general · BleepingComputer
Google and law enforcement, including the FBI, disrupted NetNut (also known as Popa), a residential proxy botnet estimated to control at least two million compromised devices globally, including smart TVs and streaming boxes. The network was powered by trojanized applications and botnets such as Badbox 2.0 that packaged proxy plugins. According to Google's Threat Intelligence Group, the botnet was used by hundreds of threat actors, including cybercriminal and espionage groups, to conceal malicious traffic by routing it through victims' residential IP addresses. The FBI seized the domain netnut.com and other associated domains. Google disabled command-and-control accounts and services on its infrastructure used by NetNut operators and disabled infected applications through Google Play Protect on Android devices.
Organizations handling connected devices and IoT deployments should recognize that compromised residential proxies enable attackers to obscure infrastructure reconnaissance, credential attacks, and lateral movement—tactics directly relevant to supply-chain and network-segmentation controls under CMMC, NIST 800-171, and SOC2 audits. Defense contractors and SaaS providers managing external-facing services should review whether residential proxy traffic has been involved in password-spraying or unauthorized access attempts against their own environments. Healthcare and fintech organizations subject to HIPAA and PCI DSS should audit logs for suspicious outbound patterns or unusual IP geolocation shifts that could indicate compromised intermediaries. An Omniware engagement can scope detection rules, network monitoring baselines, and incident response procedures to identify and respond to such proxy-based threats.
Source: BleepingComputer - https://www.bleepingcomputer.com/news/security/netnut-proxy-network-disrupted-2-million-infected-devices-cut-off/
Source: BleepingComputer
All briefings