{"id":6299,"date":"2024-11-19T08:00:00","date_gmt":"2024-11-19T14:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=82668"},"modified":"2024-11-19T08:00:00","modified_gmt":"2024-11-19T14:00:00","slug":"botnet-serving-as-backbone-of-malicious-proxy-network-taken-offline","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/11\/19\/botnet-serving-as-backbone-of-malicious-proxy-network-taken-offline\/","title":{"rendered":"Botnet serving as \u2018backbone\u2019 of malicious proxy network taken offline\u00a0"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Botnet serving as \u2018backbone\u2019 of malicious proxy network taken offline&nbsp; | CyberScoop<\/title> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/proxy-services-cybercrime-ngioweb-botnet-nsocks\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Botnet serving as \u2018backbone\u2019 of malicious proxy network taken offline&nbsp;\"> <meta property=\"og:description\" content=\"Lumen Technology\u2019s Black Lotus Labs took the ngioweb botnet and NSOCKS proxy offline Tuesday.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/proxy-services-cybercrime-ngioweb-botnet-nsocks\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-11-19T14:00:00+00:00\"> <meta property=\"article:modified_time\" content=\"2024-11-19T14:24:45+00:00\"> <meta property=\"og:image\" 
content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/botnet-serving-as-backbone-of-malicious-proxy-network-taken-offline-2.jpg\"> <meta property=\"og:image:width\" content=\"2121\"> <meta property=\"og:image:height\" content=\"1414\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"mbracken\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1731444340g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1731960560g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1732010462g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=ddc036fa194c40cf406f\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/82668\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7\">\n<link rel=\"shortlink\" 
href=\"https:\/\/cyberscoop.com\/?p=82668\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fproxy-services-cybercrime-ngioweb-botnet-nsocks%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fproxy-services-cybercrime-ngioweb-botnet-nsocks%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-82668 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/proxy-services-cybercrime-ngioweb-botnet-nsocks\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> 
<svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.706806282723\">\n<div class=\"single-article__header-content\" readability=\"33.188010899183\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/proxy-services-cybercrime-ngioweb-botnet-nsocks\/\"> <span>Cybercrime<\/span> <\/a> <\/li>\n<\/ul>\n<p> Lumen Technology\u2019s Black Lotus Labs took the ngioweb botnet and NSOCKS proxy offline Tuesday. <\/p>\n<p> <!-- Listen to this article section --> <!-- Audio Element --><br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/82668\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p> <!-- Countdown Timer --> <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p> <!-- Tooltip --> <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. 
<\/span> <\/p>\n<\/div>\n<p> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/botnet-serving-as-backbone-of-malicious-proxy-network-taken-offline.jpg?resize=640%2C426&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/botnet-serving-as-backbone-of-malicious-proxy-network-taken-offline-2.jpg 2121w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/botnet-serving-as-backbone-of-malicious-proxy-network-taken-offline-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/botnet-serving-as-backbone-of-malicious-proxy-network-taken-offline-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/botnet-serving-as-backbone-of-malicious-proxy-network-taken-offline-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/botnet-serving-as-backbone-of-malicious-proxy-network-taken-offline-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/botnet-serving-as-backbone-of-malicious-proxy-network-taken-offline-2.jpg?resize=2048,1365 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/botnet-serving-as-backbone-of-malicious-proxy-network-taken-offline-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/botnet-serving-as-backbone-of-malicious-proxy-network-taken-offline-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/botnet-serving-as-backbone-of-malicious-proxy-network-taken-offline-2.jpg?resize=506,337 506w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/botnet-serving-as-backbone-of-malicious-proxy-network-taken-offline-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/botnet-serving-as-backbone-of-malicious-proxy-network-taken-offline-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"37.005009107468\"><body readability=\"75.023084994753\"><\/p>\n<p>Whether it\u2019s for espionage purposes or financially motivated cybercrime, proxy services are a common tool in the attacker toolbox. Often used to disguise the true origin or location of malicious activity, proxies can be lucrative for malicious actors, who create them via a botnet and sell access in order for others to run their schemes, which can range from malware delivery to data theft to distributed denial of service (DDoS) attacks.&nbsp;<\/p>\n<p>While it can be difficult for defenders to get a handle on these networks, it\u2019s not impossible. Security experts at Lumen Technologies\u2019 Black Lotus Labs, the cybersecurity firm Spur and the Shadowserver Foundation took down the long-running \u201cngioweb\u201d botnet Tuesday, which served as a backbone for several malicious proxy services. 
Additionally, researchers at Black Lotus Labs chronicled how threat actors have co-opted various proxy services using the botnet to&nbsp;not only obfuscate malicious traffic, but conduct a whole host of cybercrimes.&nbsp;<\/p>\n<p>\u201cThough this enterprise was built to offer criminals an avenue to proxy their traffic, users have abused and altered the network into its present state \u2014 one which directly supports many other forms of malicious activity such as obfuscating malware traffic, credential stuffing, and phishing,\u201d <a href=\"https:\/\/blog.lumen.com\/one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet\/\">researchers wrote in the blog<\/a>. \u201cBotnets such as these present a concerning and persistent threat to legitimate organizations across the internet.\u201d&nbsp;<\/p>\n<p>The research conducted by the telecom company is particularly focused on the relationship between ngioweb and the criminal proxy service NSOCKS. First discovered in 2017, the ngioweb botnet consists largely of small office\/home office (SOHO) routers and Internet of Things (IoT) devices, which have been co-opted into the botnet via what researchers categorize as a \u201csubstantial number\u201d of router-focused vulnerabilities. Researchers found that 80% of the NSOCKS bots \u2014 which consist of 35,000 machines in 180 countries \u2014 originate from the ngioweb botnet.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Further research by Black Lotus Labs uncovered how threat actors are using NSOCKS: The proxies, which can be obtained through a rudimentary Google search and a cryptocurrency payment, can be focused on specific targets, like government (.gov) or educational (.edu) websites. 
Additionally, the way NSOCKS is set up allows attackers to easily plan and coordinate DDoS attacks.<\/p>\n<p>\u201cProxy botnets are becoming increasingly popular and, consequently, more dangerous,\u201d the blog states. \u201cThese networks are often leveraged by criminals who find exploits or steal credentials, providing them with a seamless method to deploy malicious tools without revealing their location or identities.\u201d<\/p>\n<p>Both financially motivated and nation-state threat actors have been tied to the ngioweb botnet and NSOCKS proxies. Palo Alto Networks\u2019 Unit 42 research team <a href=\"https:\/\/unit42.paloaltonetworks.com\/muddled-libra\/\">linked Muddled Libra<\/a>, a group related to Scattered Spider, to NSOCKS use in March. Trend Micro found that Pawn Storm (APT28), a group with ties to Russia\u2019s Main Intelligence Directorate (GRU), uses the same devices as those co-opted into the ngioweb botnet.&nbsp;<\/p>\n<p>\u201cThis means that many devices infected with ngioweb malware are likely being abused by multiple groups simultaneously,\u201d the blog states.&nbsp;<\/p>\n<p>While botnets like these are sure to surface again in the future, Black Lotus Labs says both corporate security teams and individual users can take action to keep their machines from being co-opted into malicious activity. Corporate network defenders should be aware of attacks on weak passwords and watch for suspicious logins from residential IP addresses, since traffic from such addresses can bypass some security measures. 
Individuals using SOHO routers should regularly reboot devices, install security updates, and replace routers that are no longer supported.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.9870466321244\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/botnet-serving-as-backbone-of-malicious-proxy-network-taken-offline-1.jpg?w=640&#038;ssl=1\" alt=\"Greg Otto\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Greg Otto<\/h4>\n<p> Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News &amp; World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" 
class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/proxy-services-cybercrime-ngioweb-botnet-nsocks\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Botnet serving as \u2018backbone\u2019 of malicious proxy network taken offline&nbsp;<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[2707,2080,282,174,3131,3132,2880,3133],"tags":[2709,2082,286,178,3134,3135,2882,3136],"class_list":["post-6299","post","type-post","status-publish","format-standard","hentry","category-black-lotus-labs","category-botnets","category-cybercrime","category-ddos","category-ngioweb","category-nsocks","category-shadowserver","category-spur","tag-black-lotus-labs","tag-botnets","tag-cybercrime","tag-ddos","tag-ngioweb","tag-nsocks","tag-shadowserver","tag-spur"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/black-lotus-labs\/\" rel=\"category tag\">Black Lotus Labs<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/botnets\/\" rel=\"category tag\">botnets<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ddos\/\" rel=\"category tag\">DDoS<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ngioweb\/\" rel=\"category tag\">ngioweb<\/a> <a 
href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/nsocks\/\" rel=\"category tag\">NSOCKS<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/shadowserver\/\" rel=\"category tag\">Shadowserver<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/spur\/\" rel=\"category tag\">Spur<\/a>","tag_info":"Spur","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6299","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=6299"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6299\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=6299"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=6299"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=6299"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}