Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


12:40 PM

Cybercrime Infrastructure Never Really Dies

Despite the takedown of the "CyberBunker" threat operators in 2019, command-and-control traffic continues to report back to the defunct network address space.

Nine months after German police raided a Cold War-era bunker and shut down the group operating the cybercriminal service, command-and-control (C2) traffic and other network data continue to attempt to use the Internet address space assigned to the group, according to an analysis published by the SANS Technology Institute on Tuesday.

The analysis, part of a master's thesis, found that many telltale signs of the cybercrime operation continued to trickle in through the Internet. Much of the traffic appears to be related to potential botnet C2 servers, which could have been hosted at the operation but also includes phishing activity, pornographic content, advertising fraud, and potential signs of denial-of-service attack operations.

The analysis shows that automate cybercriminal infrastructure will continue to produce traffic and could provide defenders with information on computers infected with botnet clients and other compromised hosts, says Karim Lalji, a managing security consultant at Canadian telecommunications firm TELUS and author of the report.

"While this isn't anything new, it does astonish me how much activity is still going on almost nine months after the hosting facility was raided by law enforcement," Lalji says. "The servers were literally taken off the property and ripped apart by forensic analysts, yet there's still so much traffic."

The analysis yields interesting insight into the scale of operations of a well-known cybercriminal operation. A significant number of cybercriminal operations that used the CyberBunker services appear to have left behind their automated infrastructure, and that — despite being closed down the prior year — many continue to reach out to the shuttered service.

"One thing we tried to keep in mind is that the networks haven't been 'active' in several months, so while attempts to uncover drug market activity, stolen goods, and illicit content yielded few results, they were very likely there at some point," Lalji says. "The data also had to be sampled due to the sheer size."

The CyberBunker operated in Germany is the second such facility raided by police. In 2013, the first CyberBunker — based in Amsterdam and operated by some of the same people — was shut down by police, following extended distributed denial-of-service attacks against anti-spam coalition SpamHaus. 

The facility shut down in 2019, dubbed "CyberBunker 2.0" by the group operating the service, was based on three-acre property in the German town of Traben-Trarbach. In a massive operation, more than 650 federal police officers, including a tactical unit, raided the property in September 2019, reportedly seizing 200 servers, a variety of other technology, and cash. Seven people were arrested, and warrants were issued for another six people. The raid resulted in the shutdown of several dark-market sites, including major sellers of drugs and narcotics.

SANS gained access to the three subnets after the owner of the network sold them a hosting provider, which allowed SANS to capture traffic for analysis.

The analysis filtered out the typical "background noise" that any server connected to the Internet might encounter, including brute-force attacks, vulnerability scans, and searches for open ports. The SANS honeypot system used a network sniffer, instances of Apache web servers and FTP servers, and a firewall. 

Lalji warned that only some signs of illegal activity could be captured and that it would be difficult to come to firm conclusions as to what had been hosted on the network.

"Analyzing these requests provides strong indications about network activity but does not necessarily yield conclusive results," Lalji wrote in the report. "Additionally, the adversary group's arrests took place six months before this analysis, increasing the likelihood of a reduction in active illegal traffic in the period leading up to this examination."

One interesting finding, however, is the outsized role that sources in Brazil apparently had as customers of CyberBunker. The analysis showed that Brazil is a top source and destination of packets received by the SANS honeypot. While the volume of network data coming from Brazil put the country at the top of the list, much of the data was produced by a few large sources, Lalji says.

"While there is likely a much bigger variety, a few of the IP top talkers that have geodata associated with Brazilian IPs are associated with DNS," Lalji says. 

Other interesting aspects of the analysis include that at least one botnet using the service appeared to hide C2 traffic in Internet Relay Chat traffic passed over the Web (port 80). SANS detected traffic from more than 7,000 unique source addresses. The traffic included as part of the requests almost 2,000 computer names, the report stated.

"This type of traffic pattern is generally too precise to be human-generated," Lalji stated in the analysis. "Based on the behavior of this traffic, it is highly likely to be a result of an IRC botnet, which has traditionally been a popular technique used by adversaries."

Related Content:

Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register for this On-Demand event. 

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-10
A cross-site scripting (XSS) vulnerability in the Credential Manager component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.
PUBLISHED: 2020-08-10
An SQL injection vulnerability in the Assets component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
PUBLISHED: 2020-08-10
An SQL injection vulnerability in the Analytics component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
PUBLISHED: 2020-08-10
A cross-site scripting (XSS) vulnerability in the Permissions component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.
PUBLISHED: 2020-08-10
In MyBB before version 1.8.24, the custom MyCode (BBCode) for the visual editor doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. The weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Mes...