IPIDEA, one of the largest residential proxy networks used by threat actors, was disrupted earlier this week by Google Threat Intelligence Group (GTIG) in collaboration with industry partners.
The action included taking down domains associated with IPIDEA services, infected-device management, and proxy traffic routing. Additionally, intelligence has been shared on the IPIDEA software development kits (SDKs) that distributed the proxying tool.
The operators of IPIDEA advertised it as a VPN service that "encrypts your online traffic and hides your real IP address," used by 6.7 million users worldwide.
Residential proxy networks route traffic through the IP addresses of home users or small businesses after compromising devices on those networks. Typically, the infection occurs through trojanized apps and software posing as useful utilities.
In a court letter, Google explains that threat actors use residential proxies in various malicious activities, such as account takeovers, fake account creation, credential theft, and sensitive information exfiltration.
"By routing traffic through an array of consumer devices all over the world, attackers can mask their malicious activity by hijacking these IP addresses. This generates significant challenges for network defenders to detect and block malicious activities," Google says in a report today.
In the case of IPIDEA, GTIG observed a range of malicious activity, with more than 550 distinct threat groups using its exit nodes in a single week, including actors from China, Iran, Russia, and North Korea.
The observed activities included access to victim SaaS platforms, password spraying, botnet control, and infrastructure obfuscation. Previously, Cisco Talos linked IPIDEA to large-scale brute-forcing attacks targeting VPN and SSH services.
IPIDEA infrastructure also supported record-breaking DDoS botnets such as Aisuru and Kimwolf.
Google says IPIDEA enrolled devices using at least 600 trojanized Android apps that embedded proxying SDKs (Packet SDK, Castar SDK, Hex SDK, Earn SDK), and over 3,000 trojanized Windows binaries posing as OneDriveSync or Windows Update.