Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Microsoft, FBI Trumpet Citadel Botnet Takedowns

Joint operation is first in which law enforcement and private sector use civil seizure warrant to disrupt massive malware attack.

The Syrian Electronic Army: 9 Things We Know
(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
Microsoft and FBI Wednesday announced that in a joint operation, they took down over 1,000 Citadel botnets that were being used to control millions of malware-infected PCs.

Over the past 18 months, authorities believe the botnets stole over $500 million from consumer and business bank accounts, infecting more than 5 million PCs located in 90 countries, including the United States, Australia, Hong Kong, India and large parts of Western Europe.

The takedown began last week, when Microsoft filed a civil lawsuit against the botnet "herders" running 1,463 Citadel botnets. Using a court-ordered seizure request and working with U.S. Marshalls, Microsoft employees seized servers from two hosting facilities in New Jersey and Philadelphia and provided information about the botnets to overseas Computer Emergency Response Teams (CERTs), requesting that they target related command-and-control infrastructure. The FBI simultaneously provided related information to its overseas law enforcement counterparts.

[ Zeus is back with a vengeance. Here's how to protect yourself and your business. Zeus Malware Returns, Targets SMBs. ]

A related complaint, unsealed Wednesday, charged a "John Doe" who uses the alias "Aquabox" with being the mastermind behind the botnet gang and managing a group of over 80 "botnet herders" around the world who controlled groups of Citadel-infected PCs.

While Microsoft has previously participated in seven botnet takedowns, this operation marks the first time that law enforcement and the private sector have worked together in this way to execute a civil seizure warrant as part of a botnet disruption operation, according to a blog post by Richard Domingues Boscovich, assistant general counsel for Microsoft's digital crimes unit.

As with many types of malware, Citadel used malicious code to not only infect PCs but also resist attempts to remove it. "During our investigation we found that Citadel blocked victims' access to many legitimate anti-virus/anti-malware sites, making it so people may not have been able to easily remove this threat from their computer," said Boscovich. "However, with the disruptive action, victims should now be able to access these previously blocked sites."

According to Microsoft, the gang behind the Citadel botnets infected PCs in part by selling pirated versions of the Windows XP operating system that they'd pre-infected with the malware.

The Citadel takedown was a joint effort involving not just Microsoft and the FBI, but also U.S. Marshals Service. In addition, the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Electronic Payments Association (NACHA) and the American Bankers Association (ABA) supported Microsoft's civil lawsuit by detailing how the botnets had been used to steal online banking credentials and execute fraudulent transactions. Likewise, security firm Agari detailed how the botnets had been built -- in part -- via phishing emails disguised to look like communications from legitimate financial services firms.

The FBI said this Citadel botnet takedown was part of a larger effort, coordinated by the National Cyber Investigative Joint Task Force (NCIJTF), which is targeting botnet creators and distributors.

Will this takedown have a permanent impact on the number of Citadel botnets in operation? "Due to Citadel's size and complexity, we do not expect to fully take out all of the botnets in the world using the Citadel malware," said Microsoft's Boscovich. "However, we do expect that this action will significantly disrupt Citadel's operation, helping quickly release victims from the threat and making it riskier and more costly for the cybercriminals to continue doing business."

Still, the takedown may serve as only a temporary setback for Aquabox's gang. "While it's good to see botnets like Citadel being shut down, without arrests I feel we are simply treating symptoms rather than the disease," tweeted Brian Honan, CEO of the Irish Reporting and Information Security Service, which is Ireland's CERT.

But FBI assistant executive director Richard McFeely said the bureau is working with its overseas counterparts to identify the people responsible as part of an already "fairly advanced" criminal probe. "We are upping the game in our level of commitment in going after botnet creators and distributors," McFeely told Reuters. "This is a more concerted effort to engage our foreign partners to assist us in identifying, locating and -- if we can -- get U.S. criminal process on these botnet creators and distributors."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "He's too shy to invite me out face to face!"
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15138
PUBLISHED: 2019-09-20
The html-pdf package 2.2.0 for Node.js has an arbitrary file read vulnerability via an HTML file that uses XMLHttpRequest to access a file:/// URL.
CVE-2019-6145
PUBLISHED: 2019-09-20
Forcepoint VPN Client for Windows versions lower than 6.6.1 have an unquoted search path vulnerability. This enables local privilege escalation to SYSTEM user. By default, only local administrators can write executables to the vulnerable directories. Forcepoint thanks Peleg Hadar of SafeBreach Labs ...
CVE-2019-6649
PUBLISHED: 2019-09-20
F5 BIG-IP 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.6.0-11.6.4, and 11.5.1-11.5.9 and Enterprise Manager 3.1.1 may expose sensitive information and allow the system configuration to be modified when using non-default ConfigSync settings.
CVE-2019-6650
PUBLISHED: 2019-09-20
F5 BIG-IP ASM 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.6.0-11.6.4, and 11.5.1-11.5.9 may expose sensitive information and allow the system configuration to be modified when using non-default settings.
CVE-2014-10396
PUBLISHED: 2019-09-20
The epic theme through 2014-09-07 for WordPress allows arbitrary file downloads via the file parameter to includes/download.php.