4/25/2017
05:00 PM
INTERPOL Operation Sweeps Up Thousands of Cybercrime Servers Used for Ransomware, DDoS, Spam

Massive public-private 'cyber surge' in Asia identifies hundreds of compromised websites in operation that spans multiple cybercriminal groups, activities.

An INTERPOL-led investigation in the Association of Southeast Asian Nations (ASEAN) region has led to the discovery of some 9,000 command-and-control servers, hundreds of infected websites, and the identification of several suspects running phishing websites.

INTERPOL this week announced that a public-private operation run from its INTERPOL Global Complex for Innovation (IGCI) combined cybercrime investigation operations out of Indonesia, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam, as well as threat intelligence from Trend Micro, Kaspersky Lab, Cyber Defense Institute, Booz Allen Hamilton, British Telecom, Fortinet, and Palo Alto Networks. The result: the discovery of some 270 infected websites including those of some government agencies, as well as the identification of several phishing website operators and some 8,800 C&C servers used to target financial institutions, and for spreading ransomware, spam and launching distributed denial-of-service (DDoS) attacks.

The investigators say the operation is a first step in taking down various cybercriminal operations in that region of Asia. Law enforcement agencies from the ASEAN nations are still investigating the nabbed C&C servers and attempting to identify the bad guys behind them.

The sweep likely has ensnared multiple cybercrime groups and operations, and some but not all of the compromised websites and servers have been cleaned up or taken offline. The operation wasn't focused on taking down the C&C servers, but rather, identifying them for further investigation. Nor did it target any particular botnets or hosting providers.

"This was a series of operations undertaken by the countries involved," an INTERPOL spokesperson told Dark Reading. "However, the participating countries are still investigating the specific nature and degree of the command and control servers, including whether the servers are currently active and if any criminal actors can be identified."

INTERPOL and its investigation partners have kept many of the details of their findings under wraps, but among the infected websites were some government agency sites that investigators say could have exposed personal data of citizens. One of the phishing website operators found has links to Nigeria, and investigators found a cybercriminal out of Indonesia selling phishing kits via the Dark Web.

Bakuei Matsukawa, a Trend Micro researcher who works with the INTERPOL IGCI, says his firm found 40 live phishing sites; 454 live dating scam sites; 66 tech support scam sites; 119 malware-hosting sites; six keylogger dropzone sites; and weight-loss and other scam sites. "[Law enforcement] picked up several cases that they are interested [in] for their investigation" via the so-called "cyber surge," Matsukawa says.

"The main objectives of the operation are to enhance LE's capability for cybercrime investigation. This operation supports the global use of threat intelligence for cybercrime investigation and highlights the importance of cooperation with private sectors through the operation," he says.

Derek Manky, security strategist at Fortinet, says the compromised websites found in the INTERPOL sweep were hacked via SQL injection, phishing, and other common site weaknesses. "This operation is notable because of the international cooperation between private and public organizations to help educate local law enforcement on methods to proactively identify common cybercriminal tactics so they can mitigate damages," he says. "This is just the first step, with future plans to perform periodic health checks in the regions to gauge for reductions in cybercrime over the long term."

Kaspersky Lab says a WordPress plug-in attack hit thousands of websites in the ASEAN region, including those of government agencies, universities, NGOs, and businesses. Attackers exploited the flaw to inject malware into more than 5,000 legitimate Web pages worldwide, redirecting victims to ads for counterfeit products. The firm says it contributed to the investigation the list of the nearly 9,000 malicious C&C servers.

Disruption of cybercrime operations, of course, typically is only temporary. "Any takedown has a negative effect, albeit temporarily, on the group behind it. It has long been the priority of Trend Micro to assist [law enforcement] with arrest and prosecution as the main priority – as that has a much more lasting impact on the underground," says Bob McArdle, EMEA manager of Trend Micro's Forward-Looking Threat Research team. "However, a balance has to be struck between making shorter-term gains in terms of protecting potential victims, versus the long game of apprehending those behind the attacks. Our focus will remain on assisting building cases for arrests – but we do think this action will cause some criminal groups headaches for a while."

According to INTERPOL Eurasian cybercrime working group chairman Francis Chan, who also heads up the Hong Kong Police Force’s cybercrime unit, the cybercrime sweep helped the participating nations gain experience in these types of investigations.

"For many of those involved, this operation helped participants identify and address various types of cybercrime which had not previously been tackled in their countries," said Chan, who is chief superintendent at INTERPOL. "It also enabled countries to coordinate and learn from each other by handling real and actionable cyber intelligence provided by private companies via INTERPOL, and is a blueprint for future operations."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...