Threat Intelligence

4/25/2017
05:00 PM
INTERPOL Operation Sweeps Up Thousands of Cybercrime Servers Used for Ransomware, DDoS, Spam

Massive public-private 'cyber surge' in Asia identifies hundreds of compromised websites in operation that spans multiple cybercriminal groups, activities.

An INTERPOL-led investigation in the Association of Southeast Asian Nations (ASEAN) region has led to the discovery of some 9,000 command-and-control servers, hundreds of infected websites, and the identification of several suspects running phishing websites.

INTERPOL this week announced that a public-private operation run from its INTERPOL Global Complex for Innovation (IGCI) combined cybercrime investigation operations out of Indonesia, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam, as well as threat intelligence from Trend Micro, Kaspersky Lab, Cyber Defense Institute, Booz Allen Hamilton, British Telecom, Fortinet, and Palo Alto Networks. The result: the discovery of some 270 infected websites including those of some government agencies, as well as the identification of several phishing website operators and some 8,800 C&C servers used to target financial institutions, and for spreading ransomware, spam and launching distributed denial-of-service (DDoS) attacks.

The investigators say the operation is a first step in taking down various cybercriminal operations in that region of Asia. Law enforcement agencies from the ASEAN nations are still investigating the nabbed C&C servers and attempting to identify the bad guys behind them.

The sweep likely has ensnared multiple cybercrime groups and operations, and some but not all of the compromised websites and servers have been cleaned up or taken offline. The operation wasn't focused on taking down the C&C servers, but rather, identifying them for further investigation. Nor did it target any particular botnets or hosting providers.

"This was a series of operations undertaken by the countries involved," an INTERPOL spokesperson told Dark Reading. "However, the participating countries are still investigating the specific nature and degree of the command and control servers, including whether the servers are currently active and if any criminal actors can be identified."

INTERPOL and its investigation partners have kept many of the details of their findings under wraps, but among the infected websites were some government agency sites that investigators say could have exposed personal data of citizens. One of the phishing website operators found has links to Nigeria, and investigators found a cybercriminal out of Indonesia selling phishing kits via the Dark Web.

Bakuei Matsukawa, a Trend Micro researcher who works with the INTERPOL IGCI, says his firm found 40 live phishing sites; 454 live dating scam sites; 66 tech support scam sites; 119 malware-hosting sites; six keylogger dropzone sites; and weight-loss and other scam sites. "[Law enforcement] picked up several cases that they are interested [in] for their investigation" via the so-called "cyber surge," Matsukawa says.

"The main objective of the operation is to enhance LE's capability for cybercrime investigation. This operation supports the global use of threat intelligence for cybercrime investigation and highlights the importance of cooperation with private sectors through the operation," he says.

Derek Manky, security strategist at Fortinet, says the compromised websites found in the INTERPOL sweep were hacked via SQL injection, phishing, and other common site weaknesses. "This operation is notable because of the international cooperation between private and public organizations to help educate local law enforcement on methods to proactively identify common cybercriminal tactics so they can mitigate damages," he says. "This is just the first step, with future plans to perform periodic health checks in the regions to gauge for reductions in cybercrime over the long term."

Kaspersky Lab says a WordPress plug-in attack hit thousands of websites in the ASEAN region, including those of government agencies, universities, NGOs, and businesses. Attackers exploited the flaw to inject malware into more than 5,000 legitimate Web pages worldwide, redirecting victims to ads for counterfeit products. The firm says it contributed to the investigation the list of the nearly 9,000 malicious C&C servers.

Disruption of cybercrime operations, of course, typically is only temporary. "Any takedown has a negative effect, albeit temporarily, on the group behind it. It has long been the priority of Trend Micro to assist [law enforcement] with arrest and prosecution as the main priority – as that has a much more lasting impact on the underground," says Bob McArdle, EMEA manager of Trend Micro's Forward-Looking Threat Research team. "However, a balance has to be struck between making shorter-term gains in terms of protecting potential victims, versus the long game of apprehending those behind the attacks. Our focus will remain on assisting building cases for arrests – but we do think this action will cause some criminal groups headaches for a while."

According to INTERPOL Eurasian cybercrime working group chairman Francis Chan, who also heads up the Hong Kong Police Force’s cybercrime unit, the cybercrime sweep helped the participating nations gain experience in these types of investigations.

"For many of those involved, this operation helped participants identify and address various types of cybercrime which had not previously been tackled in their countries," said Chan, who is chief superintendent at INTERPOL. "It also enabled countries to coordinate and learn from each other by handling real and actionable cyber intelligence provided by private companies via INTERPOL, and is a blueprint for future operations."



Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
