Vulnerabilities / Threats // Advanced Threats
7/3/2014
09:20 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Microsoft's Seizure Of No-IP Domains Disrupted Criminals & Innocents Alike

Microsoft successfully disrupted roughly one-quarter of the APT actors Kaspersky monitors, but took down millions of innocent hostnames too.

UPDATE: As of Thursday afternoon, all seized domains are now back in the possession of No-IP. Original story:

Researchers at Kaspersky say that Microsoft's takeover of 22 No-IP dynamic DNS servers hit the Syrian Electronic Army and other cybercrime groups hard, but it also disrupted innocent users' business in the process. Microsoft says the trouble is resolved. No-IP says it isn't. An apparently-unrelated DDoS attack on the No-IP.com website hit Tuesday, adding to the trouble.

Last month the US District Court of Nevada granted the Microsoft Digital Crimes Unit authority to seize control of the domains as part of an effort to cease or disrupt the operations of several major criminal groups that use No-IP domains. As Richard Domingues Boscovich, assistant general counsel of Microsoft's Digital Crimes Unit, explained, "Our research revealed that out of all Dynamic DNS providers, No-IP domains are used 93 percent of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains."

Monday, Microsoft seized control of the domains, but due to a "technical error," legitimate No-IP customers who were not associated with malicious activity were also denied service. According to No-IP, "Millions of hostnames have gone dark and millions of our users have been put out of service."

Microsoft acknowledged the mistake in a statement Tuesday from David Finn, executive director and associate general counsel for the Digital Crimes Unit. He said:

Yesterday [Monday] morning, Microsoft took steps to disrupt a cyber-attack that surreptitiously installed malware on millions of devices without their owners’ knowledge through the abuse of No-IP, an Internet solutions service. Due to a technical error, however, some customers whose devices were not infected by the malware experienced a temporary loss of service. As of 6 a.m. Pacific time today [Tuesday], all service was restored. We regret any inconvenience these customers experienced.

Yet later Tuesday No-IP tweeted that it was still receiving complaints from customers whose sites were down.

Meanwhile, the No-IP website was brought down by a DDoS attack. The company informed customers of the attack via Twitter midday Tuesday, and followed up, stating, "Please note the DDOS attack was only directed at our website, not to our DNS infrastructure."

Wednesday afternoon the company tweeted that some hostnames were starting to resolve again and released a message from CEO Dan Durrer, which stated:

We have been throwing everything we have at getting you back online with the least possible delay. For legal reasons, we have been restricted from reaching out to you, but we simply cannot stay quiet any longer. We are very close to a resolution and we will update you with more information as soon as we can.

Many voices in the security community have come out in protest of the actions taken by Microsoft and the court, stating that they are heavy-handed and set a dangerous precedent that could allow private companies to take control of another company's IT infrastructure whenever they decide it is beneath their own standards of quality.

Those criticisms notwithstanding, the shutdown has achieved its aim, according to Kaspersky Lab's Costin Raiu. In a blog post Tuesday, he stated: "Based on our statistics, the shutdown has affected in some form at least 25% of the [advanced persistent threat (APT)] groups we are tracking."

In addition to Bladabindi and Jenxcus, which he said have been used by multiple hacktivist and criminal groups, including the Syrian Electronic Army, Raiu said that Microsoft's actions disrupted a number of other APTs' operations, including Flame and Snake.

"We think [Monday's] events have dealt a major blow to many cybercriminal and APT operations around the world," said Raiu. "In the future, we can assume these groups will be more careful on using Dynamic DNS providers and rely more often on hacked websites and direct IP addresses to manage their C&C infrastructure."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/9/2014 | 5:18:03 PM
Re: Universal Standards
I think I should have rephrased the question, I wasn't certain to the services that no IP provided. I understand the need for Dynamic DNS but now that you have clarified that that's what No IP provides the situation became clearer. Thanks,
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
7/8/2014 | 8:49:42 AM
Re: broken link
@SgS125  Thanks for letting us know! I've fixed the link now.
SgS125
50%
50%
SgS125,
User Rank: Moderator
7/7/2014 | 4:03:00 PM
broken link
Your link to kaspersky is broken.

http://securelist.com/en/blog/208214339/Microsoft_seizes_22_NO_IP_domains_disrupts_cybercriminal_and_nation_state_APT_malware_operations
securityaffairs
100%
0%
securityaffairs,
User Rank: Ninja
7/7/2014 | 11:11:27 AM
Re: Universal Standards
@Ryan there are many legitimate uses for Dynamic DNS services, consider, for example the vast amount of IoT that is in every home and that have to be remotely controlled despite the owners haven't a fixed public IP. It is very common for video surveillance ...

 
Andre Leonard
50%
50%
Andre Leonard,
User Rank: Strategist
7/7/2014 | 10:51:11 AM
Good job..
You cannot please all the people all the time. But you can please most of the people, most of the time. The best interests of the internet community were serevd here. 

It's sad but necessary due to the increasing number of people who cannot be trusted.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/6/2014 | 1:19:19 PM
Universal Standards
I think that two things need to be considered here.

First, I agree it was heavy handed that Microsoft's actions had the ability to affect other private companies whose standards were less astringent than their own. But shouldn't we have a set of universal standards that need to be adhered to privately from a security perspective? This would establish a baseline and at last allow uniformity which might help in needed cases of creation and troubleshooting for third parties.

Second, and this is also a question I am posing. What is the purpose of utilizing no IP? What are the benefits from a non-malicious standpoint? Thanks!
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-4620
Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

CVE-2014-4623
Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before 2.0.0.4 is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

CVE-2014-4624
Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

CVE-2014-6151
Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.