Source |
RiskIQ |
Identifier |
8613803 |
Publication date |
2024-11-19 00:35:14 (viewed: 2024-11-19 01:08:29) |
Title |
Inside Water Barghest's Rapid Exploit-to-Market Strategy for IoT Devices |
Text |
## Snapshot
Trend Micro released a report detailing the activities of Water Barghest, a cybercriminal group operating a highly automated botnet operation that exploits vulnerabilities in Internet of Things (IoT) devices to monetize them as residential proxies.
## Description
Active for over five years, the group uses public internet scan databases (e.g., Shodan) to identify vulnerable devices and deploys Ngioweb, which runs only in memory and leaves no persistence on disk. Infected devices are registered with command-and-control (C2) servers and listed on a residential proxy marketplace, often within 10 minutes of compromise.
The botnet's infrastructure is remarkably efficient, automating every stage of the operation, from identifying and exploiting IoT vulnerabilities to monetizing the devices. While the group primarily uses known vulnerabilities, it has also exploited zero-days, such as the Cisco IOS XE flaw in 2023, which drew significant industry attention. Its reliance on cryptocurrency and careful operational security helped it avoid detection for years.
Water Barghest's operations have evolved since 2018, initially targeting Windows machines before shifting to IoT devices in 2020. The group now exploits a wide range of devices, including ones from Cisco, Netgear, and Synology, and continues to update Ngioweb to extend its capabilities. The botnet relies on virtual private servers (VPS) to continuously scan for and compromise devices. The resulting residential proxy network is tied to a commercial marketplace where customers rent backconnect proxies for anonymity.
The group's activities highlight a growing challenge: demand for anonymization services fuels the proliferation of such botnets. Effective IoT security measures and limiting the exposure of IoT devices to the open internet are critical to mitigating this threat.
## Recommendations
**Microsoft recommends the following mitigations to protect IoT devices.**
- Only install applications from trusted sources and official stores.
- If a device is no longer receiving updates, strongly consider replacing it with a new device.
- Use mobile solutions such as [Microsoft Defender for Endpoint on Android](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android?view=o365-worldwide) to detect malicious applications.
- Always keep the "Install unknown apps" setting disabled on Android devices to prevent apps from being installed from unknown sources.
- Evaluate whether [Microsoft Defender for Internet of Things (IoT)](https://learn.microsoft.com/en-us/azure/defender-for-iot/organizations/overview) services are applicable to your IoT environment.
## Detections/Hunting Queries
### Microsoft Defender Antivirus
Microsoft Defender Antivirus detects threat components as the following malware:
- [Trojan:Linux/Multiverze](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/Multiverze)
- [Trojan:Linux/Ngioweb](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Linux/Ngioweb.A!rfn)
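Beyond the antivirus names above, a practitioner may want a host-side hunt for the behaviour the description attributes to Ngioweb: a process that runs only in memory with no persistent file on disk. The script below is an added example, not code from the Trend Micro report or from Microsoft's detection content. It applies a generic Linux heuristic: a process whose `/proc/<pid>/exe` link resolves to an unlinked binary (`(deleted)`), to an anonymous memfd, or to a RAM-backed path under `/dev/shm` is worth a closer look. The indicator labels and the sample process table are constructed for the example and are not real Ngioweb indicators; `read_live_proc()` is an assumed helper for running the same check on a live host.

```python
"""Hunt for memory-resident Linux processes (added example, not from the report)."""
import os
import re
import sys
from dataclasses import dataclass

# Heuristics applied to the resolved /proc/<pid>/exe link. These are assumptions for
# the example, not indicators published for Ngioweb.
EXE_INDICATORS = (
    (re.compile(r" \(deleted\)$"), "exe-unlinked"),   # binary removed after exec
    (re.compile(r"^/memfd:"), "memfd-backed"),        # memfd_create() anonymous file
    (re.compile(r"^/dev/shm/"), "tmpfs-dev-shm"),     # RAM-backed filesystem, gone on reboot
)


@dataclass(frozen=True)
class ProcInfo:
    pid: int
    exe: str       # target of /proc/<pid>/exe
    cmdline: str   # /proc/<pid>/cmdline with NUL separators replaced by spaces


def classify(proc: ProcInfo) -> list:
    """Return the indicator labels matching this process (empty list if none)."""
    return [label for pattern, label in EXE_INDICATORS if pattern.search(proc.exe)]


def hunt(procs) -> dict:
    """Map pid -> matching indicator labels for every process with at least one match."""
    findings = {}
    for proc in procs:
        labels = classify(proc)
        if labels:
            findings[proc.pid] = labels
    return findings


def read_live_proc() -> list:
    """Collect ProcInfo for all visible processes from /proc (Linux only; run as root)."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # kernel threads have no exe; other users' processes may be unreadable
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
        except OSError:
            cmdline = ""
        procs.append(ProcInfo(pid, exe, cmdline))
    return procs


# Constructed sample process table (not captured from a real infection).
SAMPLE_PROCS = [
    ProcInfo(1, "/usr/lib/systemd/systemd", "/sbin/init"),
    ProcInfo(412, "/usr/sbin/sshd", "sshd: /usr/sbin/sshd -D"),
    ProcInfo(2031, "/tmp/.x (deleted)", "/tmp/.x"),                    # dropper unlinked itself
    ProcInfo(2044, "/memfd:a (deleted)", "/memfd:a"),                  # fileless via memfd_create
    ProcInfo(2050, "/dev/shm/.cache/httpd", "/dev/shm/.cache/httpd"),  # RAM-backed tmpfs
]


if __name__ == "__main__":
    # Run against the live host with --live; otherwise use the constructed sample.
    table = read_live_proc() if "--live" in sys.argv else SAMPLE_PROCS
    for pid, labels in sorted(hunt(table).items()):
        print(f"pid {pid}: {', '.join(labels)}")
```

Because the implant does not persist, a device that comes back clean after a reboot but is flagged again minutes later is itself a signal: the vulnerability is still exposed to the internet and the automated scanning described above has simply reinfected it.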
## References
[Inside Water Barghest's Rapid Exploit-to-Market Strategy for IoT Devices](https://www.trendmicro.com/en_us/research/24/k/water-barghest.html). Trend Micro (accessed 2024-11-18).
## Copyright
**© Microsoft 2024**. All rights reserved. Reproduction or distribution of the content of this site, or any part thereof, without written permission of Microsoft is prohibited.
|
Notes |
★★
|
Sent |
Yes |
Tags |
Malware
Tool
Vulnerability
Threat
Mobile
Prediction
Commercial
|