U.S. Dismantles World’s Largest 911 Botnet with 19 Million Infected Devices

The U.S. Department of Justice announced on Wednesday that it had dismantled what it termed “likely the world’s largest botnet ever,” comprising 19 million infected devices leased to other threat actors for a variety of criminal activities. The botnet, known as 911 S5, operated as a residential proxy service with a global reach spanning over 190 countries. YunHe Wang, a 35-year-old Chinese national, was arrested in Singapore on May 24, 2024, for creating and administering the illegal platform from 2014 to July 2022. Wang faces charges of computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering, with a total potential penalty of 65 years in prison. The Justice Department revealed that the botnet was utilized for cyber-attacks, financial fraud, identity theft, child exploitation, harassment, bomb threats, and export violations. Although the service was briefly revived under the name CloudRouter, it ceased operations last weekend, according to Spur’s co-founder Riley Kilmer, as reported by Krebs. Wang and his associates allegedly disseminated malware to compromise millions of residential Windows computers worldwide, amassing a network associated with over 19 million unique IP addresses, including 613,841 in the United States. Wang generated millions of dollars by selling access to these infected IP addresses, earning approximately $99 million. He used the illicit proceeds to purchase luxury cars, expensive wristwatches, and 21 residential or investment properties across the U.S., China, Singapore, Thailand, and the U.A.E.

Attack Overview:

The botnet, with a global footprint spanning more than 190 countries, functioned as a residential proxy service known as 911 S5. YunHe Wang, a 35-year-old Chinese national, was arrested in Singapore on May 24, 2024, for creating and acting as the primary administrator of the illegal platform from 2014 to July 2022. Wang has been charged with computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering, and faces a total penalty of 65 years in prison. The Justice Department said the botnet was used to carry out cyber-attacks, financial fraud, identity theft, child exploitation, harassment, bomb threats, and export violations. Although the service was recreated a few months later under a different brand name, CloudRouter, it stopped operating sometime this past weekend, Spur co-founder Riley Kilmer told Krebs. “Wang and others are alleged to have created and disseminated malware to compromise and amass a network of millions of residential Windows computers worldwide.”

“These devices were associated with more than 19 million unique IP addresses, including 613,841 IP addresses located in the United States. Wang then generated millions of dollars by offering cybercriminals access to these infected IP addresses for a fee.” Wang, for his part, is estimated to have received approximately $99 million from selling access to the hijacked proxied IP addresses, using the ill-gotten money to purchase four luxury cars, several expensive wristwatches, and 21 residential or investment properties across the U.S., China, Singapore, Thailand, and the U.A.E.

Legitimate User Devices:

Residential proxies (RESIPs) exploit legitimate user devices to route traffic for paying subscribers without the owners’ knowledge or consent. Threat actors achieve this by installing proxyware tools on computers, mobile phones, or routers, enrolling those devices in a botnet that is then rented out to customers who want to anonymize the source of their internet traffic. These proxies are particularly dangerous because they use real residential IP addresses, so malicious activity is harder to trace back to the perpetrators, and device owners unknowingly become conduits for cybercrime. The proliferation of proxyware tools has made it easier for threat actors to build extensive networks of compromised devices, which provide a high level of anonymity for malicious traffic and complicate detection and mitigation. Residential proxies therefore blur the line between legitimate and malicious internet traffic, and the covert nature of these operations makes it difficult for both users and security professionals to identify and address the misuse of their devices. This underscores the need for increased vigilance and stronger security measures to prevent devices from being hijacked for nefarious purposes.

Objective of Proxyware Devices:

The primary goal of using proxyware services is to route traffic through the IP addresses of compromised devices, thereby anonymizing the origin of malicious requests. This technique leverages real user IP addresses to mask the true source, making it difficult to trace back to the perpetrators. By funneling traffic through unsuspecting users’ devices, threat actors can carry out illicit activities with a higher level of anonymity. This method complicates detection and mitigation efforts, as it blurs the distinction between legitimate and malicious traffic. Overall, the misuse of proxyware for anonymity highlights the need for robust security measures to protect devices from exploitation.

Free VPN (Virtual Private Network) Programs:

  • MaskVPN: MaskVPN offers a virtual private network (VPN), which extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.
  • DewVPN: DewVPN is a 100% free unlimited VPN service with no time, bandwidth, speed, or location-switching limits. It has built-in privacy features: users can choose whether to disable WebRTC, and can manage their browser Canvas fingerprint with the DewVPN browser extension for Firefox and Chrome.

Sanctions:

The Department of the Treasury’s Office of Foreign Assets Control (OFAC) levied sanctions against the defendant along with his co-conspirator Jingping Liu and power of attorney Yanni Zheng for their activities associated with the 911 S5 botnet and the residential proxy service.

The agency also sanctioned three Thailand-based entities, namely Spicy Code Company Limited, Tulip Biz Pattaya Group Company Limited, and Lily Suites Company Limited that are said to be owned or controlled by Wang, noting that Spicy Code Company Limited was used to buy real estate properties in the country.

“The conduct alleged here reads like it’s ripped from a screenplay: A scheme to sell access to millions of malware-infected computers worldwide, enabling criminals over the world to steal billions of dollars, transmit bomb threats, and exchange child exploitation materials,” said Matthew S. Axelrod of the U.S. Department of Commerce’s Bureau of Industry and Security (BIS).

Remediation Steps:

  1. Understand Botnet Infiltration: It is important to know precisely how a botnet gets into your system and takes it over for malicious purposes. Your device can become infected any time you visit a malicious site that silently downloads malware without you ever noticing.
  2. Identify the Attacks: Brush up on your knowledge and learn about the latest botnet attacks through sites like Wired, CNET, or SearchSecurity. Tech publications and forums frequently update their content with the latest attacks. For example, Zeus botnets are a known Trojan horse for Windows created to steal banking information.
  3. Reset Your Device: It is usually advised to reset your routers and any wireless equipment, but you still need to take additional action, such as changing the default passwords and proactively monitoring for unusual behavior. Otherwise, the botnet may fall back on a safety trigger to reinstall itself and take over your device again.
  4. Restrict Access: Your devices need more protection to mitigate attacks and keep your systems safe. This is especially important for businesses with multiple devices used by employees who often use public wireless networks or work in the field. You can tighten your web application firewall settings and rules to restrict the malware’s inbound or outbound network traffic. Businesses that handle sensitive data and regularly connect to the cloud may also need stronger safeguards to protect their users’ devices.
  5. Disconnect from the Internet: Disconnecting the infected device from the Internet can prevent the botmaster from issuing further commands and receiving information from the bot.
  6. Run an Antivirus Scan: Antivirus software can detect and remove the malware that is used to control the bot.
  7. Use Strong Device Authentication: Set strong passwords and enable two-step verification. Weak passwords make it easy for attackers to break into a user’s account.
  8. Get Professional Monitoring: Depending on how much time you can devote to keeping your systems safe, you may need a professional monitoring service to help detect and deflect botnet attacks and restore your systems afterwards. The service you choose should have a reputation for monitoring specifically for botnets and take a proactive approach to prevention.
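The behaviour described in the Legitimate User Devices and Objective of Proxyware Devices sections (a compromised device quietly relaying other people’s traffic out of its own residential IP) and the advice in step 3 to proactively monitor for unusual behaviour can be turned into a concrete network check. The Python script below is an added example written for this article; it is not code from the page, from the 911 S5 operation, or from any vendor. The flow records, the LAN range 192.168.1.0/24, and the thresholds (25 destinations, 5 ports, a 30-minute control connection) are all constructed assumptions that a real deployment would tune.

```python
"""Spotting a device that has been turned into a residential proxy exit.

Added example for this article; not code from the page or from any vendor.
The flow records are constructed and the thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("192.168.1.0/24")   # assumed home/office LAN
WINDOW = 3600                                  # one-hour buckets
FANOUT_DESTS = 25             # assumed: distinct external hosts per window
FANOUT_PORTS = 5              # assumed: distinct destination ports per window
CONTROL_MIN_DURATION = 1800   # assumed: a connection held open for >= 30 min


@dataclass(frozen=True)
class Flow:
    """One connection summary, as a router or flow collector would export it."""
    ts: int         # start time, seconds since the epoch
    src: str
    dst: str
    dport: int
    duration: int   # seconds the connection stayed open
    bytes_out: int  # bytes sent by src
    bytes_in: int   # bytes received by src


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL_NET


def detect_relay_hosts(flows):
    """Return {internal_host: [reasons]} for hosts whose outbound traffic looks
    like a proxy exit: a burst of connections to many unrelated destinations on
    many ports, optionally alongside a long-lived two-way "control" connection
    (the channel through which a proxy backend hands the device work)."""
    buckets = defaultdict(lambda: defaultdict(list))
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            buckets[f.src][f.ts // WINDOW].append(f)

    findings = {}
    for host, per_window in buckets.items():
        for _, fl in sorted(per_window.items()):
            dests = {f.dst for f in fl}
            ports = {f.dport for f in fl}
            if len(dests) < FANOUT_DESTS or len(ports) < FANOUT_PORTS:
                continue   # looks like ordinary browsing for this hour
            reasons = [f"fan-out: {len(dests)} destinations on {len(ports)} ports"]
            control = [f for f in fl
                       if f.duration >= CONTROL_MIN_DURATION and f.bytes_in and f.bytes_out]
            if control:
                c = max(control, key=lambda f: f.duration)
                reasons.append(f"long-lived control channel to {c.dst}:{c.dport} "
                               f"({c.duration}s)")
            findings.setdefault(host, []).extend(reasons)
    return findings


def sample_flows():
    """Constructed traffic: one normal laptop and one device relaying for a proxy service."""
    t0 = 1_700_002_800   # aligned to the start of a WINDOW bucket
    flows = []
    # 192.168.1.10: a handful of visits to three sites over HTTPS
    for i in range(6):
        flows.append(Flow(t0 + i * 300, "192.168.1.10",
                          f"198.51.100.{200 + i % 3}", 443, 12, 4_000, 60_000))
    # 192.168.1.20: keeps one connection to a backend open for two hours ...
    flows.append(Flow(t0, "192.168.1.20", "203.0.113.5", 443, 7200, 50_000, 900_000))
    # ... and meanwhile opens short connections to 40 unrelated hosts on six ports
    ports = [80, 443, 8080, 25, 993, 587]
    for i in range(40):
        flows.append(Flow(t0 + 30 + i * 60, "192.168.1.20",
                          f"198.51.100.{i + 1}", ports[i % len(ports)], 8, 1_500, 20_000))
    return flows


if __name__ == "__main__":
    for host, reasons in detect_relay_hosts(sample_flows()).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

On the wire, a proxy exit looks like a device that suddenly talks to dozens of unrelated hosts on web, mail and alternative ports while holding one connection to a backend open for hours; ordinary home browsing clusters on a few destinations and one or two ports. Run against real NetFlow or IPFIX exports, the thresholds need tuning per network, and a fan-out hit is a lead for the device reset and antivirus scan in steps 3 and 6 rather than proof of infection on its own.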