Lumen Black Lotus Labs has unveiled a comprehensive investigation into the Ngioweb botnet, revealing an extensive network of approximately 28,000 compromised devices worldwide powering the illegal NSOCKS proxy service. The botnet, first identified in 2017, has evolved into a sophisticated infrastructure that poses significant security risks to various Internet-connected devices.
Infrastructure and Operational Scale
The investigation revealed that NSOCKS operates through more than 180 backconnect nodes for traffic routing, with the Ngioweb botnet providing approximately 80% of its 35,000 proxy servers spread across 180 countries. Researchers discovered that the malicious network employs about 15 different zero-day exploits to compromise targeted devices, demonstrating its technical sophistication and ongoing threat potential.
Target Devices and Infection Vectors
The botnet primarily targets vulnerable SOHO (Small Office/Home Office) and IoT devices running outdated firmware, with a particular focus on products from manufacturers including Zyxel, Reolink, and Alpha Technologies. A concerning recent development shows that Netgear routers now comprise approximately 10% of all infected devices, indicating a strategic shift in the botnet’s targeting approach.
Technical Analysis and Security Implications
While the core malware architecture has remained relatively stable since 2019, significant modifications include the adoption of a Domain Generation Algorithm (DGA) in place of static URLs and the use of DNS TXT records to protect command-and-control communications. However, security researchers identified critical weaknesses in both the botnet’s infrastructure and the NSOCKS service implementation.
Critical Security Flaws
The investigation uncovered a severe lack of authentication in NSOCKS proxy servers: anyone who obtains a proxy’s IP address and port can use it without credentials. These compromised proxies have been identified in public listings and are actively being used to distribute various malware strains, including the notorious Agent Tesla.
In response to these findings, Lumen has partnered with The Shadowserver Foundation to implement traffic blocking measures, significantly disrupting both the Ngioweb botnet and NSOCKS operations. Security researchers have published comprehensive Indicators of Compromise (IoCs) and are actively encouraging organizations to participate in coordinated efforts to detect and mitigate this threat. Network administrators are advised to implement robust security measures, including regular firmware updates and network monitoring, to protect against this evolving threat.