Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

6/23/2020
12:40 PM
50%
50%

Cybercrime Infrastructure Never Really Dies

Despite the takedown of the "CyberBunker" threat operators in 2019, command-and-control traffic continues to report back to the defunct network address space.

Nine months after German police raided a Cold War-era bunker and shut down the group operating the cybercriminal service, command-and-control (C2) traffic and other network data continue to attempt to use the Internet address space assigned to the group, according to an analysis published by the SANS Technology Institute on Tuesday.

The analysis, part of a master's thesis, found that many telltale signs of the cybercrime operation continued to trickle in through the Internet. Much of the traffic appears to be related to potential botnet C2 servers, which could have been hosted at the operation but also includes phishing activity, pornographic content, advertising fraud, and potential signs of denial-of-service attack operations.

The analysis shows that automate cybercriminal infrastructure will continue to produce traffic and could provide defenders with information on computers infected with botnet clients and other compromised hosts, says Karim Lalji, a managing security consultant at Canadian telecommunications firm TELUS and author of the report.

"While this isn't anything new, it does astonish me how much activity is still going on almost nine months after the hosting facility was raided by law enforcement," Lalji says. "The servers were literally taken off the property and ripped apart by forensic analysts, yet there's still so much traffic."

The analysis yields interesting insight into the scale of operations of a well-known cybercriminal operation. A significant number of cybercriminal operations that used the CyberBunker services appear to have left behind their automated infrastructure, and that — despite being closed down the prior year — many continue to reach out to the shuttered service.

"One thing we tried to keep in mind is that the networks haven't been 'active' in several months, so while attempts to uncover drug market activity, stolen goods, and illicit content yielded few results, they were very likely there at some point," Lalji says. "The data also had to be sampled due to the sheer size."

The CyberBunker operated in Germany is the second such facility raided by police. In 2013, the first CyberBunker — based in Amsterdam and operated by some of the same people — was shut down by police, following extended distributed denial-of-service attacks against anti-spam coalition SpamHaus. 

The facility shut down in 2019, dubbed "CyberBunker 2.0" by the group operating the service, was based on three-acre property in the German town of Traben-Trarbach. In a massive operation, more than 650 federal police officers, including a tactical unit, raided the property in September 2019, reportedly seizing 200 servers, a variety of other technology, and cash. Seven people were arrested, and warrants were issued for another six people. The raid resulted in the shutdown of several dark-market sites, including major sellers of drugs and narcotics.

SANS gained access to the three subnets after the owner of the network sold them a hosting provider, which allowed SANS to capture traffic for analysis.

The analysis filtered out the typical "background noise" that any server connected to the Internet might encounter, including brute-force attacks, vulnerability scans, and searches for open ports. The SANS honeypot system used a network sniffer, instances of Apache web servers and FTP servers, and a firewall. 

Lalji warned that only some signs of illegal activity could be captured and that it would be difficult to come to firm conclusions as to what had been hosted on the network.

"Analyzing these requests provides strong indications about network activity but does not necessarily yield conclusive results," Lalji wrote in the report. "Additionally, the adversary group's arrests took place six months before this analysis, increasing the likelihood of a reduction in active illegal traffic in the period leading up to this examination."

One interesting finding, however, is the outsized role that sources in Brazil apparently had as customers of CyberBunker. The analysis showed that Brazil is a top source and destination of packets received by the SANS honeypot. While the volume of network data coming from Brazil put the country at the top of the list, much of the data was produced by a few large sources, Lalji says.

"While there is likely a much bigger variety, a few of the IP top talkers that have geodata associated with Brazilian IPs are associated with DNS," Lalji says. 

Other interesting aspects of the analysis include that at least one botnet using the service appeared to hide C2 traffic in Internet Relay Chat traffic passed over the Web (port 80). SANS detected traffic from more than 7,000 unique source addresses. The traffic included as part of the requests almost 2,000 computer names, the report stated.

"This type of traffic pattern is generally too precise to be human-generated," Lalji stated in the analysis. "Based on the behavior of this traffic, it is highly likely to be a result of an IRC botnet, which has traditionally been a popular technique used by adversaries."

Related Content:

 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register for this On-Demand event. 

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8225
PUBLISHED: 2020-09-18
A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.
CVE-2020-8237
PUBLISHED: 2020-09-18
Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack.
CVE-2020-8245
PUBLISHED: 2020-09-18
Improper Input Validation on Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11....
CVE-2020-8246
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...
CVE-2020-8247
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...