TMCnet News
'CyberBunker' Malicious Activity Continues Months After Police Raid, SANS Technology Institute's Internet Storm Center Research Finds

BETHESDA, Md., June 23, 2020 /PRNewswire/ -- SANS Technology Institute, a college known for its cutting-edge cybersecurity research, has shown that victims continue to reach out to IP address space used by the threat actor "CyberBunker" months after the organization was taken down in a raid.

In the fall of 2019, German police raided a Cold War-era nuclear bunker that was being used by CyberBunker, an organization selling bullet-proof hosting services for various criminal activities. In April 2020, the SANS Technology Institute's (SANS.edu) Internet Storm Center obtained access to the IP address space formerly used by CyberBunker and, over the course of two weeks, collected and analyzed traffic destined for addresses in that range. As part of his work for a master's degree in Information Security Engineering with SANS.edu, student Karim Lalji analyzed the traffic and today publishes a new paper.

Through his analysis, Karim Lalji identified several botnets and thousands of malware-infected hosts that continue to reach out to the now-defunct command and control servers formerly hosted by CyberBunker. In some cases, it was possible to identify encrypted command and control channels and link them to specific malware families.

"Thanks to the great collaboration that made access to the IP address space possible, and Karim's analysis of the large amounts of data, we gained insight into how a criminal network service provider operates and the breadth of services offered by them," says Dr. Johannes Ullrich, SANS fellow and Dean of Research at the SANS Technology Institute. "Criminal enterprises today have their own supply chain with network providers like CyberBunker providing critical hosting services that are difficult to terminate."
The analysis additionally uncovered phishing sites, still receiving traffic, that impersonated the Royal Bank of Canada, Apple, and PayPal, among others. An ad network that was potentially used to place malicious ads on websites was found to continue reaching out to the CyberBunker address space to load ads.

"Working on this project was a great experience, as it provided insight into a real-life hostile network," says Karim Lalji, SANS.edu student and paper author. "Seeing so many compromised hosts continuing to call home several months after the seizure by law enforcement was a real eye opener, and hopefully the findings will help the information security community as a whole."
Additional Resources

Read the Internet Storm Center Diary post, "Cyberbunker 2.0: Analysis of the Remnants of a Bullet Proof Hosting Provider" by Karim Lalji.
View original content: http://www.prnewswire.com/news-releases/cyberbunker-malicious-activity-continues-months-after-police-raid-sans-technology-institutes-internet-storm-center-research-finds-301081938.html

SOURCE SANS Technology Institute