Takedown Bonus: APT Attackers Hurt

Tuesday, July 8, 2014 @ 06:07 PM gHale

Sometimes quite a bit of gray falls in between a clear black and white issue. Microsoft taking down the No-IP DNS server is a perfect example.

At first glance, seizing free domain names in an effort to strike a fatal blow to malware delivery networks looked like an unqualified good thing, but the problem was in the takeover effort itself: innocent people suffered.


Microsoft said it was sorry for inadvertently disrupting millions of innocent Internet users when it took down the U.S.-based No-IP Internet service earlier this week to stop accused cyber criminals from Kuwait and Algeria using it to infect millions of computers worldwide with malware.

But after facing heavy criticism on forums and Twitter, Kaspersky gave Microsoft a thumbs up, saying the takedown has been hugely successful – not just stopping accused attackers Mohamed Benabdellah and Naser Al Mutairi from exploiting the Bladabindi and Jenxcus RAT malware families, but also hitting at least 25 percent of the advanced persistent threat (APT) groups that Kaspersky is currently tracking.

In a blog post, Kaspersky Lab researcher Costin Raiu said Bladabindi and Jenxcus are also used by the Syrian Electronic Army. And Raiu said Microsoft’s action has disrupted a whole rogues’ gallery of other APT operations, including Flame/Miniflame, Turla/Snake/Uroburos, Epic, Cycldek, Shiqiang, HackingTeam RCS customers, Banechant and Ladyoffice.
https://securelist.com/blog/events/64143/microsoft-seizes-22-no-ip-domains-disrupts-cybercriminal-and-nation-state-apt-malware-operations/

“We think yesterday’s events have dealt a major blow to many cybercriminal and APT operations around the world,” he said. “Based on our statistics, the shutdown has affected in some form at least 25 percent of the APT groups we are tracking. Some of these hosts that were previously used in large and sophisticated cyber espionage operations are now pointing to what appears to be a Microsoft sinkhole.”

Apologizing for the impact on ordinary users, David Finn, associate general counsel in Microsoft’s Digital Crimes Unit, said, “On Monday morning, Microsoft took steps to disrupt a cyber attack that surreptitiously installed malware on millions of devices without their owners’ knowledge through the abuse of No-IP, an Internet solutions service. Due to a technical error, however, some customers whose devices were not infected by the malware experienced a temporary loss of service. As of 6.00am Pacific time today (Tuesday), all service was restored. We regret any inconvenience these customers experienced.”

But No-IP, which has more than 18 million users, contradicted part of the statement, saying on its website Wednesday: “Our domains are still experiencing outages due to the Microsoft takedown.”

Raiu said No-IP’s free DNS service offering is popular with cyber criminals because it enables them to register easy-to-update website host names to control their malware implants.
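The property Raiu describes, a hostname whose owner can re-point it at will, is also what makes these names detectable from the defender's side: a resolver log shows both which clients look up names under a dynamic DNS provider and which names change their answer within a short window. The script below is an added example written for this article, not code from Kaspersky, Microsoft or No-IP. The log format (timestamp, client, queried name, answer), the sample log lines and the list of dynamic DNS suffixes are all constructed and assumed for the example; a real deployment would feed it the local resolver's query logs and a maintained watch list.

```python
"""Triage resolver logs for dynamic DNS use and fast-changing answers.

Added example. Log format, sample lines and suffix list are constructed
assumptions, not data from the article.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed watch list of dynamic DNS suffixes; extend for your environment.
DYNDNS_SUFFIXES = ("no-ip.org", "no-ip.biz", "ddns.example")

# Constructed resolver log: "<timestamp> <client> <qname> <answer>" per line.
SAMPLE_LOG = """\
2014-07-01T08:00:01 10.1.2.3 update.corp.example 192.0.2.10
2014-07-01T08:00:05 10.1.2.3 svc-panel.no-ip.biz 198.51.100.20
2014-07-01T08:10:05 10.1.2.3 svc-panel.no-ip.biz 198.51.100.21
2014-07-01T08:20:05 10.1.2.3 svc-panel.no-ip.biz 203.0.113.5
2014-07-01T08:21:00 10.1.2.7 www.corp.example 192.0.2.11
2014-07-01T08:22:00 10.1.2.7 files.ddns.example 203.0.113.9
malformed line that should be skipped
"""


@dataclass(frozen=True)
class DnsRecord:
    ts: str
    client: str
    qname: str
    answer: str


def parse_log(text):
    """Parse the constructed four-field log format; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        records.append(DnsRecord(*parts))
    return records


def is_dyndns(qname, suffixes=DYNDNS_SUFFIXES):
    """True if qname is a dynamic DNS suffix or a label under one.

    Matching on '.' + suffix avoids false hits on e.g. 'notno-ip.org'.
    """
    name = qname.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in suffixes)


def find_dyndns_queries(records, suffixes=DYNDNS_SUFFIXES):
    """Map each client to the sorted list of dynamic DNS names it resolved."""
    hits = defaultdict(set)
    for r in records:
        if is_dyndns(r.qname, suffixes):
            hits[r.client].add(r.qname.lower())
    return {client: sorted(names) for client, names in hits.items()}


def find_changing_answers(records, min_distinct=2):
    """Names whose answer changed within the log window.

    Returns name -> distinct answers in the order first seen; a dynamic DNS
    name being re-pointed shows up here as several answers in minutes.
    """
    seen = defaultdict(list)
    for r in records:
        name = r.qname.lower()
        if r.answer not in seen[name]:
            seen[name].append(r.answer)
    return {n: a for n, a in seen.items() if len(a) >= min_distinct}


def triage(text, suffixes=DYNDNS_SUFFIXES):
    """Combine both signals; names that are dynamic DNS *and* re-pointed rank first."""
    records = parse_log(text)
    dyn = find_dyndns_queries(records, suffixes)
    churn = find_changing_answers(records)
    priority = sorted(n for n in churn if is_dyndns(n, suffixes))
    return {"dyndns_by_client": dyn, "changing_answers": churn, "priority": priority}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for client, names in result["dyndns_by_client"].items():
        print(f"{client} resolved dynamic DNS names: {', '.join(names)}")
    for name in result["priority"]:
        print(f"PRIORITY {name}: re-pointed {len(result['changing_answers'][name])} times")
```

Neither signal is proof of compromise on its own: legitimate home users and small services rely on the same providers, which is exactly why the takedown hurt so many bystanders. Treat the output as a hunting lead, and corroborate it with the process that issued the lookup and the traffic that followed the resolution.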
