Taking the Red Pill Down the Rabbit Hole

I’ve been contemplating a title for this post for a long time, eventually I decided to merge two of my favorites (and leave the third alone: looking for the cuckoo’s egg). Basically, after a couple of weeks of almost nonstop work on a major research project (hence the relatively quiet blog), and some major news outbreak following this research (1, 2, 3, 4, 5, 6, 7, 8, 9, and more…), it’s time for a quick recap and a preview.

Recap: so, we saw that Neosploit was back, even after the group’s demise in July, we clearly saw that its activity has not subsided and that a build, dated August, is pretty much active and doing its rounds on the net (see older post). We didn’t just sit there trying to watch where the server would go next (which it did in fact – from Argentine to sunny Florida), but also had the chance to do some digging around it, and take a peek into one of the largest cybercrime operations uncovered in the wild, considering the fact that it is being run from a single server.

You are probably familiar with the numbers; over 200,000 credentials to servers around the world (mainly focused on western Europe and the US), tons of back-end applications that the criminals used to manage their operations, and even a brief encounter with a person logged on to the server… (for that, you’ll have to wait for our monthly threat report!).

As part of this activity, CERT has been working days and nights to help us contact all the affected parties. These guys are amazing! They’ve been sorting through the data and figuring out how to communicate securely with the 86 different countries affected is a major operation, (in addition to handling law enforcement communications in the US), so huge kudos to them (you know who I’m referring to NI…).

Nevertheless, we are talking about hundreds of thousands of compromised credentials – we never imagine these could all be contacted by law enforcement or the local CERTs and CSIRTs, so we have set up a page on our site where all you have to do is enter some basic contact info and the domain in your responsibility, and we’ll check to see if they have been compromised or not. Spam free, no commitments – just because we are nice 😉

The preview, well, the heaps of data that we managed to pull from the criminal server is going to make for quite an interesting read on our next monthly threat report, so stay tuned and watch our brand new AIRC homepage for updates! As I mentioned, backend applications and even a look through the peeping hole to see the attackers on the other side.

That’s it for this time, I’m off to get ready for my talk at BlueHat later this week (more info is also available here).

2 thoughts on “Taking the Red Pill Down the Rabbit Hole

Leave a Reply