The U.S. Department of Justice announced Wednesday the dismantling of the 911 S5 botnet, marking the end of what “is probably the largest botnet ever created in the world,” with more than 19 million unique IP addresses, according to FBI Director Christopher Wray.
Following an investigation by the Department of Justice with the help of foreign partners, including the Singapore Police Force and the Royal Thai Police, the botnet’s alleged operator, YunHe Wang, was arrested last Friday and charged with four federal counts, including conspiracy, computer fraud, and conspiracy to commit wire fraud.
Wang, a 35-year-old Chinese national and citizen of St. Kitts and Nevis in the West Indies, faces up to 65 years in prison if convicted. Authorities say Wang and his co-conspirators used 911 S5 from 2011 to July 2022 to infect millions of devices with backdoor malware and sell the compromised IP addresses to customers, who used them to commit crimes ranging from cyberattacks to child exploitation.
“Cybercriminals take note. Today’s announcement sends a transparent message that the Criminal Division and its law enforcement partners are steadfast in their commitment to disrupt the most technologically complicated criminal equipment and hold perpetrators accountable,” said Nicole M. Argentieri, Principal Deputy Attorney General and head of the Justice Department’s Criminal Division, in a statement.
The massive 911 S5 botnet was built by spreading malware through free VPN programs with names such as ProxyGate, Mask VPN, and Dew VPN, as well as by bundling backdoor software with other software, such as pirated versions of legitimate programs, an unsealed indictment reveals.
The primary targets were Windows-based home computers, though devices connected to corporate and school networks were also affected. Unbeknownst to the owners of the compromised devices, their IP addresses were rented out to others for a fee, allowing 911 S5 customers to hide their own IP address and location while engaging in online criminal activity.
At least 200,000 of the 19 million unique 911 S5 IP addresses were available at any one time for use by 911 S5 customers, who could simply select IP addresses to make it appear that their internet activity originated from a specific location or through a specific internet service provider.
The infected devices were distributed across roughly 200 countries, with more than 613,000 IP addresses compromised in the United States alone. In addition, about 76 of the roughly 150 compromised servers allegedly controlled by Wang to run the botnet’s operations were leased from U.S.-based vendors.
Crimes committed through 911 S5 included cyberattacks, financial fraud, online harassment and bomb threats, export violations, and child exploitation, according to the Justice Department. For example, investigators estimated that $5.9 billion was lost to 560,000 fraudulent unemployment insurance (UI) claims submitted from compromised IP addresses routed through 911 S5, and that more than 47,000 fraudulent Economic Injury Disaster Loan (EIDL) applications are also suspected to have passed through the botnet.
Authorities say Wang earned around $100 million by selling compromised IP addresses, and the unsealed indictment includes a long list of luxury goods and vehicles, cryptocurrency wallets, bank accounts, internet domains, and homes in various countries to be forfeited as part of the criminal action against Wang.
The indictment, along with seizure warrants issued by the Justice Department, revealed the main points of the investigation that led to Wang’s arrest and the shutdown of the 911 S5 botnet.
The investigation began in December 2020, initially led by the Defense Criminal Investigative Service, and was joined by the FBI in February 2022.
In 2021, investigators carried out an undercover operation, purchasing 60 proxy connections on the 911 S5 website and obtaining access to the botnet’s customer software in order to monitor the service. Authorities were also able to download and analyze a sample of the botnet’s malware after tracing one of the compromised IP addresses back to the infected computer of a student at a Texas high school.
Authorities were also able to obtain data on the domain names used to distribute and administer 911 S5 by obtaining records from domain registrar GoDaddy. These records led them to identify Wang as their suspect.
During the investigation, Wang allegedly shut down 911 S5 in July 2022, shortly after a KrebsOnSecurity article named Wang as the botnet’s operator. Wang cited a cyberattack on the 911 S5 service and the deletion of the botnet’s customer records as the reason for the shutdown, according to the seizure warrants.
Despite the shutdown, the millions of compromised devices remained available for exploitation, leading to the botnet’s resurgence and rebranding as CloudRouter in early 2023. The seizure warrants indicate that the government sought to seize all CloudRouter-related assets as well as those tied to 911 S5.
911 S5 operated as a malicious residential proxy service, exploiting millions of illegally hijacked IP addresses around the world by infecting home computers with malware. However, devices connected to corporate, school, or other organizational networks can also be compromised, for example when a computer is used for both work and personal tasks in a work-from-home arrangement.
Malware distributed as part of the 911 S5 operation evolved to evade detection by common antivirus products and to establish persistent backdoor access to the compromised device. With the surge in remote staff resulting from the COVID-19 pandemic, organizations need to ensure that the security of remote employee endpoints is not overlooked.
The botnet was also exploited by malicious actors to commit a range of cybercrimes, including fraud and large-scale cyberattacks. Even with the takedown of 911 S5, other botnets will continue to be used for campaigns ranging from state-sponsored espionage to large-scale phishing and distributed denial-of-service (DDoS) attacks.
With bot traffic likely to outpace human activity in the short to long term, and generative AI giving “bad bots” additional capabilities, organizations need to be prepared with robust measures against DDoS attacks, automated credential stuffing, and other attacks facilitated by malicious botnets.
SC Staff June 7, 2024