Water Barghest Hijacks IoT Devices for Massive Proxy Network
Trend Micro has uncovered a new cyber threat campaign in which the Water Barghest group transforms thousands of vulnerable IoT devices into proxy networks within minutes of their compromise. Since 2020, the attackers have infected over 20,000 devices, leveraging automated tools to rapidly scale their operations.
According to Trend Micro, the entire process—from initial infection to listing the compromised device on a proxy marketplace—takes less than 10 minutes. These proxies are offered to other cybercriminals and groups, including state-sponsored actors, providing anonymity through geographically plausible IP addresses for attacks and access to stolen data.
The Water Barghest campaign came to light following the dismantling of the Pawn Storm botnet infrastructure, also known as APT28, by the FBI in January. During their investigation, Trend Micro analysts examined compromised EdgeRouter devices, leading to the identification of the Ngioweb botnet employed by Water Barghest.
Ngioweb was first observed in 2017, but this campaign utilizes an updated version of the malware targeting devices such as EdgeRouter, Cisco, DrayTek, Fritz!Box, and Linksys, primarily in the United States. The attack begins with the exploitation of vulnerabilities identified through databases like Shodan, followed by the use of these weaknesses to gain access.
The malware operates within the device’s RAM, making it ephemeral—rebooting the device eliminates the infection. Once installed, the program connects to command-and-control servers to test the connection, after which the device is automatically listed on the aforementioned proxy marketplace.
Despite law enforcement efforts to combat similar networks, such as VPNFilter and Cyclops Blink, Trend Micro warns that IoT devices exposed to the internet remain highly vulnerable. The growing demand for proxy services among cybercriminal groups suggests that such attacks are likely to persist.
Trend Micro advises minimizing the exposure of IoT devices to the internet and implementing additional security measures to prevent their exploitation in campaigns like these.
