NATO Bunker

In the fall of 2019, German police raided a Cold War-era nuclear bunker that was being used by CyberBunker, an organization selling “bullet-proof” hosting services for various criminal activities. Compromised victim hosts continue to reach out to the IP address space formerly used by CyberBunker months after the organization was taken down in the raid, according to the SANS Technology Institute, a cybersecurity research college.

In April 2020, the SANS Technology Institute’s (SANS.edu) Internet Storm Center obtained access to the IP address space used by CyberBunker and, over the course of two weeks, collected and analyzed traffic destined for addresses in that range. As part of his work for a master’s degree in Information Security Engineering with SANS.edu, student Karim Lalji analyzed the traffic and today publishes a new paper.

Through his analysis, Karim Lalji identified several botnets and thousands of malware-infected hosts that continue to reach out to the now-defunct command and control servers formerly hosted by CyberBunker. In some cases, it was possible to identify encrypted command and control channels and link them to specific malware families.

“Thanks to the great collaboration that made access to the IP address space possible, and Karim’s analysis of the large amounts of data, we gained insight into how a criminal network service provider operates and the breadth of services offered by them,” said Dr. Johannes Ullrich, SANS fellow and Dean of Research at the SANS Technology Institute. “Criminal enterprises today have their own supply chain with network providers like CyberBunker providing critical hosting services that are difficult to terminate.”

Phishing Sites

The analysis also uncovered phishing sites impersonating the Royal Bank of Canada, Apple, and PayPal, among others, that were still receiving visitor traffic. An ad network, potentially used to place malicious ads on websites, was likewise found to still be reaching out to the CyberBunker address space to load ads.

“Working on this project was a great experience, as it provided insight into a real-life hostile network,” said Karim Lalji, SANS.edu student and paper author. “Seeing so many compromised hosts continuing to call home several months after the seizure by law enforcement was a real eye opener, and hopefully the findings will help the information security community as a whole.”

The CyberBunker address space covered about 2,300 IP addresses and received about 2 Mbit/sec of inbound traffic. CyberBunker was also known as ‘Zyztm’ and ‘Calibour’, and the individuals responsible are currently awaiting trial in Germany.

To read the paper by Karim Lalji, visit: Real-Time Honeypot Forensic Investigation on a German Organized Crime Network.

Read more Cybersecurity news on HostingJournalist.com.