacking into millions of IoT devices, computers, laptops, and Android smartphones.

**How did the Seizure happen?**

In a press release, the DoJ confirmed the involvement of law enforcement agencies from the UK, the Netherlands, and Germany in this operation launched in 2017 by the Federal Bureau of Investigation (FBI).

Seized Rsocks website

The bureau secretly purchased proxies from Rsocks to track its infrastructure and located at least 325,000 infected devices in the US. Prosecutors claimed that the botnet conducted cyber intrusions within the US and abroad.

**What are Proxy Servers?**

Proxy service operators provide access to IP addresses to interested users for a fee. Though not inherently illegal, the service manages to bypass censorship and access geo-restricted content for the user.

In the case of Rsocks’ botnet, the hackers used the devices as proxy servers. The customers would pay them for using the compromised devices’ IP address while the device owner remained unaware of the exploitation.

> “The owners of these devices did not give the RSOCKS operator(s) authority to access their devices in order to use their IP addresses and route internet traffic.”
> 
> Department of Justice

**A Botnet Comprising 8M Residential Devices**

As per the information shared by Rsocks on Twitter, the botnet had claimed 8 million residential devices and over a million mobile IPs. According to the prosecutors, Rsocks used brute force attacks to invade millions of devices and expand the botnet army illegally.

An archive copy of the now seized website

The operators not only victimized individuals and home businesses but also high-profile private and public entities, including a hotel, a university, a TV studio, and an electronics maker.

**How Was Rsocks Used?**

Reportedly, those intending to avail Rsocks proxies rented the access through an online storefront for different timelines and rates, ranging from $30/day for accessing 2,000 proxies to $200/day for 90,000 proxies.

After purchasing, the cybercriminals redirected malicious internet traffic via the IP addresses linked to the infected devices to hide their identity and launch various attacks such as credentials stuffing, hijacking social media accounts, or phishing messages.

This seizure comes just two weeks after the US authorities seized another illegal marketplace, SSNDOB, for stealing/selling the private data of around 24 million US citizens.

**More Botnet Seizure News**

*   Microsoft takes down largest botnet network “Necurs”
*   World’s Most ‘Resilient Malware’ Botnet Emotet Taken Down
*   The US jails Russian hacker for 8 years over botnet, bank fraud
*   Hacker disrupts Emotet botnet operation by replacing payload with GIFs
*   FBI Disrupts Cyclops Blink Botnet Used by Russian Intelligence Directorate

Feds Dismantle Russian Rsocks Botnet Powered by Millions of IoT Devices

RSOCKS commandeered millions of devices in order to offer proxy services used to mask malicious traffic.

A Russian botnet known as RSOCKS has been dismantled – but not before infecting millions of devices globally.

Like many botnets, RSOCKS initially targeted Internet of Things (IoT) devices, but it soon expanded to industrial control systems, Android devices, and PCs, according to the US Department of Justice (DoJ). Its specialty was providing cover for large-scale credential-stuffing attacks and other malicious activity by offering clients access to the IP addresses of these nodes for proxy purposes, according to the DoJ.

Via a Web-based “storefront,” users could rent access to a pool of proxies for a specified daily, weekly, or monthly time period, at prices ranging from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies.

"The customer could then route malicious internet traffic through the compromised victim devices to mask or hide the true source of the traffic," according to the DoJ's statement on the RSOCKS takedown. "It is believed that the users of this type of proxy service were conducting large scale attacks against authentication services, also known as credential stuffing, and anonymizing themselves when accessing compromised social media accounts, or sending malicious email, such as phishing messages."

The DoJ worked with law enforcement in Germany, the Netherlands, and the United Kingdom to disrupt the botnet.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Feds Take Down Russian 'RSOCKS' Botnet

The operators behind BRATA have once again added more capabilities to the Android mobile malware in an attempt to make their attacks against financial apps more stealthy.
"In fact, the modus operandi now fits into an Advanced Persistent Threat (APT) activity pattern," Italian cybersecurity firm Cleafy said in a report last week. "This term is used to describe an attack campaign in which

The operators behind BRATA have once again added more capabilities to the Android mobile malware in an attempt to make their attacks against financial apps more stealthy.

"In fact, the modus operandi now fits into an Advanced Persistent Threat (APT) activity pattern," Italian cybersecurity firm Cleafy said in a report last week. "This term is used to describe an attack campaign in which criminals establish a long-term presence on a targeted network to steal sensitive information."

An acronym for "Brazilian Remote Access Tool Android," BRATA was first detected in the wild in Brazil in late 2018, before making its first appearance in Europe last April, while masquerading as antivirus software and other common productivity tools to trick users into downloading them.

The change in the attack pattern, which scaled new highs in early April 2022, involves tailoring the malware to strike a specific financial institution at a time, switching to a different bank only after the victim begins implementing countermeasures against the threat.

Also incorporated in the rogue apps are new features that enable it to impersonate the login page of the financial institution to harvest credentials, access SMS messages, and sideload a second-stage payload ("unrar.jar") from a remote server to log events on the compromised device.

"The combination of the phishing page with the possibility to receive and read the victim's sms could be used to perform a complete Account Takeover (ATO) attack," the researchers said.

Additionally, Cleafy said it found a separate Android app package sample ("SMSAppSicura.apk") that used the same command-and-control (C2) infrastructure as BRATA to siphon SMS messages, indicating that the threat actors are testing out different methods to expand their reach.

The SMS stealer app is said to be specifically singling out users in the U.K., Italy, and Spain, its goal being able to intercept and exfiltrate all incoming messages related to one-time passwords sent by banks.

"The first campaigns of malware were distributed through fake antivirus or other common apps, while during the campaigns the malware is taking the turn of an APT attack against the customer of a specific Italian bank," the researchers said.

"They usually focus on delivering malicious applications targeted to a specific bank for a couple of months, and then moving to another target."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

BRATA Android Malware Gains Advanced Mobile Threat Capabilities

Plus: Firefox adds new privacy protections, a big Intel and AMD chip flaw, and more of the week’s top security news.

This week, WIRED revealed new details that link an Indian police force to a hacking campaign against human rights defenders and activists. Researchers at SentinelOne uncovered connections between the city of Pune’s police agency and evidence planted on the devices of activists, as part of a hacking campaign dubbed Modified Elephant. It is alleged that evidence was planted on the computers of activists Rona Wilson and Varvara Rao and then used to arrest the two men. Among other details, an unnamed security analyst at an email provider revealed to SentinelOne and WIRED that the email address and phone number of a Pune police official was set as the recovery email on hacked accounts.

Elsewhere, a new front is emerging in Russia’s war against Ukraine. In the occupied city of Kherson and other nearby regions, Russian forces are routing internet connections from Ukrainian internet service providers to Russian companies. Ukrainian officials tell WIRED the shifts are happening at a large scale and could result in people being subjected to Vladimir Putin’s surveillance and censorship machine.

Robocalls aren’t going away. There’s been progress in tackling the nuisance calls in recent years but the spammy calls are still prevalent. This week we looked into the roots of the problem and what can still be done in the fight against robocalls. We also looked at a new way for cops to collect your fingerprints. How censors in Shanghai haven’t been able to hide stories of the city’s dead during an aggressive Covid-19 lockdown. And the dwindling options facing WikiLeaks founder Julian Assange after the UK Home Office approved his extradition to the US, where he faces espionage and hacking charges.

But that's not all, folks. Each week we round up the big security and privacy news we didn't cover ourselves. Click the links for the full stories, and stay safe out there.

Viktor Muller Ferreira had a traumatic childhood. Growing up, his father and mother—who had adopted him—split up. His mother later died of pneumonia, and his aunt, who raised him, also passed away. The family didn’t have much money. At school, children bullied Ferreira for his looks and his weird accent. As a result, he didn’t have many friends.

One day when his aunt was out, a neighborhood boy came round and told Ferreira that he was the fairy tale character Grey Shadow and he was going to “devour” him. “This scared me so much that I spent the entire day in a small box out on the balcony, praying until my aunt came home.” As he grew older he worked in a garage, took an interest in journalism, and moved to Brazil to reunite with his estranged father and “restore my citizenship.”

Except, according to authorities in the Netherlands, none of that is true.

Dutch intelligence agency AVID claimed this week that “Viktor Muller Ferreira” is just a cover story and false identity for Sergey Vladimirovich Cherkasov, an alleged Russian intelligence officer belonging to the GRU military unit. AVID said it caught Cherkasov applying to be an intern at the International Criminal Court at The Hague, which is investigating potential war crimes in Russia’s wars against Ukraine and Georgia.

As well as stopping Cherkasov from obtaining the position at the ICC and sending him back to Brazil, the Dutch intelligence agency also published his long and detailed cover story. The four-page story, often known as a covert intelligence officer’s “legend,” details the background of the “Ferreira” identity. “The threat posed by this intelligence officer is deemed potentially very high,” AVID said in a statement.

Since outing “Ferreira,” more clues about his undercover life have emerged. Social media profiles belonging to “Ferreira” have been discovered by the investigative unit Bellingcat, as well as a blog and online CV. He also studied at Trinity College Dublin and Johns Hopkins University. Eugene Finkel, an associate professor at Johns Hopkins, who says he taught “Ferreira,” tweeted: “I wrote him a letter. A strong one, in fact. Yes, me. I wrote a reference letter for a GRU officer. I will never get over this fact. I hate everything about GRU, him, this story. I am so glad he was exposed.”

For years it’s been impossible to move backups of WhatsApp chats between Android and iOS, and vice versa. In August last year, WhatsApp announced it was starting to roll out the ability for people to move their data between iPhones and Android devices. Now, this week, the Meta-owned company says backups will work in the other direction too—from Android to iOS.

Processors from Intel and AMD are vulnerable to a new side-channel attack called Hertzbleed. The attack could allow the theft of cryptographic keys and data, as reported by BleepingComputer and DarkReading. Hertzbleed works by exploiting a common power-saving feature in chips—called dynamic frequency scaling (DVFS)—that could allow an attacker to steal data. Frequency changes in DVFS may be correlated with information being processed by chips, Intel says in a blog post. Despite this, neither Intel nor AMD appear to have plans to address the issue. However, the risk to end users seems low at the moment. The team of researchers who found Hertzbleed say ordinary users probably shouldn’t be worried.

Ever since Covid-19 started spreading in early 2020, technological systems have been developed to try to control its spread. In China, a mandatory health code system was created to monitor people’s health status—people with a red code are required to self-isolate, those with a green code are allowed to move freely. These health codes are tied to people’s phones. Now, according to multiple reports, people in the Chinese province of Henan claim their plans to protest have been blocked as their health code has been turned red. Several people impacted claim they have not been around anyone positive with Covid-19 and the change is an abuse of power by officials.

Mozilla’s web browser may have been struggling in recent years, but it is still one of the most privacy-friendly browsers. This week the company said Firefox is turning on its Total Cookie Protection feature by default for everyone using the browser. Any cookies saved to your computer will be available only to the website that placed them there, Mozilla explains in a blog post. “Instead of allowing trackers to link up your behavior on multiple sites, they just get to see behavior on individual sites,” the company says, adding it is “Firefox’s strongest privacy protection to date.”

In November 2021, the US sanctioned notorious Israeli spyware firm NSO Group. The company’s Pegasus hacking tool has been used around the world to spy on journalists and activists. This week it emerged that US defense firm L3Harris is interested in purchasing the technology behind Pegasus, as the _Financial Times_ reports. Any purchase of the technology by a US company would potentially put it at odds with the Biden administration, which blacklisted NSO. Talk of the potential deal, which was said to be in early stages, has prompted criticism from the White House. “We are deeply concerned,” a senior official told the _Washington Post_. They said the deal could cause security and counterintelligence issues for the US.

An Alleged Russian Spy Was Busted Trying to Intern at The Hague

The U.S. Department of Justice (DoJ) on Thursday disclosed that it took down the infrastructure associated with a Russian botnet known as RSOCKS in collaboration with law enforcement partners in Germany, the Netherlands, and the U.K.
The botnet, operated by a sophisticated cybercrime organization, is believed to have ensnared millions of internet-connected devices, including Internet of Things (

The U.S. Department of Justice (DoJ) on Thursday disclosed that it took down the infrastructure associated with a Russian botnet known as RSOCKS in collaboration with law enforcement partners in Germany, the Netherlands, and the U.K.

The botnet, operated by a sophisticated cybercrime organization, is believed to have ensnared millions of internet-connected devices, including Internet of Things (IoT) devices, Android phones, and computers for use as a proxy service.

Botnets, a constantly evolving threat, are networks of hijacked computer devices that are under the control of a single attacking party and are used to facilitate a variety of large-scale cyber intrusions such as distributed denial-of-service (DDoS) attacks, email spam, and cryptojacking.

"The RSOCKS botnet offered its clients access to IP addresses assigned to devices that had been hacked," the DoJ said in a press release. "The owners of these devices did not give the RSOCKS operator(s) authority to access their devices in order to use their IP addresses and route internet traffic."

Besides home businesses and individuals, several large public and private entities, including a university, a hotel, a television studio, and an electronics manufacturer, have been victimized by the botnet to date, the prosecutors said.

Customers wanting to avail proxies from RSOCKS could rent access via a web-based storefront for different time periods at various price points ranging from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies.

Once purchased, criminal actors could then redirect malicious internet traffic through the IP addresses associated with the compromised victim devices to conceal their true intent, which was to carry out credential stuffing attacks, access compromised social media accounts, and send out phishing messages.

The action is the culmination of an undercover operation mounted by the Federal Bureau of Investigation (FBI) in early 2017, when it made covert purchases from RSOCKS to map out its infrastructure and its victims, allowing it to determine roughly 325,000 infected devices.

"Through analysis of the victim devices, investigators determined that the RSOCKS botnet compromised the victim device by conducting brute force attacks," the DoJ said. "The RSOCKS backend servers maintained a persistent connection to the compromised device."

The disruption of RSOCKS arrives less than two weeks after it seized an illicit online marketplace known as SSNDOB for trafficking personal information such as names, dates of birth, credit card numbers, and Social Security numbers of about 24 million individuals in the U.S.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#android