CP
cyberpings
Threat IntelHIGH

Residential Proxies - Evaded IP Reputation Checks in 78% of Sessions

Featured image for Residential Proxies - Evaded IP Reputation Checks in 78% of Sessions
BCBleepingComputer
GreyNoiseresidential proxiesIP reputationmalicious trafficIoT botnets
🎯

Basically, residential proxies are making it hard to tell attackers from regular users online.

Quick Summary

A new study reveals that residential proxies evade IP reputation checks in 78% of cases, complicating cybersecurity efforts. This issue affects many organizations, making them vulnerable to attacks. Experts recommend focusing on behavioral patterns for better defense strategies.

What Happened

Researchers from GreyNoise have uncovered a troubling trend: residential proxies used to route malicious traffic are evading IP reputation checks in 78% of analyzed sessions. This revelation comes from a study examining 4 billion sessions over a three-month period, highlighting a significant challenge for cybersecurity defenses.

Who's Affected

The findings indicate that 39% of the sessions appear to originate from home networks, likely due to the use of residential proxies. These proxies complicate the ability of IP reputation systems to distinguish between legitimate users and attackers, making it difficult for organizations to protect themselves effectively.

What Data Was Exposed

The research reveals that 89.7% of residential IPs involved in malicious activities are active for less than a month. Only a small fraction manage to persist longer, often specializing in specific types of attacks. The data shows that most residential IPs are used only once or twice before being rotated out, making them nearly invisible to traditional detection methods.

What You Should Do

To combat this evolving threat, experts recommend shifting focus from relying solely on IP reputation to analyzing behavioral patterns. Here are some suggested actions:

  • Detect sequential probing from rotating residential IPs.
  • Block clearly illegitimate protocols, such as SMB, in ISP spaces.
  • Implement tracking of device fingerprints that can survive IP changes.

The Threat

The study highlights that residential proxies are primarily sourced from IoT botnets and infected computers. The proxies often originate from SDKs in free VPNs and ad blockers, which can inadvertently enroll user devices into bandwidth-selling schemes. This creates a complex ecosystem that attackers exploit.

Who's Behind It

Major contributors to this proxy traffic include countries like China, India, and Brazil. The traffic patterns follow human behavior, dropping significantly at night when most users turn off their devices. This human-like traffic behavior helps attackers evade detection.

Tactics & Techniques

Attackers utilize these residential proxies mainly for network scanning and reconnaissance, with only a tiny fraction involved in direct exploits. This tactic of using residential IPs adds a layer of stealth to their operations, allowing them to blend in with legitimate traffic.

Defensive Measures

Given the resilience of residential proxy networks, as evidenced by the recent disruption of IPIDEA, organizations must adapt their strategies. Even after significant disruptions, demand for proxies remains high, with other networks quickly filling the gap. Cybersecurity teams should prioritize behavioral analysis and adapt their defenses accordingly to stay ahead of these evolving tactics.

🔒 Pro insight: The reliance on IP reputation is outdated; organizations must pivot to behavior-based detection to counteract the stealth of residential proxies.

Original article from

BCBleepingComputer· Bill Toulas
Read Full Article

Share

Related Pings

HIGHThreat Intel

US-Iran War - Risks of Attacking Nuclear Sites Explained

The US-Iran conflict escalates with airstrikes on nuclear sites. While no radiation leaks are reported, the risk of safety system failures could lead to catastrophic contamination across the Gulf. Experts warn of the potential environmental and public health impacts if critical systems are compromised.

Wired Security·
HIGHThreat Intel

PHP Webshells - Cookie-Controlled Tactics in Linux Hosting

Hackers are using HTTP cookies to control PHP webshells in Linux hosting environments. This stealthy tactic reduces detection risks, posing significant threats to users. Enhanced security measures are crucial to combat this evolving threat.

Microsoft Security Blog·
HIGHThreat Intel

AI Cyberattacks - Threat Actor Abuse Accelerates Rapidly

AI is transforming cyberattacks, with threat actors achieving a 450% increase in phishing effectiveness. Organizations must adapt to this evolving landscape to safeguard their data. Microsoft is actively disrupting these operations to protect users.

Microsoft Security Blog·
HIGHThreat Intel

BPFDoor Variants Discovered - Rapid7 Research Unveils Threats

New research from Rapid7 reveals seven stealthy BPFDoor variants. These variants enhance operational security for APTs and pose significant risks to telecom infrastructures. Organizations must adapt their defenses to counter these evolving threats.

Rapid7 Blog·
HIGHThreat Intel

Software Supply Chain Hacks - Wave of Data Theft Unleashed

A series of software supply chain attacks linked to North Korean hackers has triggered significant data theft. Organizations worldwide are affected, raising concerns about future intrusions and ransomware threats. Immediate action is needed to safeguard sensitive information.

Help Net Security·
HIGHThreat Intel

NCSC Issues Security Alert Over WhatsApp and Signal Hacks

The NCSC has alerted the public about rising attacks on WhatsApp and Signal accounts, primarily targeting high-risk individuals. Russian hackers are linked to these incidents, raising significant security concerns. It's crucial to stay informed and adopt protective measures to safeguard sensitive information.

Infosecurity Magazine·