CenturyLink Discover New Phase of TheMoon IoT Botnet Targeting ISPs

CenturyLink threat researchers found a new module of IoT botnet “TheMoon,” which targets vulnerabilities in routers within broadband networks. This previously undocumented module allows the botnet to be leveraged as a service by other attackers. CenturyLink Threat Research Labs first came across the modular botnet when its team discovered several IoT devices performing credential brute force attacks on multiple websites, according to a report about TheMoon. Mike Benjamin, head of CenturyLink’s Threat Research Lab, said they witnessed multiple credential stuffing victims while they were monitoring the botnet. He doesn’t want to name the victims, but said “account credentials were successfully used through TheMoon’s proxy environment to access multiple consumer brand websites.” The research comes as botnets are on the rise — IoT botnet activity represented 78 percent of malware detection events in communication service provider networks in 2018, according to Nokia’s most recent threat report. And these types of attacks will likely become even worse in 2019.