CVSS 9.8 CRITICAL
This incident is rated CRITICAL due to the wide scale of compromised devices and the severity of crimes facilitated by this proxy service. Real-world exploitability is high as evidenced by extensive criminal activity. Patches exist for some vulnerabilities, but many systems may remain unpatched.

The SocksEscort proxy service was powered by the AVrecon botnet, which targets routers and IoT devices, and was used to facilitate cybercrimes including DDoS attacks and ransomware. Approximately 1,200 device models are affected, from manufacturers such as Cisco, D-Link, Hikvision, MikroTik, Netgear, TP-Link, and Zyxel.

Affected Systems
  • Cisco routers
  • D-Link routers
  • Hikvision cameras
  • MikroTik routers
  • Netgear routers
  • TP-Link devices
  • Zyxel routers
Affected Versions: All versions before security patches were applied, particularly those with known vulnerabilities such as Remote Code Execution (RCE) and command injection.
Remediation
  • Update firmware to the latest version for each affected device model.
  • Apply firewall rules to block unauthorized access to administrative interfaces.
  • Change default passwords and use strong authentication mechanisms.
Stack Impact

This impacts routers, IoT devices, and possibly any services that rely on unsecured network connections.
