Russian Botnet RSOCKS and the Dangers of Unsecured IoT

A joint law enforcement operation by the US, UK, Germany, and the Netherlands has taken down the infrastructure of a large Russian botnet. The botnet, known as RSOCKS, is estimated to have comprised millions of hacked IoT devices worldwide over its lifetime.

Instead of targeting desktop machines with commodity malware, the operators behind RSOCKS changed tactics and went after Internet of Things (IoT) devices first. IoT devices are an ideal target, due in part to their poor security and to how little visibility end users have into what they are doing. The RSOCKS botnet is the latest in a trend of botnets actively targeting the IoT landscape.


If a machine is infected with commodity malware, it has most likely been enrolled in a botnet. Cybercrime has become big business, and anyone interested in making money illegally can run a botnet regardless of skill level. Botnet operators often resell access to their hacked machines, which leads to additional infections and further compromise of the affected system or network. This kind of black market proxy-selling operation is typically used for credit card fraud, for spam, and to hide the true origin of more targeted attacks.

RSOCKS advertised itself as an IP proxy service offering legitimate IP addresses from internet service providers (ISPs). In reality, the addresses it sold belonged to IoT devices compromised by the botnet. The service let its customers hide their own IP addresses behind those devices when conducting illicit activity.

For RSOCKS, proxies were sold in packages. These ranged from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies, with each proxy being a compromised IoT device. Through undercover purchases of proxy access, the FBI identified approximately 325,000 compromised devices worldwide.


As antivirus vendors become more sophisticated, malware authors face a problem. Malware is being detected more quickly, and the lifetime of a bot's connection to its botnet is now measured in days rather than months or years. For RSOCKS and others in their black market industry, this rapid detection is bad for business. A service like RSOCKS exists to give its customers non-attributable proxy connections through hacked machines, to facilitate illegal activity such as credit card fraud or spam. For that use case, machines dropping out after being detected is bad for both the operator and the customer. So where is a malware author to turn?

What if there were a platform running on most victims' networks that had unrestricted access to the internet, often no firewall inspecting its traffic, no antivirus that could run on it, and almost no visibility for the end user? Enter IoT devices, the next great botnet target.

IoT devices give attackers a treasure trove of ways into an internal network, which makes them an appealing botnet target. These smart devices carry extensive security weaknesses: reused default credentials, no visibility into what they are doing, no defensive tooling that can run on them, and, on the vendor side, frequently no secure development lifecycle (SDLC) behind the firmware at all.

For IoT devices, the main infection vector is brute-forcing default or manufacturer-set credentials over exposed management services such as Telnet and SSH. Few people are aware that their DVR has an SSH server running with admin:admin as the login for a root-privileged account. That is, until their ISP contacts them about a DDoS attack on a game or website that their device took part in. These issues are hard to mitigate at the device level, particularly for consumer appliances: the manufacturer reasons that no end user needs to SSH into their coffee machine as root, so the service and its credentials are never exposed in the product's user interface. That convention often leaves users with no way to change, or even see, the default passwords for system services.
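A device with no antivirus still leaves one trace of this attack: its SSH daemon's own auth log. The following Python script is an added example, not code from the original post or from the RSOCKS investigation. It parses OpenSSH-style syslog lines, keeps a sliding window of failed logins per source address, and raises a separate alert for the outcome described above, a password login accepted from a source that was already brute-forcing. The log lines are constructed for this example (the hostname "dvr", the usernames and the documentation-range addresses are made up), the year 2022 is assumed because classic syslog timestamps carry none, and the five-failures-in-sixty-seconds threshold is an assumed tuning rather than a standard.

```python
"""Spot SSH password brute-forcing against an embedded device from its auth
log, and flag the outcome the post describes: a source that eventually logs
in after a run of failures, i.e. the default credential was found."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Syslog-style OpenSSH lines as a DVR or router might emit them.
# Constructed sample data for this example: the hostname "dvr", the
# addresses (RFC 5737 documentation ranges) and the usernames are made up.
SAMPLE_LOG = """\
Jun 16 02:11:03 dvr sshd[812]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun 16 02:11:04 dvr sshd[812]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jun 16 02:11:05 dvr sshd[814]: Failed password for invalid user ubnt from 203.0.113.7 port 51025 ssh2
Jun 16 02:11:06 dvr sshd[815]: Failed password for admin from 203.0.113.7 port 51026 ssh2
Jun 16 02:11:07 dvr sshd[816]: Failed password for root from 203.0.113.7 port 51027 ssh2
Jun 16 02:11:08 dvr sshd[817]: Failed password for root from 203.0.113.7 port 51028 ssh2
Jun 16 02:11:09 dvr sshd[819]: Accepted password for root from 203.0.113.7 port 51030 ssh2
Jun 16 02:13:44 dvr sshd[830]: Failed password for admin from 198.51.100.20 port 40010 ssh2
Jun 16 02:13:50 dvr sshd[831]: Failed password for admin from 198.51.100.20 port 40011 ssh2
Jun 16 02:15:01 dvr CRON[840]: (root) CMD (/usr/sbin/watchdog)
Jun 16 03:00:01 dvr sshd[845]: Accepted publickey for ops from 192.0.2.10 port 33000 ssh2
"""

# Matches the sshd "Accepted"/"Failed" auth lines; anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2022):
    """Return a dict for an sshd auth event, or None for any other line.
    Classic syslog timestamps carry no year, so the caller supplies one
    (2022 is an assumption for the sample data)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "src": m["src"]}


def detect(lines, threshold=5, window=timedelta(seconds=60), year=2022):
    """Walk the log once, keeping a sliding window of recent failures per
    source address.

    Returns (flagged, compromised):
      flagged     - {src: total failed logins} for sources that produced at
                    least `threshold` failures inside `window`
      compromised - [(src, user), ...] for every password login accepted
                    from a source that had already been flagged
    The 5-failures-in-60-seconds default is an assumed tuning, not a standard."""
    recent = defaultdict(deque)   # src -> timestamps of failures inside window
    failures = defaultdict(int)   # src -> total failures seen
    flagged = {}
    compromised = []
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "Failed":
            failures[src] += 1
            q = recent[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                flagged[src] = failures[src]
        elif ev["method"] == "password" and src in flagged:
            # Brute force followed by success: the guessed credential worked.
            compromised.append((src, ev["user"]))
    return flagged, compromised


if __name__ == "__main__":
    flagged, compromised = detect(SAMPLE_LOG.splitlines())
    for src, count in flagged.items():
        print(f"brute force from {src}: {count} failed logins")
    for src, user in compromised:
        print(f"ALERT: {src} logged in as {user} after brute forcing")
```

On the sample data the script flags 203.0.113.7 after its sixth failure and then raises the alert for the accepted root login from the same address; the two failures from 198.51.100.20 stay below the threshold, and the key-based login from the operations host is never counted. On a real device the same logic applies to Telnet as long as the daemon logs per-attempt failures; the catch, as the post notes, is that most appliances give the owner no way to read these logs in the first place.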


Assuming a compromised device sits on your internal network somehow, how secure is your internal infrastructure? Your external attack surface may be incredibly well locked down, but once inside the network, things tend to change. There is an assumed level of trust on the inside.

A fancy edge firewall or email gateway with "AI" phishing protection will likely stop attackers from phishing employees, and an expensive, brand new XDR solution will likely stop attackers from compromising employee endpoints. But what if the cracks are elsewhere, in, say, unmanaged devices?

Who is updating that internal Jenkins server? Who is updating that internal kanban app an employee set up two years ago, connected to your SSO, and that every employee now uses? What about the internal portal for resetting employee passwords that was written in 2008 and is still vulnerable to SQL injection?

The only real options are to put smart devices behind a firewall that blocks SSH and Telnet from the internet, ideally on a segment of their own, or to go full zero trust. Is this ideal from a security perspective? Not entirely. An attacker who compromises an employee endpoint could still pivot to an IoT device on the same network and launch attacks from there, and could keep that foothold even after the endpoint compromise has been detected and cleaned up. The majority of "smart" appliances will never offer more than the bare minimum security by default.

It is worth noting that while RSOCKS did not actually sell access to internal networks, the initial access vector it used is still viable for other attackers. RSOCKS has been taken down, but others will surely take its place. Embedded systems exposed to the internet now see brute-force attempts by the hundreds of thousands, mostly from script kiddies trying to grow their botnets. It is not exactly a stretch for criminals to sell access to compromised systems if there is money to be made.


The RSOCKS botnet is just the latest example of attackers evolving, and it is far from an isolated incident. As attackers evolve, security standards are unfortunately falling behind. Most organizations still see security as something done once to satisfy auditors and then forgotten about until the next audit or major breach. That would be easier, but in reality security is a constantly changing landscape. Attackers are moving the playing field from compromised employee endpoints to compromised routers and IoT devices, where visibility is almost nonexistent. Our vigilance must move with them. As the attackers evolve, so too must the defenders.
