Dutch cybercops tracked a crypto theft to one of the world’s worst botnets
After years of hacking servers to swindle millions of dollars, the notorious Ebury malware gang had slipped into the shadows by 2021. Suddenly, they reemerged with a bang.
The new evidence surfaced during a police investigation in the Netherlands. A cryptocurrency theft had been reported to the Dutch National High Tech Crime Unit (NHTCU). On the victim’s server, the cybercops found a familiar foe: Ebury.
The discovery revealed a new target for the botnet. Ebury had diversified to stealing Bitcoin wallets and credit card details.
The NHTCU sought assistance from ESET, a Slovakian cybersecurity firm. The request reopened a case that Marc-Etienne Léveillé has investigated for over a decade.
Back in 2014, the ESET researcher had co-authored a white paper on the botnet operations. He called Ebury the “most sophisticated Linux backdoor ever seen” by his team.
Cybercriminals use Ebury as a powerful backdoor and credential stealer. After entering a server, the botnet can also deploy further malware, redirect web visitors to fraudulent ads, and run proxy traffic to send spam. According to US officials, the operation fraudulently generated millions of dollars in revenue.
“It’s very well done and they’ve been able to stay under the radar for so many years,” Léveillé tells TNW.
A year after ESET’s original paper was published, an alleged Ebury operator was arrested in Finland. His name was Maxim Senakh. The Finnish authorities then extradited the Russian citizen to the US.
The 41-year-old eventually pleaded guilty to a reduced set of computer fraud charges. In 2017, he was sentenced to nearly four years in prison.
In a press release, the US Justice Department said Ebury had infected “tens of thousands” of servers across the world. Yet that was just a fraction of the total.
Hello ESET honeypot
While Senakh’s trial progressed, ESET’s researchers ran honeypots to track Ebury’s next moves. They discovered that the botnet was still expanding and receiving updates. But their detective work didn’t stay concealed for long.
“It was getting more and more difficult to make the honeypots undetectable,” Léveillé says. “They had a lot of techniques to see them.”
One honeypot reacted strangely when Ebury was installed. The botnet’s operators then abandoned the server. They also sent a message to their adversaries: “Hello ESET honeypot!”
As the case went cold, another one was developing in the Netherlands.
By late 2021, the NHTCU had created another lead for ESET. Working together, the cybercrime unit and cybersecurity firm investigated Ebury’s evolution.
“The botnet had grown,” Léveillé says. “There were new victims and even larger incidents.”
ESET now estimates that Ebury has compromised about 400,000 servers since 2009. In a single incident last year, 70,000 servers from one hosting provider were infected by the malware. As of late 2023, over 100,000 servers from one hosting provider were still compromised.
Some of these servers were used for credit card and cryptocurrency heists.
The botnet comes for Bitcoin
To steal cryptocurrency, Ebury deployed adversary-in-the-middle (AitM) attacks, a sophisticated phishing technique used to capture login credentials and session information.
By applying AitM, the botnet intercepted network traffic from interesting targets inside data centres. The traffic was then redirected to a server that captured the credentials.
The hackers also leveraged servers that Ebury had previously infected. When these servers sit in the same network segment as the new target, they provide a platform for spoofing.
Among the lucrative targets were Bitcoin and Ethereum nodes. Once the victim entered their password, Ebury automatically stole cryptocurrency wallets hosted on the server.
The AitM attacks provided a powerful new method of quickly monetising the botnet.
“Cryptocurrency theft was not something that we’d ever seen them do before,” Léveillé says.
The Dutch investigation continues
The variety of Ebury victims has also grown. They now span universities, small businesses, large enterprises, and cryptocurrency traders. They also include internet service providers, Tor exit nodes, shared hosting providers, and dedicated server providers.
To conceal their crimes, Ebury operators often use stolen identities to rent server infrastructure and conduct their attacks. These techniques send investigators in the wrong direction.
“They’re really good at blurring the attribution,” Léveillé says.
The NHTCU found further evidence of the obfuscation. In a new ESET white paper, the Dutch crimefighters highlighted several anonymisation techniques.
Ebury’s digital footprints often proved to be faked, the NHTCU said. The tracks frequently led to (seemingly) innocent people.
Operators also used the monikers and credentials of known cybercriminals to shake investigators off the trail. On one seized backup server, the NHTCU found a full copy of an illicit website with logins harvested by other crooks.
“Hence the Ebury group does not only benefit from the theft of the already stolen login credentials, but is also in a position to use the credentials of the cybercriminals stealing them,” the Dutch police unit said.
“Consequently, they can create a ‘cybercriminal cover’ pointing in other directions than themselves.”
Despite these red herrings, the NHTCU says “several promising digital identities” are being actively pursued. Léveillé, meanwhile, is taking another break from his 10-year investigation.
“It’s not closed, but I’m not sure about any individuals behind it,” he says. “That’s still an unknown — for me at least.”