Summary:
Water Barghest has developed a botnet of over 20,000 IoT devices by October 2024, exploiting vulnerabilities to monetize these devices through automated scripts and the Ngioweb malware. The entire process from infection to proxy availability can occur in as little as 10 minutes, highlighting the efficiency of their operations.
Keypoints:
Water Barghest’s botnet consists of over 20,000 IoT devices by October 2024.
The group exploits vulnerabilities in IoT devices to monetize them via a residential proxy marketplace.
Ngioweb malware is deployed to compromised devices, connecting them to command-and-control servers.
The process from initial infection to device availability as a proxy takes as little as 10 minutes.
Both espionage and financially motivated actors have incentives to establish proxy botnets.
Examples of other proxy botnets include VPNFilter and Cyclops Blink, both of which were disrupted by the FBI.
Water Barghest has maintained a low profile for years, avoiding significant scrutiny.
The group automated the entire process of finding and exploiting vulnerable devices.
Water Barghest utilized a zero-day vulnerability against Cisco IOS XE devices in October 2023.
The group targets a wide range of IoT devices from many different manufacturers.
MITRE Techniques:
Initial Access (T1078): Uses compromised IoT devices to gain initial access to networks.
Execution (T1203): Deploys Ngioweb malware to execute commands on compromised devices.
Persistence (T1053): Maintains presence through automated scripts and malware.
Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
Exfiltration (T1041): Exfiltrates data by leveraging compromised IoT devices as proxies.
IoC:
[domain] ngioweb[.]su
[url] ultradomafy[.]net
[ip address] 195.154.43.182
[tool name] Ngioweb
[others] Ubiquiti EdgeRouter
Full Research: https://www.trendmicro.com/en_us/research/24/k/water-barghest.html