Botnet of more than 17 million devices dismantled

belboz

Ars Centurion
249
Subscriptor++
My PC is checkable, but I can't truly verify that my Internet router is. Personally owned routers, I can update. ISP provided routers with custom firmware? I am at the mercy of the ISP to update the custom firmware based on OEM official releases. My only defense is never using router provided DNS servers and DHCP options.
 
Upvote
27 (28 / -1)
Time to start mandating that suppliers of network infrastructure, including SoHo gear, provide timely security fixes for a number of years after last sale. Similar to how automakers are required to supply spare parts for discontinued models.
How long were mass-produced cars around before this became a thing? I’m wondering how long it will take lawmakers to realize that device security is only going to happen on a broad scale if there’s legal teeth nipping at the manufacturers.
 
Upvote
19 (19 / 0)
the botnet was linked to ASOCKS, a Russia-based company that provides residential proxy services. These services cater to people and organizations who want to obscure their locations or identities by proxying their Internet traffic through third-party devices. Proxy services are often used for illicit or unethical purposes such as performing DDoS attacks, running botnet command-and-control servers, operating phishing operations, and scraping website content.
Looks like the botnet is now botnyet
/Yeah yeah, I was leaving anyway
 
Upvote
68 (68 / 0)

SplatMan_DK

Ars Tribunus Angusticlavius
8,276
Subscriptor++
I am a small carrier/hoster in the EU (Copenhagen). These cases are making quite the buzz in closed forums and among network geeks and security specialists working with carrier-grade DC gear.

This new case happens just a few days after about 800 physical servers were seized, for alleged criminal activity linked to Russia. While the botnet actors in the Netherlands have not been named, the companies involved in the previous 800-server case were:

  • WorkTitans B.V. (operating under the brand THE.Hosting)
  • MIRhosting
  • Stark Industries
  • PQHosting

A common attribute for these companies was selling virtual server capacity (VPS) to unknown customers paying solely with cryptocurrency.

Word on the street is the new 200-server case is tied to the original 800-server case in multiple ways, including colocation suppliers. After EU sanctions hit Stark Industries, infrastructure and IP space were shifted into WorkTitans B.V. (THE.Hosting), while MIRhosting provided upstream connectivity and colocation services.

The case has ties to Copenhagen where a small local hoster (not us 😎) was facilitating a large migration of servers - receiving physical servers and instructions on how to connect them in a Global Connect datacenter in the outskirts of Copenhagen; and doing BGP configuration to move IP blocks to the newly moved servers. Workloads on them were "confidential" (and his new customer apparently insisted on communicating over Telegram); which made the small hoster worry and want to get out of the deal. He was apparently threatened to keep the lights on for quite a while before finally getting out of the deal.

The story has lots of odd details, and I can't confirm them, so I don't want to repeat them here - some of it could be pure fiction. But it's rare for a small-town capital like Copenhagen to suddenly be involved in major Russian cybercrime.
 
Upvote
59 (59 / 0)

Jeff S

Ars Legatus Legionis
11,232
Subscriptor++
It's kind of surprising to me that these groups keep using central command and control servers that can be identified and taken offline, instead of using some sort of peer-to-peer CnC network between all the nodes in the botnet.

Then all you have to do for command and control is find and connect to a few of the nodes using the right private key.
 
Upvote
-7 (0 / -7)

Jeff S

Ars Legatus Legionis
11,232
Subscriptor++
a Russia-based company that provides residential proxy services.

Are there any legit "residential proxy services" or is that just code for "bot net"?

Perhaps the Snowflake add-on for Firefox counts, but that's at least non-profit and voluntary.

I, personally, wouldn't want to join any for-profit residential proxy net, under the assumption that I would be facilitating criminal activity and that the Feds would come knocking down my door after a bit. And/or RIAA, MPAA, or some software publishers association sues me for a bazillion dollars.

That, and also I might find that a bunch of services like Netflix, Hulu, et al blacklist my IP address.
 
Upvote
8 (8 / 0)

Jeff S

Ars Legatus Legionis
11,232
Subscriptor++
I wonder if the bots spamming my ports at home looking for MikroTik routers was part of this network. I have had a lot of port scanning done from the NL. I'll have to check my logs later!
I try not to think too much about what's hammering the public port on my router, but I do wonder how much our nice fast broadband internet is being slowed down by botnets and hackers port scanning and throwing the spaghetti at the firewall.

I use OpenWrt, and am hoping the firewall in that has been keeping me safe.
 
Upvote
9 (9 / 0)

forkspoon

Ars Scholae Palatinae
1,068
Subscriptor++
My PC is checkable, but I can't truly verify that my Internet router is. Personally owned routers, I can update. ISP provided routers with custom firmware? I am at the mercy of the ISP to update the custom firmware based on OEM official releases. My only defense is never using router provided DNS servers and DHCP options.

If your router allows, you can also put it in pass-through mode. You need your own gateway device behind that, but then you have much more control.

As a big bonus, you also get to sidestep their potentially semi-reliable routing and wifi performance.
 
Upvote
3 (3 / 0)

clewis

Ars Tribunus Militum
1,849
Subscriptor++
Are there any legit "residential proxy services" or is that just code for "bot net"?

Perhaps the Snowflake add-on for Firefox counts, but that's at least non-profit and voluntary.

I, personally, wouldn't want to join any for-profit residential proxy net, under the assumption that I would be facilitating criminal activity and that the Feds would come knocking down my door after a bit. And/or RIAA, MPAA, or some software publishers association sues me for a bazillion dollars.

That, and also I might find that a bunch of services like Netflix, Hulu, et al blacklist my IP address.
Tor swings both ways.
 
Upvote
2 (2 / 0)

FelipeBG

Smack-Fu Master, in training
84
Subscriptor
How long were mass-produced cars around before this became a thing? I’m wondering how long it will take lawmakers to realize that device security is only going to happen on a broad scale if there’s legal teeth nipping at the manufacturers.
We need functioning institutions for this to be a thing. I support it.
 
Upvote
2 (2 / 0)

SplatMan_DK

Ars Tribunus Angusticlavius
8,276
Subscriptor++
It's kind of surprising to me that these groups keep using central command and control servers that can be identified and taken offline, instead of using some sort of peer-to-peer CnC network between all the nodes in the botnet.

Then all you have to do for command and control is find and connect to a few of the nodes using the right private key.
Because in real life, that's kind of science fiction and not easily achieved.

Thinking that a P2P network is somehow "anonymous" or "hard to target" is wrong. They are distributed. They can be resilient. But adding new peers to the net has to be an easy ad-hoc task, as the net grows. This means it is as easy for security researchers and state actors to add peers to the network as it is for the network owner. From this beachhead, the network can be monitored and traffic can be analyzed and falsified.

A decentralized structure doesn't automatically hide seed nodes, and doesn't automatically keep traffic and data secret. And even then, you still need a number of trusted nodes to feed the network - nodes the network owner controls and which are static in some way.

Now excuse me while I go write a GUI interface in Visual Basic to track their IP...
 
Upvote
4 (4 / 0)

Sabon

Ars Scholae Palatinae
660
Authorities in the Netherlands said they dismantled a botnet that comprised more than 17 million devices and were managed by 200 servers in a joint operation by the police and the National Cyber Security Center.

I'm confused (NOT REALLY). Did the police and the National Cyber Security Center run the botnet that comprised more than 17 million devices or did they take it down?

According to a report Thursday by the NL Times, the botnet was linked to ASOCKS, a Russia-based company that provides residential proxy services. These services cater to people and organizations who want to obscure their locations or identities by proxying their Internet traffic through third-party devices. Proxy services are often used for illicit or unethical purposes such as performing DDoS attacks, running botnet command-and-control servers, operating phishing operations, and scraping website content.

It is also used by people in countries with repressive and horrible dictatorships and countries like Iran run by religious groups that hate other people they feel are in religious groups JUST BECAUSE they don't believe in the same "profits" (Jesus, Allah, etc) as they do. And they kill their own people in order to stay in power.

It should be noted that the United States (where I live and I'm a citizen) has more people in prison than any other country. A LOT of people are in prison in our "War against drugs", which our federal government both runs and organizes AND fights against.

Drug money has been used to fund "rebels" in different countries in South America in order to have United States friendly rulers. And when those rulers get big heads and stop doing what the United States wants, then we fund a different group of rebels to take them down and put in a new leader.

That's the BIGGEST reason why there is only one Central or South American country that is communist.

Personally, I feel ALL rulers should be taken out and shot. And any new people that become rulers, the same thing should happen to them until we no longer have people trying to inflict their values on everyone else and just let people live their lives who aren't hurting anyone else.

People that hurt children, spouses and animals should also be taken out and shot.
 
Upvote
-1 (0 / -1)