FBI seizes NetNut domain with Google's help after links found to Popa botnet

The Federal Bureau of Investigation (FBI) just took serious action against hundreds of domains associated with a residential proxy service called NetNut, which is operated by Israeli company Alarum Technologies. It comes after multiple security firms found a connection between NetNut and the Popa botnet, with more than two million devices being compromised by malicious software.

Following the action by the FBI, NetNut’s homepage was replaced with a seizure notice from the FBI and the Internal Revenue Service Criminal Investigation division. The notice also carries the logos of Google, Lumen, and Shadowserver, who helped the FBI take down domains tied to the Popa botnet.

According to the Google Threat Intelligence Group (GTIG), the NetNut proxy network was being resold and white-labeled by other proxy providers. Cybercriminals would use these services to hide the source of their malicious traffic.

GTIG said that malicious actors used NetNut to hide their IP addresses when entering victims’ environments, accessing their own infrastructure, or conducting password spray attacks. It also said that when a consumer device becomes an exit node, unauthorized network traffic passes through it, allowing bad actors to access other private devices on the same home networks and exposing them to internet threats.

Google helped the FBI by disabling Google accounts and services used by NetNut for malware command-and-control. It also shared technical intelligence that it had about NetNut’s software development kits and backend infrastructure. Google also disables apps that bundle NetNut’s SDKs.

Alarum Technologies, a publicly traded company that owns NetNut, said that it knows about the seizure and is working with investigators to ensure those who misused its infrastructure are “thoroughly investigated, and those responsible are held to account.”

One major vector for the Popa botnet to affect your devices is dodgy no-name TV streaming boxes. Google recommends sticking to name brands from reputable manufacturers and then being careful about what apps you install. It also says that you should check if your TV box uses the official Android TV OS and has Play Protect certification.

Source: KrebsOnSecurity

Report a problem with article
Next Article

Fedora 45 could get Shadow Stack support to prevent ROP attacks

Previous Article

Meta is working on a social media app for vibe-coded games