'CyberBunker' Malicious Activity Continues Months After Police Raid, SANS Technology Institute's Internet Storm Center Research Finds

BETHESDA, Md., June 23, 2020 /PRNewswire/ -- SANS Technology Institute, a college known for its cutting-edge cybersecurity research, has been able to show that victims continue to reach out to IP address space used by threat actor "CyberBunker" months after the organization was taken down in a raid.

In the fall of 2019, German police raided a Cold War-era nuclear bunker that was being used by CyberBunker, an organization selling bullet-proof hosting services for various criminal activities. In April, 2020, The SANS Technology Institute's (SANS.edu) Internet Storm Center was able to obtain access to the IP address space used by CyberBunker, and over the course of two weeks, collected and analyzed traffic destined for addresses used by CyberBunker. As part of his work for a master's degree in Information Security Engineering with SANS.edu, student Karim Lalji analyzed the traffic and today publishes a new paper

Through his analysis, Karim Lalji identified several botnets and thousands of hosts infected with malware that continue to reach out to the now-defunct command and control servers that formerly were hosted by CyberBunker. In some cases, it was possible to identify encrypted command and control channels and link them to specific malware families.

"Thanks to the great collaboration that made access to the IP address space possible, and Karim's analysis of the large amounts of data, we gained insight into how a criminal network service provider operates and the breath of services offered by them," says Dr. Johannes Ullrich, SANS fellow and Dean of Research at the SANS Technology Institute. "Criminal enterprises today have their own supply chain with network providers like CyberBunker providing critical hosting services that are difficult to terminate."

The analysis additionally uncovered phishing sites still receiving traffic that attempted to impersonate the Royal Bank of Canada, Apple, and PayPal, among others. An ad network that was potentially used to place malicious ads on websites was found to continue to reach out to the CyberBunker address space to load ads.

"Working on this project was a great experience, as it provided insight into a real-life hostile network," says Karim Lalji, SANS.edu student and paper author. "Seeing so many compromised hosts continuing to call home several months after the seizure by law enforcement was a real eye opener, and hopefully the findings will help the information security community as a whole."

The CyberBunker address space covered about 2,300 IP addresses and received about 2 Mbit/sec inbound traffic. "Cyberbunker" was also known as "Zyztm" and "Calibour," and the individuals responsible are currently awaiting trial in Germany.

Additional Resources
Read the paper, "Real-Time Honeypot Forensic Investigation on a German Organized Crime Network," by Karim Lalji

Read the Internet Storm Center Diary post, "Cyberbunker 2.0: Analysis of the Remnants of a Bullet Proof Hosting Provider" by Karim Lalji

About the SANS Technology Institute
The SANS Technology Institute (SANS.edu) is a community of more than 1,000 graduate and undergraduate students who are gaining the cybersecurity skills and knowledge most needed by employers right now. For working professionals, the college offers a Master of Science in Information Security Engineering and job-specific graduate certificate programs in Cybersecurity Engineering, Cyber Defense Operations, Incident Response, Industrial Control Systems Security, and Penetration Testing & Ethical Hacking. Students in the master's degree program conduct cybersecurity research that contributes cutting-edge advancements to the field. The college's undergraduate certificate in Applied Cybersecurity provides foundational knowledge and skills for students who want to enter the field and career changers seeking to transition into cybersecurity roles. (https://www.sans.edu)

About SANS Institute
The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals at governments and commercial institutions world-wide. Renowned SANS instructors teach over 60 different courses at more than 200 live cyber security training events as well as online. GIAC, an affiliate of the SANS Institute, validates a practitioner's qualifications via over 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers career-focused graduate and undergraduate programs in cyber security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system--the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community. (https://www.sans.org)


View original content:http://www.prnewswire.com/news-releases/cyberbunker-malicious-activity-continues-months-after-police-raid-sans-technology-institutes-internet-storm-center-research-finds-301081938.html

SOURCE SANS Technology Institute

Posted In: Press ReleasesPolls & ResearchSurveys