Threat Intelligence

4/25/2017
05:00 PM

INTERPOL Operation Sweeps Up Thousands of Cybercrime Servers Used for Ransomware, DDoS, Spam

Massive public-private 'cyber surge' in Asia identifies hundreds of compromised websites in operation that spans multiple cybercriminal groups, activities.

An INTERPOL-led investigation in the Association of Southeast Asian Nations (ASEAN) region has led to the discovery of some 9,000 command-and-control servers, hundreds of infected websites, and the identification of several suspects running phishing websites.

INTERPOL this week announced that a public-private operation run from its INTERPOL Global Complex for Innovation (IGCI) combined cybercrime investigation operations out of Indonesia, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam, as well as threat intelligence from Trend Micro, Kaspersky Lab, Cyber Defense Institute, Booz Allen Hamilton, British Telecom, Fortinet, and Palo Alto Networks. The result: the discovery of some 270 infected websites including those of some government agencies, as well as the identification of several phishing website operators and some 8,800 C&C servers used to target financial institutions, and for spreading ransomware, spam and launching distributed denial-of-service (DDoS) attacks.

The investigators say the operation is a first step in taking down various cybercriminal operations in that region of Asia. Law enforcement agencies from the ASEAN nations are still investigating the nabbed C&C servers and attempting to identify the bad guys behind them.

The sweep likely has ensnared multiple cybercrime groups and operations, and some but not all of the compromised websites and servers have been cleaned up or taken offline. The operation wasn't focused on taking down the C&C servers, but rather, identifying them for further investigation. Nor did it target any particular botnets or hosting providers.

"This was a series of operations undertaken by the countries involved," an INTERPOL spokesperson told Dark Reading. "However, the participating countries are still investigating the specific nature and degree of the command and control servers, including whether the servers are currently active and if any criminal actors can be identified."

INTERPOL and its investigation partners have kept many of the details of their findings under wraps, but among the infected websites were some government agency sites that investigators say could have exposed personal data of citizens. One of the phishing website operators found has links to Nigeria, and investigators found a cybercriminal out of Indonesia selling phishing kits via the Dark Web.

Bakuei Matsukawa, a Trend Micro researcher who works with the INTERPOL IGCI, says his firm found 40 live phishing sites; 454 live dating scam sites; 66 tech support scam sites; 119 malware-hosting sites; six keylogger dropzone sites; and weight-loss and other scam sites. "[Law enforcement] picked up several cases that they are interested [in] for their investigation" via the so-called "cyber surge," Matsukawa says.

"The main objectives of the operation are to enhance LE's capability for cybercrime investigation. This operation supports the global use of threat intelligence for cybercrime investigation and highlights the importance of cooperation with private sectors through the operation," he says.

Derek Manky, security strategist at Fortinet, says the compromised websites found in the INTERPOL sweep were hacked via SQL injection, phishing, and other common site weaknesses. "This operation is notable because of the international cooperation between private and public organizations to help educate local law enforcement on methods to proactively identify common cybercriminal tactics so they can mitigate damages," he says. "This is just the first step, with future plans to perform periodic health checks in the regions to gauge for reductions in cybercrime over the long term."

Kaspersky Lab says a WordPress plug-in attack hit thousands of websites in the ASEAN region, including those of government agencies, universities, NGOs, and businesses. Attackers exploited the flaw to inject malware into more than 5,000 legitimate Web pages worldwide, redirecting victims to ads for counterfeit products. The firm says it contributed to the investigation the list of the nearly 9,000 malicious C&C servers.

Disruption of cybercrime operations, of course, typically is only temporary. "Any takedown has a negative effect, albeit temporarily, on the group behind it. It has long been the priority of Trend Micro to assist [law enforcement] with arrest and prosecution as the main priority – as that has a much more lasting impact on the underground," says Bob McArdle, EMEA manager of Trend Micro's Forward-Looking Threat Research team. "However, a balance has to be struck between making shorter-term gains in terms of protecting potential victims, versus the long game of apprehending those behind the attacks. Our focus will remain on assisting building cases for arrests – but we do think this action will cause some criminal groups headaches for a while."

According to INTERPOL Eurasian cybercrime working group chairman Francis Chan, who also heads up the Hong Kong Police Force’s cybercrime unit, the cybercrime sweep helped the participating nations gain experience in these types of investigations.

"For many of those involved, this operation helped participants identify and address various types of cybercrime which had not previously been tackled in their countries," said Chan, who is chief superintendent at INTERPOL. "It also enabled countries to coordinate and learn from each other by handling real and actionable cyber intelligence provided by private companies via INTERPOL, and is a blueprint for future operations."



Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
