Water Barghest, a sophisticated cybercriminal group, has been actively exploiting vulnerabilities in Internet of Things (IoT) devices to establish a profitable proxy botnet. By October 2024, the group had successfully compromised over 20,000 IoT devices, leveraging automated scripts to locate vulnerable devices through public internet scan databases like Shodan. Once these devices are identified, Water Barghest deploys Ngioweb malware, which runs in memory and registers the infected devices as proxies. The entire operation, from identifying a vulnerable device to monetizing it as a proxy, takes as little as 10 minutes, highlighting the group’s automation and efficiency.
The group’s operations are largely automated, allowing them to scale their botnet and continue generating income with minimal human intervention. After identifying and exploiting a vulnerable IoT device, Water Barghest uses a set of data-center IPs to execute exploits and infect the target device. The malware then connects to a command-and-control server, receives instructions, and registers the compromised device as a residential proxy. This process is designed for rapid deployment, ensuring that Water Barghest can quickly turn compromised devices into income-generating assets.
Water Barghest’s success in maintaining a steady income from this botnet is due in large part to the high level of automation they have implemented. Using 17 virtual private servers (VPS), the group continuously scans for vulnerabilities in routers and IoT devices, uploads the Ngioweb malware, and keeps the botnet operational. This model has allowed Water Barghest to sustain its operations over several years, remaining under the radar of security researchers and law enforcement while steadily profiting from its activities.
The group’s careful operational security has kept them out of the limelight, but a few missteps have recently brought attention to their activities. One notable error was the use of a zero-day vulnerability in Cisco IOS XE devices in October 2023, which affected thousands of routers. This exploit triggered security industry interest, ultimately leading to the discovery of Water Barghest’s botnet infrastructure. Despite this slip-up, the group’s ability to exploit IoT vulnerabilities and automate the monetization process remains a potent threat to the cybersecurity landscape.
