Kimwolf Botnet Exploits Proxy Networks to Infect Millions of Devices

The Kimwolf botnet has infected over two million devices globally by exploiting a critical vulnerability in residential proxy networks, allowing attackers to bypass home and corporate firewalls. These proxy networks consist of devices—often compromised by bundled malware—that forward internet traffic for paying customers. Kimwolf's operators discovered that by manipulating DNS settings, they could send requests through these proxies directly to devices on the internal networks of the proxy endpoints.

The botnet primarily targets insecure, unofficial Android TV boxes and digital photo frames, many of which are pre-infected with proxy malware or have critical diagnostic tools like Android Debug Bridge (ADB) enabled by default. This allows for unauthenticated remote access. Security researcher Benjamin Brundage traced the campaign's rapid growth to the abuse of IPIDEA, the world's largest residential proxy network, which inadvertently allowed traffic to tunnel back into local area networks.

Once inside a local network, the malware automatically scans for and compromises vulnerable devices, turning them into bots for DDoS attacks, ad fraud, and data theft. Although IPIDEA has since patched the vulnerability, the incident reveals a systemic threat: seemingly harmless devices on a home network can become gateways for large-scale attacks. Consumers are advised to avoid unofficial streaming devices and isolate guest devices on separate networks to limit their exposure.
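The proxy-side fix the article alludes to comes down to one rule: an exit node must never relay a request to an address inside its own network. The following Python is an added example, not code from the article or from IPIDEA; it shows the destination check such an exit would apply before forwarding. It resolves the requested host, refuses any answer that falls in a private, loopback, link-local, CGNAT or otherwise non-global range (including IPv4-mapped IPv6 forms such as `::ffff:192.168.0.5`), and hands the vetted addresses back so the dialer connects to exactly what was checked rather than re-resolving the name. The hostnames and DNS answers are constructed for an offline demonstration, and the resolver interface is an assumption.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# A resolver maps a hostname to every address the proxy might connect to.
# (Interface is an assumption for this example; a real exit would plug in its
# own resolver so the same answers are used for vetting and for dialing.)
Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve with the OS resolver, returning all A/AAAA answers, de-duplicated."""
    answers: List[str] = []
    for info in socket.getaddrinfo(host, None):
        addr = info[4][0]
        if addr not in answers:
            answers.append(addr)
    return answers


def is_internal_address(addr: str) -> bool:
    """True if a relayed connection to `addr` would land on the exit's LAN, on the
    exit host itself, or in any other non-global range instead of the public internet."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:192.168.0.5 is still 192.168.0.5 on the wire; unwrap before classifying.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for RFC 1918, loopback, link-local (incl. 169.254.169.254),
    # CGNAT 100.64.0.0/10, documentation and reserved ranges. Multicast is checked
    # separately because ipaddress does not treat it as non-global.
    return (not ip.is_global) or ip.is_multicast


def check_proxy_destination(host: str, resolver: Resolver = system_resolver
                            ) -> Tuple[bool, List[str], str]:
    """Decide whether an exit node may relay a request to `host`.

    Returns (allowed, vetted_addresses, reason). Every answer must be global:
    a single internal record, e.g. a round-robin mix of a public IP and
    192.168.1.1, vetoes the whole request. On success the caller must dial one
    of the returned addresses rather than resolving `host` a second time."""
    literal = host.strip("[]")
    try:
        ipaddress.ip_address(literal)
        answers = [literal]           # IP literal: nothing to resolve
    except ValueError:
        try:
            answers = resolver(host)
        except OSError as exc:        # socket.gaierror is a subclass of OSError
            return False, [], f"{host}: resolution failed ({exc})"
    if not answers:
        return False, [], f"{host}: no addresses"
    for addr in answers:
        if is_internal_address(addr):
            return False, [], f"{host}: refused, resolves to internal address {addr}"
    return True, answers, f"{host}: ok -> {', '.join(answers)}"


# Constructed DNS answers for an offline demo. Hostnames and records are invented;
# the two public addresses are well-known resolver IPs used only as stand-ins.
SAMPLE_DNS: Dict[str, List[str]] = {
    "cdn.example":    ["8.8.8.8", "1.1.1.1"],        # ordinary public site
    "tvbox.example":  ["10.0.0.23"],                 # record aimed at a LAN device
    "mixed.example":  ["8.8.8.8", "192.168.1.1"],    # public answer plus home router
    "meta.example":   ["169.254.169.254"],           # link-local metadata endpoint
    "mapped.example": ["::ffff:192.168.0.5"],        # LAN address hidden in IPv6 form
}


def sample_resolver(host: str) -> List[str]:
    """Offline stand-in for system_resolver, backed by SAMPLE_DNS."""
    if host not in SAMPLE_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return list(SAMPLE_DNS[host])


if __name__ == "__main__":
    for name in list(SAMPLE_DNS) + ["127.0.0.1", "[::1]", "missing.example"]:
        allowed, _, reason = check_proxy_destination(name, sample_resolver)
        print("ALLOW " if allowed else "DENY  ", reason)
```

Two design points matter in practice. First, the vetoing is all-or-nothing across every resolved address, because an attacker who controls a zone can return a public address alongside a private one and let the client fall through to the private one. Second, returning the vetted addresses closes the time-of-check/time-of-use gap: if the proxy resolved the name again at connect time, a short-TTL record could be swapped for an internal address between the check and the dial.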
