The takedown of CyberBunker by German police last September was a blow to cyber criminals utilizing the organization's Dark Web bullet-proof web hosting services. During the raid, 200 servers along with 2 petabytes of data, cellphones and large quantities of cash allegedly used to host malicious websites, including phishing sites and darknet markets offering drugs, weapons, stolen data, hacking tools and the like were seized.
While dismantling CyberBunker’s infrastructure shut down many illicit websites, further analysis by Karim Lalji, a SANS Institute masters candidate and TELUS Cyber Security team member, revealed that large volumes of malicious traffic continues to circulate.
The organization may be gone but the traffic remains
As part of his work towards a masters degree in Information Security Engineering with the SANS Institute, Karim was able to access and analyze traffic from former CyberBunker IP address space, which was temporarily rerouted to a SANS honeypot for the purposes of research from April 16 to 28, 2020.
While Karim’s studies aimed to better understand how a criminal network service provider like CyberBunker operates, his analysis of 37 hours of randomized data samples collected from the honeypot also revealed extensive continued automated cybercrime activity related to:
encrypted traffic associated with malicious malware,
phishing sites designed to impersonate Royal Bank of Canada, Apple, PayPal, Chase Bank and others,
malicious ad networks used to advertise illicit content, and,
potential Denial of Service attacks.
"While this isn't anything new, it does astonish me how much activity is still going on almost nine months after the hosting facility was raided by law enforcement. The servers were literally taken off the property and ripped apart by forensic analysts, yet there's still so much traffic."
- Karim Lalji
Karim’s research provides us with a more nuanced understanding of the persistent threat and longevity of “dismantled” cybercrime infrastructure. If you would like to learn more, Karim’s complete research paper is available at the SANS Institute Reading Room.
What does this mean for you?
Given these findings, Karim strongly suggests organizations be thorough when buying an IP address space. Before using newly purchased IP addresses, take some time to investigate who owned them in the past. How?
Perform an IP blacklist check
This can help reveal if the IP has been reported for malicious activity in the past. Given the automated nature of some cyber crime infrastructure, compromised hosts may continue trying to communicate with the IP despite it having a new owner.
Analyze the traffic
Use a packet sniffer to capture and analyse the traffic communicating with the IP address. Signs of suspicious traffic activity are a red flag that the IP may have once been used for malicious activity.
Not sure where to start? TELUS Cyber Security is here to help. Whether you're concerned about your newly acquired IP space or are looking to better understand your current security posture, our team can help identify and address vulnerabilities before they impact your business.
To learn more about keeping your customers, employees and data secure, visit telus.com/cybersecurity.