09/16/2025 | Press release | Distributed by Public on 09/17/2025 01:36
David R. White, VP Security Engineering, Karim Mahrous, Exec Director Cybersecurity Engineering, Noopur Davis, Global CISO
We live in a world where daily life runs on converged networks that blend data, voice, and video across an ever-growing number of devices and ever-higher volumes of traffic. Consequently, attacks on those systems and on the networks beneath them are multiplying rapidly. Comcast's network serves more than 30 million broadband subscribers and more than 1 billion customer devices. Comcast operates the largest converged network in the United States, a vital component of the Nation's critical infrastructure that supports homes, businesses, and the backhaul of internet traffic.
As such, Comcast is always implementing new ways to improve our defenses. We created the Comcast Threat Research Lab (CTRL) to detect and uncover systemic, large-scale threats: threats that seek to exploit both subscriber-owned devices and Comcast's infrastructure to launch, broker, and amplify cyberattacks. The CTRL team uses Comcast's Security Data Fabric to search continuously for threats across the internet, and this effort has produced surprising results. The team initially expected to find widespread bandwidth theft. What it found was more nuanced: millions of micro-abuses that individually consume trivial bandwidth but collectively reveal a far more concerning pattern, namely sophisticated, concealed, and constantly evolving attack networks operating at scale.
These attack networks hide in plain sight. They are advertised on the internet under their own domain names, and they accept credit cards and bitcoin. YouTube videos and Reddit posts promote them as a way to earn "beer money" or a side income. They are commonly referred to as "residential proxies"1 or "ResProxies." A ResProxy is an application running on a device behind a subscriber IP address. It accepts traffic from an external party and forwards it onward from the proxied device, so the destination sees the subscriber's address rather than the true originator's. The originator's traffic is effectively masked by blending into ordinary residential and business internet traffic.
ResProxies can serve socially beneficial purposes, such as supporting journalistic integrity by keeping sources anonymous, but they are more commonly used for malicious ends. In particular, ResProxies appear most often to be used to hide individuals' efforts to flout content protections (for example, evading blackouts of sporting event broadcasts or bypassing geographic restrictions) in order to watch streaming content in blocked regions. Although content owners have raised alarms about these practices, ResProxies have largely flown under the radar for years, except for occasional law-enforcement-coordinated takedowns such as RSOCKS2, 5SOCKS, and 911 S53. Our work suggests that a closer look is in order.
ResProxies can be installed in a variety of ways, some with the user's consent (though even then the user often does not know exactly what they are consenting to) and, in many cases, without their knowledge. Common methods include:
Once installed, the proxy connects to an online reseller that markets access to its proxy network by location, internet service provider, and connection quality. The proxy is then rented out to paying customers, often with little or no oversight. As noted above, those customers use ResProxies to disguise their internet traffic so that it appears to come from a typical home user.
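To make the relay mechanism described above concrete, the following is an added illustration (not Comcast's code, and not the software of any real proxy network) of how a residential proxy node tunnels a paying customer's connection. The four roles (target, node, controller, customer) run on loopback in one process; the function names, the one-line CONNECT command, and the use of a raw TCP pipe are simplifying assumptions made for this demo, whereas real networks typically speak SOCKS or HTTP over an encrypted control channel. The point it demonstrates is the one the text makes: the node dials out to the controller, so NAT and inbound firewalls on the subscriber's network do not stop it, and the destination only ever sees the subscriber's device as its peer.

```python
import socket
import threading

# Added example: a toy reverse-connect relay shaped like a residential proxy node.
# Roles, all on 127.0.0.1 with OS-chosen ports:
#   target     - the server the paying customer actually wants to reach
#   node       - the proxy app on the subscriber's device; it dials OUT to the controller
#   controller - the reseller's server; it accepts customers and pairs each with a node
#   customer   - whoever rents the proxy
# The one-line wire format (b"CONNECT host port\n") is an assumption made for this demo.

def _listen():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(5)
    return s

def _readline(sock):
    """Read one newline-terminated line a byte at a time so nothing past it is consumed."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf

def _pump(src, dst):
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _splice(a, b):
    """Relay both directions between two connected sockets until both sides close."""
    pumps = [threading.Thread(target=_pump, args=(a, b)),
             threading.Thread(target=_pump, args=(b, a))]
    for p in pumps:
        p.start()
    for p in pumps:
        p.join()
    a.close()
    b.close()

def target_server(listener, result):
    """The destination: records which peer connected and echoes the first line back."""
    conn, peer = listener.accept()
    result["target_saw_port"] = peer[1]            # all the target ever learns
    line = _readline(conn).strip()
    conn.sendall(b"echo " + line + b" from_port=%d\n" % peer[1])
    conn.close()

def node(controller_addr, result):
    """On the subscriber device: connect outbound, wait for CONNECT, open it, splice."""
    ctl = socket.create_connection(controller_addr)   # outbound, so NAT is no obstacle
    cmd = _readline(ctl).decode().split()             # ["CONNECT", host, port]
    upstream = socket.create_connection((cmd[1], int(cmd[2])))
    result["node_outbound_port"] = upstream.getsockname()[1]
    _splice(ctl, upstream)

def controller(node_listener, customer_listener):
    """Reseller side: take one node registration and one customer, pair them up."""
    node_conn, _ = node_listener.accept()             # the device's outbound connection
    cust_conn, _ = customer_listener.accept()         # the only place the renter is visible
    node_conn.sendall(_readline(cust_conn))           # forward the customer's CONNECT line
    _splice(cust_conn, node_conn)

def customer(controller_customer_addr, target_addr):
    """The renter: ask for a tunnel to target_addr and send one line through it."""
    c = socket.create_connection(controller_customer_addr)
    my_port = c.getsockname()[1]
    c.sendall(b"CONNECT %s %d\n" % (target_addr[0].encode(), target_addr[1]))
    c.sendall(b"hello\n")
    reply = _readline(c).decode().strip()
    c.close()
    return my_port, reply

def run_demo():
    """Wire the four roles together on loopback and return what each side observed."""
    result = {}
    tgt_l, node_l, cust_l = _listen(), _listen(), _listen()
    threads = [threading.Thread(target=target_server, args=(tgt_l, result)),
               threading.Thread(target=controller, args=(node_l, cust_l)),
               threading.Thread(target=node, args=(node_l.getsockname(), result))]
    for t in threads:
        t.start()
    result["customer_port"], result["reply"] = customer(cust_l.getsockname(),
                                                        tgt_l.getsockname())
    for t in threads:
        t.join()
    for lst in (tgt_l, node_l, cust_l):
        lst.close()
    return result

if __name__ == "__main__":
    print(run_demo())
```

Running it shows the destination recording the node's outbound port, not the customer's: the renter's real address exists only on the controller's customer-facing socket. That asymmetry is why the destination's own logs cannot unmask the originator, and why the reseller's controller infrastructure, rather than the individual subscriber devices, is the natural point for detection and takedown.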
We studied these proxy networks to understand how extensively they are used, how they are constructed, and how they morph and shift over time. In partnership with other service providers, technology companies, and law enforcement, Comcast validated its findings on how these networks were being used to launch password-spraying attacks, exfiltrate stolen data, and conceal a multitude of criminal activity.
We discovered how common devices such as cell phones, home computers, and streaming devices can be co-opted into larger proxy networks to support this covert activity. A key finding was that not all the nodes in a proxy network are engaged all the time. The active nodes move over time, like migrating herds of caribou or buffalo, to avoid detection and remain anonymous. Our CTRL team adopted the term "herds" to describe these morphing groups of nodes. A more detailed discussion of these herds, how they move, and how they are used will be the subject of a forthcoming CTRL publication.
We also found that in some cases users had no knowledge that the proxy service was running on their devices, while in other cases they knew about it but did not understand why their participation was a problem, both under the applicable terms of service and, more critically, because of the kind of malicious traffic passing through their devices and home internet connection.
While the CTRL team now has improved visibility into these emerging threats, our ability to mitigate them remains constrained. The threats originate from devices that Comcast neither owns nor manages, which limits our capacity to take direct action. Where possible, however, we are taking concrete steps to combat this activity. For example, we recently discovered that about two million devices from a major streaming device provider had been co-opted into residential proxy service. CTRL began working with the vendor, which has since taken action to make it more difficult for ResProxies to run on its devices. CTRL also validated that these proxy networks were used in a recent major nation-state cyberattack, demonstrating that the harms enabled by this infrastructure go well beyond watching content without paying. Indeed, ResProxies have become a popular cyberattack framework for nation states and criminals alike.
Comcast's ability to identify emerging threats such as ResProxies is providing a better experience for our customers and helping to defend the Nation's critical infrastructure. We stand ready to continue our partnerships with federal and state law enforcement agencies and other providers. Together we can make a difference.
1 The word "residential" in "residential proxies" can be a misnomer, as the proxies can run on devices in residential, business, institutional, and other types of premises.
2 https://www.justice.gov/usao-sdca/pr/russian-botnet-disrupted-international-cyber-operation
3 https://www.justice.gov/archives/opa/pr/911-s5-botnet-dismantled-and-its-administrator-arrested-coordinated-international-operation