Two strikes by FBI: multiple botnets disrupted in anti-fraud op; two indicted for £24m Iranian SamSam ransomware campaign

News by Tony Morbin

FBI successes: Botnet manipulating 1.7 million IPs in US and Europe taken down, and separately two Iranians indicted in US for SamSam ransomware extortion against US and Canadian victims.

An advertising fraud ring that used a 700,000 desktop botnet in the US and Europe to generate some £24 million in fraudulent ad revenue through bogus traffic has been taken down by the FBI.

Meanwhile, a US federal grand jury in Newark, New Jersey indicted two Iranian nationals, Mohammad Mehdi Shah Mansouri and Farmarz Shahi Savandi for a 34 month long hacking and extortion scheme run from Iran using SamSam ransomware which they wrote. It is alleged that since December 2015 to pair encrypted the data on some 200 victims - such as municipalities and hospitals in the US and Canada, causing them £24 million of damage, while gaining almost £5 million in extorted Bitcoin.

US assistant attorney general Brian A Benczkowski described the indictment as the first of its kind, calling the accused 21st century digital blackmailers. Executive assistant director Amy S Hess of the FBI added, "This indictment demonstrates the FBI’s continuous commitment to unmasking malicious actors behind the world’s most egregious cyber-attacks." The attacks, the most recent of which was 25 September 2018, crippled the businesses of their victims, as the attackers intended.

Commenting on the development, Kimberly Goody, manager, cyber crime analysis at FireEye emailed SC Media UK to say:  "FireEye has tracked SamSam activity dating back to late 2015, impacting organisations across multiple industry verticals. Notably, the indictment highlights numerous healthcare and government organisations that have been targeted. It is possible that the operators chose to target these organisations since they provide critical services and believed their likelihood of paying was higher as a result.

One of the starkest deviations between SamSam operations and traditional ransomware is the departure from more traditional infection vectors. While indiscriminate targeting is still heavily relied on by other actors likely to bolster operational scalability, there has been an increasing number of threat actors actively engaged in, more "targeted" attacks in which ransomware is deployed post-compromise. In our SamSam investigations, we observed activity consistent with that noted in the indictment including the exploitation of external servers as well as updates to their initial infection vectors over time. Deploying ransomware post-compromise also allows attackers the ability to better understand victim environments and to both deploy ransomware payloads more broadly and to identified high value systems – putting additional pressure on organisations to pay.

"It is also important to note that while the actors named in the indictment are associated with the SamSam ransomware, this may just be their most lucrative operation. We have some evidence to suggest that they were investigating the possibility of stealing card payment data, and we have also seen the deployment of cryptocurrency miners in victim environments.

"The impact that these indictments will have is unclear since the individuals are purportedly located in Iran and remain at large. "

Dmitri Alperovitch, CTO at CrowdStrike also emailed SC on the issue and add: "One of the most important steps taken towards achieving effective cyber-deterrence is the attribution of cyber-attacks and holding the perpetrators accountable, as we witnessed today by the announcement of the US Department of Justice, indicting the perpetrators of SamSam ransomware.

"CrowdStrike researchers have been tracking Iranian hacking groups for the past decade and have reported on the continued growth in the sophistication of their tradecraft, leveraging cyber capabilities for conducting disruptive attacks, cyber-recognisance and espionage, and criminal activity against financial sector targets. We applaud the US government for bringing forward indictments for many of the attributed attacks, including intrusions and theft of Intellectual property from US think tanks and universities, the DDoS attacks against the financial sector, and the critical infrastructure attack of the Bowman Avenue dam."

In the second operation, an FBI-led takedown has disrupted a massive, multiyear scam that saw cyber-criminals use botnets to manipulate internet traffic from 1.7 million IP addresses and generate nearly US$ 30 million in fraudulent ad revenue.

The advertising fraud ring, dubbed "3ve" in an advisory published by US-CERT, built two different botnets by spreading Kovter and Boaxxe malware to individuals through spam emails and drive-by downloads.

The takedown entailed the FBI searching 89 servers and sinkholing 31 domains to disrupt the botnets, as well as seizing bank accounts connected with the group, resulting in multiple charges against eight individuals.

Sean Sullivan. security advisor, F-Secure, which supported the takedown operation by providing threat intelligence on parts of 3ve’s malware campaigns and botnets, told SC Media UK: "There were two types of ad fraud committed using multiple botnets - but the overall operation was known as 3ve (pronounce EVE). The first involved using servers in Texas to spoof popular websites and getting bids on those sites and IPS from compromised machines. The other scam compromised PCs that people used, and driving them to the site (with the advert) to fake their traffic. So they were both buying and selling, driving traffic."

Sullivan explained that F-Secure had been detecting the malware and was aware of the botnets and how they spread, usually via different variants dropped as spam. Through contacts in law enforcement, the FBI reached out to them and it was able to look at its customers in the wild to use its unique telemetry and get confirmation about the nature of the malware.

In an email to SC Media UK Paivi Tynninen, F-Secure researcher commented: "3ve blasts out failed delivery notification spam, which is a common attack vector these days. Users open an attachment or click a link and end up infected with Kovter, Boaxxe or even both." She adds:"3ve also uses malvertising that redirects users to fake software updates and tricks victims into installing Kovter, which is a fairly popular social engineering tactic."

3ve used the Boaxxe botnet as a proxy for fraudulent ad requests sent from their own data centre in Germany. The Kovter botnet was a network of infected PCs that ran a hidden browser from users, which 3ve used to discreetly direct traffic toward their ads.

A 2016 report from the World Federation of Advertisers projected that ad fraud revenues could balloon to anywhere between US$ 50 to US$ 150 billion dollars per year by 2025.***

Sullivan noted that while the takedown successfully disrupted 3ve’s operations, the persistent nature of today’s botnets makes it difficult to say for certain whether or not 3ve is gone for good.

"Most modern botnets have pretty sophisticated backends that are extremely resistant to takedown attempts. Infected PCs can be used to begin rebuilding, so it’s really important that individuals check their PCs and remove the malware if they discover an infection," said Sullivan.

He added even five or six years ago you could take down a server and decapitate a botnet. "Now there are nodes and super nodes - there were 89 servers. It’s a lot more involved and took months of coordination, multiple schemes involved, resulting in eight criminal indictments, and three arrests around the world. After taking out the command and control nodes, Google reports that traffic dropped to near nothing."

The ShadowServer foundation sinkholed the botnets to take their traffic and show the IPs used by the botnets and then redirect them to get removal tools.

Such takedowns are becoming less frequent, as botnets have evolved and take months to take-down or event impact, and Windows 10 is harder to compromise, so as older machines get replaced, Sullivan says: "We are in a better place and desktop based botnets are becoming more rare as systems are better - but - we will see other botnets evolve (such as) an IOT botnet, just routing the traffic to disguise its source. But ultimately I we think we are going to win."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews