Account hijacking in Telegram has become a serious criminal business in today’s world. Scammers employ sophisticated methods to steal access to accounts, and then use them to attack other users through deepfakes, social engineering, and other techniques. Here’s how it typically works: having stolen an account, scammers send phishing messages to all its contacts — such as “Hi, I urgently need money. Can you help me?”, Please vote for me if you have a moment or You’ve received a gift – a one-year subscription to Telegram Premium — to hijack even more accounts.

These messages often have phishing links at the other end, which look legitimate — for example, https://t.me/premium — but actually redirect users to fraudulent websites. If you click the link and follow the scammer’s instructions, you’ll likely lose access to your Telegram account (especially if you haven’t set up two-step verification in Telegram). Your contacts may then receive similar phishing messages from your account.

Stolen or fake accounts can also be used for complex targeted attacks — sometimes employing deepfakes to deceive employees of organizations. You might encounter messages allegedly from company management that include personal details like your full name, mentioning some kind of inspection by government authorities, and demanding confidential information or financial assistance in an air of complete secrecy. These are always fake.

Meanwhile, the original Telegram account owner might not even realize at first that their account has been compromised. They continue chatting with friends, reading their favorite channels, and assuming they’re safe from scammers. How is this possible? This happens because Telegram allows multiple sessions to the same account from different devices. Having gained access to your account, scammers open a session on their device without closing your active sessions. Then they send messages, and immediately delete them on the sender’s side only. In this way, recipients see the messages, but the victim doesn’t.

As we are seeing, scammers are interested in everyone — even the most ordinary of Telegram users. In this article, we address two key questions: how to know if your Telegram account has been hacked, and if it has, what should you do?

How to know if your Telegram account has been hacked

The following are possible signs that your account has been hacked: your username or profile picture has changed; you’ve been entered into some suspicious competitions; you see a message sent from your account that’s then immediately deleted; your friends tell you they’ve received strange messages from you that you can’t see. Let’s go through these one by one…

Changes to your username or profile picture. Scammers might alter your username to include a phishing link or put the link in your bio. They might also modify your profile picture to their advantage. For example, adding a note to your photo asking for help: “I’m in trouble, please help me however you can”. Any change of information without your knowledge indicates a compromise. In short, if something has changed “by itself”, then most likely attackers are responsible: you’ve been hacked.

Participation in suspicious activities. Scammers might send you a link to activate a Telegram Premium gift subscription, and if you “activate” it, your account will be stolen. This is a fairly popular account hijacking scam, which we’ve covered in detail on the Kaspersky Daily blog. Popular, yes — but far from the only one. Here’s another one: asking for help to win a vote.

Friends report receiving strange messages from you, which you don’t see. Scammers work hard to conceal the fact that your account has been hacked. They delete all messages sent from your account on the sender’s side. The recipient gets the message (and can even reply), but you won’t know about it unless your friends inform you.

You receive a login code for a new device. However, you definitely didn’t attempt to log in, and all your known devices are already connected to your account. Scammers usually delete such messages immediately, but if you spot a request for such a code, your account is under attack right there and then.

If you notice any of these signs, act quickly — you’ve only 24 hours to save your account. Why 24 hours? Telegram has built-in protection against account theft — preventing new devices from terminating active sessions on other devices within the first 24 hours. After 24 hours, the scammers will end all other sessions on your account, and you’ll lose all access.

What to do if your Telegram account has been hacked

Here are some basic countermeasures to take if you detect signs of a Telegram account hack.

Terminate all unknown sessions

To do this, go to Settings → Devices → Terminate all other sessions (in desktop clients, this section might be called Active sessions). This will log out all sessions except the current one, cutting off the scammers’ access to your account.

How to terminate sessions in Telegram

Alternatively, you can choose specific sessions to terminate by selecting them and clicking Terminate Session, or by clicking Edit in the top right corner of the screen.

Contact technical support

To do this, navigate to Settings → Ask a question to reach Telegram support. While this might seem a safe option, the 24-hour timeline could play into the scammers’ hands here: Telegram support is handled by volunteers, so a response may take time in coming. So first of all, you should terminate all unknown sessions (see above), and enable two-factor authentication (see below).

If you proceed with contacting support, you’ll enter a chat with the Volunteer Support bot. Note that this bot can only be initiated through Settings → Ask a question — remember this to avoid falling victim to scams. The bot will provide instant FAQ answers, but there’s no option for “Account hacked” in its standard menu. To get help from a human, either select Skip and process to volunteers, or type your request in the chat, and press Yes, redirect me. Telegram will inform you that most volunteers communicate in Russian or English.

How to contact Telegram support and speak to a person instead of a bot

If you’ve already lost access to your Telegram account, there’s another way to contact Telegram support: fill out a form on the official website specifying the issue, your phone number, and your email.

Recover access to your Telegram account via SMS code

If more than 24 hours have passed and you no longer have access to your account on any device (because the hackers ended all your sessions), try recovering it with your phone number:

1. Open the Telegram app
2. Enter your phone number and confirm it
3. Select Tap to get a code via SMS
4. Enter the received code
5. Enter your two-step verification password, if set
6. End all other sessions

Bear in mind that you need to act quickly here: once you enter your phone number, all devices with an active session linked to this number will receive a notification in Telegram. This means the hackers will know you’re attempting to regain access.

Create a new Telegram account with the same number

If you can’t recover your account, the only way to continue using Telegram with the same phone number is to delete the old account and create a new one. However, in this case, you’ll permanently lose your chat history and administrator rights in your channels.

You can only delete your Telegram account if you have access to it, or if you’ve set up two-step verification. If you’ve at least one open session, go to Settings → Privacy and Security → Automatically delete my account if away for… → Delete Account Now.

If you don’t have access to your account but have two-step verification set up, you can delete the account as follows:

1. Open the Telegram app
2. Enter your phone number
3. Select Forgot password?
4. Select Unable to access <your email address>
5. Select Reset account

If you don’t have access to your account on any device, and two-step verification is disabled, you can’t delete the account. Warn your friends and family about the loss of access so they don’t fall for scams sent from your account.

How to protect your Telegram account from being hacked

The best thing you can do right now to protect your account is to set up two-step verification. This means a password will be required in addition to a code when logging in from a new device. This additional security factor will make hacking more difficult, give you more time to react, and allow you to delete the account in case you lose access.

Go to Settings → Privacy and Security → Two-Step Verification. Next, create a password, enter a recovery email, and confirm it by entering the code you receive.

The password should be strong and unique to make it difficult for scammers to guess. To create and store secure passwords, we recommend using Kaspersky Password Manager.

Be sure to share this guide with friends and family — especially those new to Telegram, to help them stay safe in the digital space.

Kaspersky official blog – ​Read More

Overview

Cyble has identified multiple instances of exploitation attempts, malware intrusions, financial fraud, and brute-force attacks. The data is captured in real-time via Cyble’s comprehensive network of Honeypot sensors, providing valuable insights into the nature of cyber threats.

Cyble’s latest Sensor Intelligence report from December 4th to December 10th, 2024, provides in-depth analysis on a range of vulnerabilities, including high-profile malware variants, phishing scams, and CVE (Common Vulnerabilities and Exposures) attempts.

Cyble’s Global Sensors Intelligence (CGSI) network has detected several attack vectors, many of which target critical vulnerabilities in Internet of Things (IoT) devices and widely used software platforms.

The report covers a broad spectrum of threats, including well-known Linux malware variants such as Mirai and Gafgyt, along with exploitation attempts involving the Telerik UI and Cisco ASA. Below are some key insights into the most prevalent vulnerabilities observed during the reporting period.

Case Studies on Vulnerabilities and Exploits

1. PHP CGI Argument Injection Vulnerability (CVE-2024-4577)
   A critical vulnerability in PHP configurations has been detected, enabling attackers to execute arbitrary commands through specially crafted URL parameters. This vulnerability could lead to severe system compromise if left unpatched. Organizations are urged to patch PHP configurations and restrict access to vulnerable systems to mitigate potential exploitation.
2. OSGeo GeoServer Eval Injection Vulnerability (CVE-2024-36401)
   Cyble identified a remote code execution (RCE) vulnerability in GeoServer versions prior to 2.23.6, 2.24.4, and 2.25.2. This issue arises from the unsafe evaluation of request parameters, allowing unauthenticated users to execute arbitrary code. To mitigate the threat, the report recommends updating to the latest GeoServer versions and removing the vulnerable gt-complex library.
3. Ruby SAML Improper Signature Verification (CVE-2024-45409)
   The Ruby-SAML library, a widely used tool for implementing the client side of SAML authentication, was found to have improper cryptographic signature verification in versions 12.2 and 1.13.0 to 1.16.0. Attackers could exploit this vulnerability to forge SAML responses and gain unauthorized access to systems. Updating to Ruby-SAML versions 1.17.0 or 1.12.3 is recommended to mitigate this risk.
4. Cisco IOS XE Web UI Privilege Escalation Vulnerability (CVE-2023-20198, CVE-2023-20273)
   Cyble has reported ongoing exploitation of the web UI feature in Cisco IOS XE Software. The initial compromise occurs via the CVE-2023-20198 vulnerability, which allows attackers to gain access and escalate privileges to root. Organizations are advised to implement Cisco’s recommended patches to secure their systems.
5. Joomla Improper Access Check-in Webservice Endpoints (CVE-2023-23752)
   An improper access check vulnerability was discovered in Joomla versions 4.0.0 through 4.2.7, allowing unauthorized access to webservice endpoints. This can expose sensitive information and allow attackers to execute malicious actions. Updating Joomla to the latest version is critical for organizations using this content management system.
6. ownCloud GraphAPI Information Disclosure (CVE-2023-49103)
   A vulnerability in the ownCloud GraphAPI app can disclose sensitive system information, including environment variables, which may contain credentials and other sensitive data. To prevent data leaks, the app must be disabled or updated to the latest patched version.
7. Apache OFBiz SSRF Vulnerability (CVE-2023-50968)
   Apache OFBiz was found to have a server-side request forgery (SSRF) vulnerability that attackers could exploit to read arbitrary file properties. Upgrading to version 18.12.11 is recommended to eliminate this threat.
8. Citrix NetScaler ADC Buffer Overflow Vulnerability (CVE-2023-4966)
   Citrix NetScaler ADC and Gateway devices were found to be vulnerable to sensitive information disclosure due to a buffer overflow. This can lead to unauthorized access to internal network resources. Patch management and network monitoring are crucial to protecting against this vulnerability.

Malware and Attack Analysis

Cyble’s analysis also focuses on various malware threats observed across different regions. One notable example is the emergence of a new anti-banking Trojan called AppLite Banker. This sophisticated malware is distributed through phishing campaigns disguised as CRM applications. Once installed, it abuses Android’s Accessibility Services to overlay fake login screens on legitimate applications, tricking users into revealing their credentials.

AppLite employs advanced evasion techniques, such as manipulating APK file structures to avoid detection by static analysis tools. After installation, it can execute commands remotely, exfiltrate financial data, and even control infected devices through features like screen unlocking and interaction simulation. The malware’s global reach is further evidenced by its multilingual capabilities, making it a persistent threat to users worldwide.

CVE Attack Attempts: A Closer Look

In the past week, Cyble observed a high volume of exploit attempts targeting several CVEs. The most frequently attempted CVE was CVE-2020-11899, which saw 25,736 attack attempts. This vulnerability affects the Treck TCP/IP stack and can lead to an IPv6 out-of-bounds read. Other notable CVEs include CVE-2019-0708, a remote code execution flaw in Remote Desktop Services, and CVE-2021-44228, the infamous Log4j vulnerability, which continues to be a major vector for attacks.

Cyble’s extensive network of sensors detected these attacks and provided critical data to help organizations understand and defend against these vulnerabilities. As CVE-2020-11899 continues to be a primary target for cybercriminals, organizations are urged to patch vulnerable systems to prevent potential breaches.

Recommendations and Mitigations

To mitigate the risks highlighted in this report, Cyble recommends the following actions:

1. Regularly update software and hardware systems to patch known vulnerabilities. This includes applying updates for CVEs and software-specific flaws identified in the report.
2. Use threat intelligence feeds to block IP addresses associated with known attackers and malware distribution.
3. Enforce the use of strong passwords and implement multi-factor authentication (MFA) to reduce the risk of brute-force and credential-stuffing attacks.
4. Continuously monitor for Indicators of Compromise (IoCs), such as suspicious IP addresses, URLs, and file hashes, to detect potential attacks early.
5. Regularly audit systems, networks, and devices for vulnerabilities and misconfigurations that attackers could exploit.

Conclusion

The findings in Cyble’s Sensor Intelligence report highlight the growing sophistication and persistence of cyber threats. Through its AI-powered intelligence, Cyble provides essential insights that help organizations protect their digital assets.

With AI-powered platforms like Cyble Vision and Cyble Hawk, businesses can access real-time threat intelligence, monitor vulnerabilities, and receive automated remediation advice. Cyble’s solutions empower enterprises, governments, and individuals to stay protected from cybercriminals at all times.

The post Cyble’s Latest Sensor Intelligence Report Reveals Surge in Malware, Phishing, and IoT Vulnerabilities appeared first on Cyble.

Blog – Cyble – ​Read More

Welcome to this week’s edition of the Threat Source newsletter. 

The new head of the UK’s National Cyber Security Centre, Richard Horne, recently remarked that there is a “clearly widening gap between, on the one hand, the threat and our exposure to it and, on the other, the defences that are in place to protect us.”

To those of us working in cyber security, the threat is evident. We spend our lives following the actions of threat actors and analysing their new attacks. Our thoughts and actions are rooted in how the threat landscape is evolving. Unfortunately, this is not necessarily the case for those who decide budget allocations.

Nobody wants to suffer a breach, but often security teams are frustrated by competing budget items and the difficulties of explaining complex mitigations to people who may have different priorities and interests.

If keeping informed is one half of the solution to closing the gap, the other is in recognising that we are all human. We’re all trying to do the best that we can with the information that we have available to us. What may be perceived as irrational behaviour to one observer, may be the most obvious course of action to another with a different point of view.

Constantly explaining how threat actors are changing and how attacks are evolving is vital to ensure that organisations can maintain a good security posture. Talking about cyber security to different audiences, using the language and metaphors with which they are familiar are all part of the solution in defeating cyber attacks.

If we are to move to a world free from cyber insecurity we must close the gap between threat and defense. This will take communication and understanding, both to communicate the threat, but also to understand the constraints that decision makers work under. Yet, we also need to express and recognise the effort and sometimes heroic acts of effort that cyber security teams undertake to keep businesses running and free from breaches.

This is all the more true during the holiday period, when many engineers and analysts are monitoring systems or on-call, keeping the systems running and the lights on, so that others can enjoy the festivities. If this is you, then know that we’re thinking of you.

The one big thing 

Hiding the origin and destination of network traffic is vital for the bad guys to cover their tracks and obfuscate their actions. A malicious connection that originates from the same IP space as legitimate employees’ connections is less likely to catch the attention of security teams than one from a distant country. Similarly, exfiltrating data in small chunks to many in-country residential IP addresses is less likely to raise alarms than exfiltrating to a single address.

Cybercriminals are increasingly compromising consumer and IoT devices to build vast networks of proxy systems, enabling them to mask their activities and route malicious traffic through a global pool of hijacked IP addresses.

Why do I care?

Routing malicious traffic through otherwise unsuspicious networks makes identification and attribution of attacks difficult. Owners and operators of compromised systems recruited to act as proxies suffer from reduced performance and the theft of network and CPU resources from their systems.

So now what?

Firstly, ensure that patches are applied, and default or easy to guess credentials are changed to avoid becoming part of the problem. Apply zero-trust principles to authenticate users via MFA in the context of the time and date of the access; importantly verify that the connecting device confirms to policy and is authorised to connect to corporate systems. For full details on how to respond to this threat see the blog post.

Top security headlines of the week 

Presidential Elections in Romania hit by Cyber Campaign

The first round of the presidential election in Romania has been annulled by the country’s constitutional court following claims of a foreign influence campaign to sway the vote, and cyber-attacks targeting electoral data.

(BBC News 1 & 2)

Secure Criminal Chat System “Matrix” Disrupted by Law Enforcement

The Matrix secure communication systems which offered encrypted messaging for criminals has been taken down by law enforcement authorities with millions of messages secured for investigation. This take down follows similar success against other criminal messaging systems such as EncroChat, Sky ECC and Ghost.

(The Register)

Wanted Russian Suspected Ransomware Actor Arrested

Authorities in Russia have arrested Mikhail Matveev, an individual wanted in the US in connection with alleged participation in LockBit, Hive and Babuk ransomware attacks. The broader significance of this arrest in Russia is unclear, although it does indicate that tolerance of the actions cyber criminals located within Russia does have limits.

(SecurityWeek)

Can’t get enough Talos? 

Upcoming events where you can find Talos

Cisco Live EMEA (February 9-14, 2025)

Amsterdam, Netherlands

Most prevalent malware files from Talos telemetry over the past week  

SHA256:9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f 

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

Typical Filename: VID001.exe 

Claimed Product: n/a 

Detection Name: Win.Worm.Bitmin-9847045-0

SHA256:3294df8e416f72225ab1ccf0ed0390134604bc747d60c36fbb8270f96732e341

MD5: b6bc3353a164b35f5b815fc1c429eaab

VirusTotal:

https://www.virustotal.com/gui/file/3294df8e416f72225ab1ccf0ed0390134604bc747d60c36fbb8270f96732e341

Typical Filename: b6bc3353a164b35f5b815fc1c429eaab.msi

Claimed Product: n/a 

Detection Name: Simple_Custom_Detection

SHA256:47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca

MD5: 71fea034b422e4a17ebb06022532fdde

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca

Typical Filename: VID001.exe

Claimed Product: n/a 

Detection Name: Coinminer:MBT.26mw.in14.Talos

SHA256:a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

MD5: 7bdbd180c081fa63ca94f9c22c457376

VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

Typical Filename: img001.exe

Claimed Product: n/a 

Detection Name: Win.Trojan.Miner-9835871-0

SHA256:3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66   

MD5: 8b84d61bf3ffec822e2daf4a3665308c   

VirusTotal: https://www.virustotal.com/gui/file/3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66/

Typical Filename: RemComSvc.exe   

Claimed Product: N/A   

Detection Name: W32.3A2EA65FAE-95.SBX.TG

Cisco Talos Blog – ​Read More

As cybersecurity threats grow more sophisticated, collaboration becomes a cornerstone of effective defense strategies. This is where MISP, an open-source threat intelligence sharing platform, comes into play.  

Recognizing its value, we are excited to announce the launch of our own MISP instance, enabling users to access and use indicators of compromise (IOCs) from ANY.RUN’s Threat Intelligence Feeds. 

What is MISP? 

MISP, which stands for Malware Information Sharing Platform, is a free, open-source platform designed to facilitate the exchange, storage, and correlation of threat intelligence data. MISP lets organizations and researchers: 

• Exchange critical data points to identify cyber threats. 
• Share signals or attributes indicating the compromise of information systems. 
• Automate the process of data sharing and find correlations between threat data. 

Benefits of ANY.RUN’s MISP Instance 

With ANY.RUN’s MISP instance, you can: 

1. Access ANY.RUN’s TI Feeds 

Receive a direct stream of the latest malicious IPs, URLs, domains, ports, file names, and hashes. These are extracted from public malware and phishing samples, including ones not found elsewhere, submitted and analyzed in ANY.RUN’s Interactive Sandbox by security professionals worldwide. IOCs are pulled from different sources, including network activities and malware configurations. 

2. Integrate It with Your Security Tools via API 

Connect your own monitoring and triage tools and systems, such as SIEM/XDR solutions, to ANY.RUN’s MISP instance via API. 

3. Improve Threat Detection  

Correlate and enrich your IOCs with ANY.RUN’s to develop a more comprehensive understanding of the threat landscape. 

4. Generate IDS Rules 

Export indicators (attributes) from ANY.RUN’s MISP instance in NIDS-compatible formats and import them in your detection tools like IDS/IPS or NGFW to improve network security of your organization and ensure proactive defense against current threats. 

5. Create Custom Workflows 

Leverage ANY.RUN’s indicators in your automated threat analysis workflows. 

6. Synchronize MISP Instances 

Synchronize your MISP instance with ANY.RUN’s to get relevant threat data. 

7. Visualize Threat Intelligence Data

Ensure a more convenient view of relevant threats by visualizing ANY.RUN’s TI Feeds data. 

8. Enrich with Your Threat Data 

Add your IOCs to the ones provided by ANY.RUN to gain a better picture of the threats at hand.

How to Integrate with ANY.RUN’s MISP Instance 

To get started with ANY.RUN’s MISP instance, simply contact our team via this page. 

You can test MISP feeds by getting a free demo sample here. 

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

Get a 14-day free trial of ANY.RUN’s Threat Intelligence service →

The post Access and Use ANY.RUN’s TI Feeds via MISP appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

As long as we’ve had the internet, users have tried to obfuscate how and what they are connecting to. In some cases, this is to work around restrictions put in place by governments or a desire to access content that is not otherwise available in a given region.

This is why technologies like VPNs and The Onion Router (TOR) become popular: They allow users to easily access content without exposing their IP address or location. These technologies are intended to protect users and information and have done a good job of doing so. However, adversaries have taken notice and are using proxy networks for malicious activities.

Proxy Chain Services

It is important to distinguish the different proxy chain services, as there are legitimate reasons for some of them to exist. From a privacy/defender point-of-view, they can be split into the following groups:

• VPN and TOR: These services provide the user anonymity, but the defender can, for the most part, determine that it’s receiving requests from these networks. As such, there is no expectation that the origin of the connection is the exact same as the user’s physical location. The user has no control of the path or exit node location. 
• Commercial residential services: These provide anonymity to users, while at the same time allowing them to choose the exit point. These services do not provide any clues to the defender about the nature of the connection. 
• Malicious proxy services: Threat actors use these networks to hide their location and choose their exit node. These are set up to be used by malicious operators from multiple sources. They can take two shapes: The nodes are installed on leased servers from different providers in different regions, or their nodes can be compromised edge devices that bounce connections in chains.

The first group has a clear legitimate use case, and the second has been advertised as a means to measure marketing engagement. However, threat actors can also use them without the bandwidth owner understanding what is at risk. The third case is clear: The networks are built to be rented for distributed denial-of-service (DDoS) attacks or access to be sold so other actors can anonymize their activities.

History

Leveraging proxy networks for malicious purposes was something we first stumbled on with our research into Honeygain. This was one of the first times we saw technologies like proxyware being abused maliciously. 

Proxyware is a type of technology that uses agents installed by users to act as proxies for other users. The users installing these agents are typically compensated for adding their node to the proxy network. Criminals stumbled upon this quickly and began to weaponize and monetize it, allowing them to benefit from the anonymity these technologies provide since it traces back to a random computer in a random location. At the time, the focus was purely criminal in nature, but state-sponsored groups have been leveraging TOR and VPNs for decades to launch their attacks, typically dropping out of a VPN near the target.

State-sponsored groups also realize that TOR and VPNs have limitations and could potentially expose their operations, so they needed something more opaque and less traceable. Enter VPNFilter.

VPNFilter was the first large-scale proxy network leveraged by state-sponsored actors, in this case Russia. This completely changed how proxy networks were operated and would set the tradecraft for state-sponsored proxy networks for the next several years. The most unique aspect of VPNFilter was the targeting: small office and home office (SOHO) routers. 

The network was made up of SOHO routers that were being compromised with malicious firmware providing a variety of capabilities, including interception and proxy capabilities. 

This was also a fairly significant botnet, consisting of some 500,000 devices that created a massive network from which to launch attacks without repercussions. Fortunately, we worked with affected vendors, and they resolved many of the issues that were being exploited, both vulnerability and otherwise. 

This wasn’t the last time we saw Russian-aligned actors leveraging these types of botnets. A few years later, Cyclops Blink was uncovered. Another Russian actor controlled a proxy network that again primarily consisted of consumer devices. 

The targeting of consumer devices for this type of activity has become the focus of state-sponsored groups’ foray into this space. They also make excellent targets, since many users leave default configurations in place and rarely think to update their devices. Fortunately, post-VPNFilter, many vendors have switched to automatic updates, allowing for more frequent patching. This has resulted in state-sponsored groups widening their targeting. 

Today, we see not just SOHO routers, but also NAS and a variety of IoT devices being targeted and added to these networks. This problem has just gotten worse in the past several years.

State of the Art

As recently as September, the FBI took down a botnet associated with Chinese hacking activities. This was just the latest in a spate of attacks originating from proxy networks. This activity has been largely associated with Volt Typhoon by the U.S. Government, with a broader attribution of China-linked activities in the recent FBI takedown.

Currently, there are several proxy-based networks, with a focus on SOHO devices (e.g., routers, NAS, etc.) and a variety of IoT components (e.g., security cameras) being compromised and added to a botnet that, in some ways, mirrors Mirai botnet activities. 

The basic operating model for these botnets is that they are peer-to-peer, meaning there is no discernable routing. This model provides a sophisticated network of devices to obfuscate the true origin of an attack, and in many circumstances, allows the attacker to appear in close proximity to the victim, including coming from geographically adjacent residential networks. 

The attacks originating from these networks have been tied to espionage and the targeting of critical infrastructure in the U.S. and globally. Most countries are concerned with this escalation, and it has the attention of the majority of vendors in this space. 

These networks have also grown with staggering efficiency, with new nodes being added constantly as other nodes fall off and need to be compromised again. Based on reporting, the majority of these infections are using N-Day vulnerabilities or weak credentials to gain access, something we’ve seen repeatedly out of botnets like Mirai for the last decade. The major difference is that Mirai is used to conduct DDoS attacks, and the new iterations are being used to launch state-sponsored attacks with anonymity.

Network Resiliency Coalition

The repeated use of N-Day vulnerabilities and weak credentials ties into the work that Cisco has been doing for some time related to old and outdated networking equipment and the risks they introduce. The Network Resiliency Coalition is one of the projects aimed at trying to resolve this difficult problem. Anonymization networks’ reliance on networking equipment, specifically exploiting known vulnerabilities, adds more weight to the importance of this effort. By working with industry peers, Cisco is trying to help remove many of the systems that are being abused in these attacks by working with vendors to ensure proper patching is provided to mitigate these known vulnerabilities, in a timely manner.  

More projects like this that encompass the IoT industry and the non-edge SOHO appliances like NAS devices would also have a contribution to the fight against anonymization networks. This combined with better credential management, most notably ensuring that default credentials are complex and unique, could make a huge impact on how successful these networks are in continuing to grow. Vendors are working to try and resolve some of these weaknesses, but it also is paramount for defenders to take note.

Impact on Defenders

This continued focus by state-sponsored groups to leverage these networks presents problems for defenders. Attacks from these groups are likely to be coming from residential networks, potentially even from residential networks in the same cities and countries as your organization operates, making identification and attribution increasingly difficult. 

Organizations need to realize that attacks can come from anywhere, even the same IP space that your employees connect to their VPNs, so plan accordingly. 

This is further complicated by the increased focus by state-sponsored groups on the use of legitimate credentials. If you have a connection coming from the same IP space as your employees, using legitimate credentials organizations have little hope to stop it. This is where the increased focus on identity comes into play — organizations need to start taking additional steps to be able to distinguish between the illegitimate and legitimate use of credentials, and that ties back to behavior. 

Increasingly, organizations should be looking at users’ behavior when it comes to connections.

• Are they using their typical device type? (e.g., Windows desktop/MacOS laptop)
• Are they logging on during their typical hours? (e.g., 9-5 M-F)
• Are there other managed devices in proximity?
• Are they using their managed device?

This last point is a critical one. For organizations particularly concerned with credential abuse, managed device access restriction may be the best option. 

This ensures that only managed devices can connect to corporate VPNs through technologies like certificates. 

The downside to this approach is that it’s expensive, and for many organizations not practical, but for those with the budgets and the concern, it’s a needed escalation beyond just multi-factor authentication (MFA). 

You may have noticed we haven’t mentioned MFA until now. But that’s because in 2024, it’s assumed you’ve already rolled out MFA for medium to large enterprises. It is no longer an optional security feature. 

Defenders need to adjust for the state-sponsored threats they will be facing in 2024 and beyond. This means adding more identity capabilities in the near term and looking at additional security protections like managed device-only access in the future.

Cisco Talos Blog – ​Read More