“Water Barghest” Botnet Hijacks 20,000 IoT Devices for Profit

Trend Micro researchers have unveiled the operations of a sophisticated botnet, dubbed “Water Barghest.” By October 2024, this threat actor had compromised over 20,000 IoT devices, leveraging them to establish a highly automated and monetized network of residential proxies.

Water Barghest’s approach exemplifies the evolving sophistication of botnets. By exploiting known vulnerabilities, the group rapidly transforms compromised devices into lucrative assets for residential proxy marketplaces. According to the Trend Micro report: “The monetization process, from initial infection to the availability of the device as a proxy on a residential proxy marketplace, can take as little as 10 minutes, indicating a highly efficient and automated operation.”

Using public internet scan databases such as Shodan, Water Barghest pinpoints vulnerable devices. A successful exploit is followed by deployment of the Ngioweb malware, a stealthy, memory-resident agent that registers the compromised device with command-and-control (C&C) servers.

Automation by Water Barghest: from using IoT exploits to monetizing IoT bots on a residential proxy marketplace | Image: Trend Micro

Water Barghest’s operations span the entire lifecycle of exploitation. While most of the vulnerabilities it leverages are well known, the group has also shown the capacity to exploit zero-day vulnerabilities, such as a widely publicized Cisco IOS XE flaw in 2023. That move brought unwelcome attention, as researchers linked the activity to Water Barghest’s infrastructure. “This makes it very plausible that it was the Water Barghest group who had used the Cisco IOS XE device zero-day in October 2023,” researchers note.

Once a device is compromised, the malware tests the device’s connectivity and bandwidth to determine its market value. Within minutes, the device’s IP address appears on a residential proxy marketplace, available for cybercriminal use in activities ranging from data scraping to launching anonymized attacks.
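A device that has been turned into a residential proxy stops looking like an appliance on the network: instead of talking to a few vendor endpoints, it relays client traffic to many unrelated web hosts. The following Python is an added defensive example, not code from the article or the Trend Micro report; the flow records, the fan-out threshold and the RFC 1918 internal ranges are constructed assumptions, and the heuristic flags any device whose distinct external web destinations exceed that baseline.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not from the report): one outbound connection per
# line, "device_ip dst_ip dst_port bytes_out". 192.168.1.20 is a camera doing
# its normal vendor-cloud and NTP traffic; 192.168.1.31 models a device that
# has started relaying client traffic to many unrelated web hosts.
SAMPLE_FLOWS = """\
192.168.1.20 203.0.113.10 443 1200
192.168.1.20 203.0.113.11 123 76
192.168.1.31 192.168.1.1 80 300
192.168.1.31 198.51.100.7 443 4200
192.168.1.31 198.51.100.8 443 3900
192.168.1.31 198.51.100.9 80 2100
192.168.1.31 198.51.100.10 443 5100
192.168.1.31 198.51.100.11 443 1800
192.168.1.31 203.0.113.50 8080 2600
"""

# Assumed thresholds, not taken from the report: an IoT device normally talks
# to a handful of vendor endpoints, so fan-out to many distinct web hosts in
# one observation window is the signal worth reviewing.
MAX_DISTINCT_WEB_HOSTS = 5
WEB_PORTS = {80, 443, 8080}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    """True for RFC 1918 addresses; everything else counts as the open internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_flows(text):
    """Turn the whitespace-separated records into (device, dst, port, bytes) tuples."""
    flows = []
    for line in text.strip().splitlines():
        device, dst, port, nbytes = line.split()
        flows.append((device, dst, int(port), int(nbytes)))
    return flows

def proxy_suspects(flows, max_hosts=MAX_DISTINCT_WEB_HOSTS):
    """Map each device to its distinct external web destinations, keeping only
    devices whose fan-out exceeds max_hosts (the relay-like traffic shape)."""
    hosts = defaultdict(set)
    for device, dst, port, _ in flows:
        if port in WEB_PORTS and not is_internal(dst):
            hosts[device].add(dst)
    return {d: sorted(h) for d, h in hosts.items() if len(h) > max_hosts}
```

Run against real flow exports, the baseline should be derived per device class from a quiet period rather than fixed, and hits should be confirmed by checking whether the device also accepts inbound connections from the internet.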

Proxy botnets like Water Barghest serve as anonymization layers for both espionage-driven and financially motivated threat actors. They offer geolocated IP addresses ideal for bypassing restrictions, accessing compromised accounts, or staging cyberattacks. Historically, similar botnets, such as VPNFilter and Cyclops Blink, have been deployed by advanced persistent threat (APT) groups, with the FBI successfully disrupting these networks in 2018 and 2022.

The Trend Micro report underscores a growing challenge: “We expect that both the commercial market for residential proxy services and the underground market of proxies will grow in the coming years, because the demand from APT actors and cybercriminal actor groups is high.”

The Water Barghest botnet’s high level of automation, combined with the rapid monetization of infected devices, highlights the critical need for IoT security. Enterprises and individuals alike must minimize exposure to incoming internet connections, update device firmware regularly, and apply strong access controls.

The research concludes on a cautionary note: “Securing IoT devices is of paramount importance, and whenever possible, these devices should not be exposed to incoming connections from the open internet.”