Police shut down the biggest DDoS-for-hire service (webstresser.org) and arrested its administrators

The European police have shut down webstresser.org, the world’s biggest DDoS-for-hire service, that allowed crooks to launch over 4 million attacks.

An international operation conducted by European law enforcement agencies, led by the UK’s National Crime Agency (NCA) and the Dutch Police with the help of Europol, has taken down the world’s biggest DDoS-for-hire service.

The operation, dubbed Power Off, shut down the biggest DDoS-for-hire service (webstresser.org) and led to the arrest of its administrators; according to the investigators, the platform was involved in over 4 million attacks.

The police arrested 6 members of the crime group behind the webstresser.org website in Scotland, Croatia, Canada, and Serbia on Tuesday.

The Europol confirmed that Webstresser.org had 136,000 registered users and was used to target online services from banks, government institutions, police forces and the gaming world.

“The administrators of the DDoS marketplace webstresser.org were arrested on 24 April 2018 as a result of Operation Power Off, a complex investigation led by the Dutch Police and the UK’s National Crime Agency with the support of Europol and a dozen law enforcement agencies from around the world.” reads the press release published by the Europol. 

“Webstresser.org was considered the world’s biggest marketplace to hire Distributed Denial of Service (DDoS) services, with over 136 000 registered users and 4 million attacks measured by April 2018.”

A DDoS-for-hire service allows criminals without specific technical skills to launch powerful cyber attacks by renting the service.

“Stressed websites make powerful weapons in the hands of cybercriminals,” said Jaap van Oss, Dutch chairman of the Joint Cybercrime Action Taskforce.

“International law enforcement will not tolerate these illegal services and will continue to pursue its admins and users,”

The service was shuttered and the police seized the hacking platform. Europol announced that “further measures” were also taken against the top users in the above four countries, as well as in Italy, Australia, Hong Kong and Spain.

Registered users of Webstresser.org could access the DDoS-for-hire service for an entry fee of €15 per month.

“We have a trend where the sophistication of certain professional hackers to provide resources is allowing individuals – and not just experienced ones – to conduct DDoS attacks and other kind of malicious activities online”, said Steven Wilson, Head of Europol’s European Cybercrime Centre (EC3). “It’s a growing problem, and one we take very seriously. Criminals are very good at collaborating, victimising millions of users in a moment from anywhere in the world. We need to collaborate as good as them with our international partners to turn the table on these criminals and shut down their malicious cyberattacks.”

Abusing legitimate booter services or using a DDoS-for-hire service is a crime; Europol remarked that penalties can be severe.

“DDoS attacks are illegal. Many IT enthusiasts get involved in seemingly low-level fringe cybercrime activities, unaware of the consequences that such crimes carry. The penalties can be severe: if you conduct a DDoS attack, or make, supply or obtain stresser or booter services, you could receive a prison sentence, a fine or both.” concluded the Europol.

Orangeworm cyber espionage group targets healthcare organizations worldwide

Symantec researchers have monitored the activity of a cyber espionage group tracked as Orangeworm that targets organizations in the healthcare sector.

Security experts at Symantec have published a report on the activity of a cyber espionage group tracked as Orangeworm that targets healthcare organizations.

“Symantec has identified a previously unknown group called Orangeworm that has been observed installing a custom backdoor called Trojan.Kwampirs within large international corporations that operate within the healthcare sector in the United States, Europe, and Asia.” states the report published by Symantec.

“First identified in January 2015, Orangeworm has also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach their intended victims.”

Orangeworm was first spotted in January 2015. It appears to be focused on the healthcare industry: 40% of the targets belong to this industry.


Experts spotted spam campaigns delivering XTRAT and DUNIHI backdoors bundled with the Adwind RAT

Security experts at Trend Micro have spotted spam campaigns delivering XTRAT and DUNIHI Backdoors and Loki malware bundled with the Adwind RAT.

Malware researchers at Trend Micro have uncovered a spam campaign that delivers the infamous Adwind RAT (aka jRAT) alongside the XTRAT backdoor (aka XtremeRAT) and the Loki info stealer. In a separate Adwind RAT spam campaign, the researchers observed the use of a VBScript backdoor tracked as DUNIHI.

Both campaigns abuse the legitimate free dynamic DNS server hopto[.]org.

“Notably, cybercriminals behind the Adwind-XTRAT-Loki and Adwind-DUNIHI bundles abuse the legitimate free dynamic DNS server hopto[.]org.” reads the analysis published by Trend Micro. “The delivery of different sets of backdoors is believed to be a ploy used to increase the chances of system infection: If one malware gets detected, the other malware could attempt to finish the job.”

The experts detected 5,535 unique infections of Adwind between January 1 and April 17, most of them in the US, Japan, Australia, Italy, Taiwan, Germany, and the U.K.

The crooks behind the Adwind, XTRAT, and Loki bundle used a weaponized RTF document that triggers the CVE-2017-11882 vulnerability to deliver it.

[Figure: the attack chain]

“The dropped files are effective RATs with multiple backdoor capabilities, anti-VM, anti-AV, and are highly configurable. Notably, Adwind and XTRAT connect to the same C&C server: junpio70[.]hopto[.]org.” continues the analysis.

Adwind is a cross-platform Java backdoor that has been observed in the wild since 2013. XTRAT shares similar capabilities with Adwind; it also implements features to control both the device camera and microphone.

Loki is a password and cryptocurrency wallet stealer well known in the cybercrime ecosystem.

The experts also observed Adwind bundled with the DUNIHI backdoor: the attackers used a JAR dropper, delivered via spam mail, that ships a VBS dropper. The VBS dropper downloads and executes both DUNIHI and Adwind.

DUNIHI connects to pm2bitcoin[.]com:62103, while the Adwind/jRAT variant contacts badnulls[.]hopto[.]org:3011.
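The indicators quoted above can be turned into a simple outbound-connection check. The following is an added example, not code from Trend Micro or the original article; the proxy log format, client addresses and sample lines are constructed for illustration.

```python
import re

# Indicators exactly as the article quotes them (defanged).
PAGE_C2 = ["junpio70[.]hopto[.]org", "pm2bitcoin[.]com:62103",
           "badnulls[.]hopto[.]org:3011"]
DYNDNS_ZONES = ["hopto[.]org"]  # dynamic DNS zone named in the article

def norm(host):
    return host.lower().rstrip(".")  # DNS names are case-insensitive; drop root dot

def refang(ioc):
    """'host[.]tld:port' -> ('host.tld', port or None)."""
    host, _, port = ioc.replace("[.]", ".").partition(":")
    return norm(host), int(port) if port else None

C2 = dict(refang(i) for i in PAGE_C2)
ZONES = [refang(z)[0] for z in DYNDNS_ZONES]

def classify(host, port):
    """Label one outbound connection: known-c2, known-c2-host, dyndns or None."""
    host = norm(host)
    if host in C2:
        listed = C2[host]
        return "known-c2" if listed in (None, port) else "known-c2-host"
    # Match on label boundaries so 'nothopto.org' and 'hopto.org.example.net' pass.
    if any(host == z or host.endswith("." + z) for z in ZONES):
        return "dyndns"
    return None

# Hypothetical proxy log format: timestamp, client IP, CONNECT host:port.
LINE = re.compile(r"^\S+ (?P<src>\S+) CONNECT (?P<host>[^\s:]+):(?P<port>\d+)$")

def scan(lines):
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if m and (label := classify(m["host"], int(m["port"]))):
            hits.append((m["src"], norm(m["host"]), int(m["port"]), label))
    return hits

SAMPLE = """\
2018-04-20T09:01:02Z 10.0.0.5 CONNECT www.example.com:443
2018-04-20T09:01:07Z 10.0.0.8 CONNECT BADNULLS.hopto.org.:3011
2018-04-20T09:02:11Z 10.0.0.9 CONNECT pm2bitcoin.com:443
2018-04-20T09:02:40Z 10.0.0.9 CONNECT nothopto.org:443
2018-04-20T09:03:05Z 10.0.0.7 CONNECT other.hopto.org:8080
2018-04-20T09:03:30Z 10.0.0.7 CONNECT hopto.org.example.net:443
""".splitlines()  # constructed sample, not real traffic

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A `dyndns` hit is only a lead for review, since hopto[.]org is a legitimate service that the campaigns abuse.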

Experts suggest a multilayered approach to security when dealing with a cross-platform threat like Adwind.

“IT administrators should regularly keep networks and systems patched and updated.”

“Both variants of Adwind arrive via email, so it is imperative to secure the email gateway to mitigate threats that abuse email as an entry point to the system and network.” concluded Trend Micro.

“Businesses should commit to training employees, review company policies, and develop good security habits.” 

Law enforcement arrested the head of the Carbanak gang that stole 1 billion from banks

The head of the crime ring behind the Carbanak gang that since 2013 targeted banks worldwide has been arrested in Spain.

The mastermind suspected of stealing about £870m (€1bn) in a bank cyber heist has been arrested in Spain.

The man is suspected to be the kingpin of the crime ring behind the Carbanak gang, which since 2013 has targeted banks worldwide with the malware of the same name and the Cobalt malicious code.

“The leader of the crime gang behind the Carbanak and Cobalt malware attacks targeting over a 100 financial institutions worldwide has been arrested in Alicante, Spain, after a complex investigation conducted by the Spanish National Police, with the support of Europol, the US FBI, the Romanian, Belarussian and Taiwanese authorities and private cyber security companies.” reads the official announcement from the Europol. “Since 2013, the cybercrime gang have attempted to attack banks, e-payment systems and financial institutions using pieces of malware they designed, known as Carbanak and Cobalt. The criminal operation has struck banks in more than 40 countries and has resulted in cumulative losses of over EUR 1 billion for the financial industry. The magnitude of the losses is significant: the Cobalt malware alone allowed criminals to steal up to EUR 10 million per heist.”

The operation that led to the arrest of the head of the gang was conducted by Europol and the FBI, along with cyber-security firms and law enforcement agencies in Spain, Romania, Belarus and Taiwan.

In early 2016, the Carbanak gang targeted banks and financial institutions, mainly in the US and the Middle East. The Carbanak gang was first discovered by Kaspersky Lab in 2015. The group has stolen around 1 billion from 100 financial institutions.

In November 2016, experts at Trustwave uncovered a new campaign launched by the group targeting organizations in the hospitality sector.

In January 2017, the Carbanak gang started using Google services for command and control (C&C) communication.

The arrest was the result of one of the most important investigations conducted by the European authorities.

“This global operation is a significant success for international police cooperation against a top level cybercriminal organisation. The arrest of the key figure in this crime group illustrates that cybercriminals can no longer hide behind perceived international anonymity.” said Steven Wilson, Head of Europol’s European Cybercrime Centre (EC3). “This is another example where the close cooperation between law enforcement agencies on a worldwide scale and trusted private sector partners is having a major impact on top level cybercriminality.”

What is the Carbanak modus operandi?

The infection started with a classic spear phishing attack that allowed the Carbanak cybergang to compromise banks’ computer systems. The malicious emails included a link that, once clicked, triggered the download of the malware.

The malicious code was used by the hackers of the Carbanak cybergang to gather information on the targeted bank, for example, to find employees who were in charge of cash transfer systems or ATMs. In a second phase of the attacks, the hackers installed a remote access tool (RAT) to control the machines of those employees. With this tactic the Carbanak cybergang collected images of victims’ screens and studied their daily activity in the bank. At this point, the hackers were able to remotely control the ATMs to dispense money or transfer money to fake accounts.

“The bank’s internal computers, used by employees who process daily transfers and conduct bookkeeping, had been penetrated by malware that allowed cybercriminals to record their every move. The malicious software lurked for months, sending back video feeds and images that told a criminal group — including Russians, Chinese and Europeans — how the bank conducted its daily routines, according to the investigators.

Then the group impersonated bank officers, not only turning on various cash machines, but also transferring millions of dollars from banks in Russia, Japan, Switzerland, the United States and the Netherlands into dummy accounts set up in other countries.” reported the New York Times.