Submitted by Bananaramas t3_10ltvbx in news
Comments
JohnGillnitz t1_j5zdus8 wrote
Once malware gets onto a system it typically tries to contact a Command & Control (C&C) server for the attacker to really get in there and mess with things. The C&C server is usually hard-coded into the malware, so if you take that down all the infected hosts that try to connect to it will remain inert. Much of this takes place over Tor traffic, so one of the best things a Network Admin can do is block all Tor traffic. For some reason that isn't a default.
HamOfWisdom t1_j5zhk70 wrote
I remember reading a story about how a hacker who made a banking virus later ended up solving a massive ransomware attack by simply obtaining the domain and routing it back to oblivion, essentially.
Probably skimming over a lot but it was a pretty interesting story. I think the channel Disrupttv (or maybe just disrupt) was who posted it. Fun watch, I'll find a link once I'm not at work!
arnielsAdumbration t1_j5znkdw wrote
WE-NEED-MORE-CATS t1_j5zy0t4 wrote
Holy shit this article was an AMAZING read
ferrusmannusbannus t1_j63tnbn wrote
Damn, glad this kid didn’t get completely screwed. I remember those early hackforums days and people used to do wiiiiiiild shit on there.
Noocawe t1_j63yoso wrote
That's a great read, I had never even heard of this guy before. Thanks for sharing.
E_D_D_R_W t1_j5zxxv3 wrote
If the other commenter is correct and you're thinking about WannaCry, that's kind of the gist of it. The malware was hard-coded to only do its thing if it couldn't connect to a particular (previously unregistered) DNS domain. Thus registering that domain "triggered" the kill-switch and stopped any future infections of that version of WannaCry. Per Wikipedia, later versions didn't have that vulnerability.
L00pback t1_j606gpu wrote
Oh god I hated wannacry. Self-replicating shit was a pain in the ass because lab owners don’t patch shit.
pegothejerk t1_j5zib92 wrote
Those websites are rarely run on the servers the malware points to, you'd have to be too stupid to write malware to point the drones to the same servers your public face was presented on for exactly this reason. It's the first thing feds can legally and technically take down.
JohnGillnitz t1_j5zjy46 wrote
I would guess that is what they actually mean when they say web site. It's pretty easy to find what IP address or domain they are going to from an infected host. They just don't go into that much detail in the article. One would hope. If it is just a web site, you are right. Taking it down wouldn't stop the malware and would be more of a badge of honor for the attacker.
dakotahawkins t1_j61jzaq wrote
AFAIK network admins are probably MITM-ing https traffic. I’ve looked into doing it at my house because you’d have to in order to set up a network-wide adblocker, but businesses do it because reasons. If they can’t MITM tor or similar, they could still use their MITM system to block unrecognized encrypted traffic, probably.
justmy2loonies t1_j62ablr wrote
You don't have to MITM to adblock. DNS filtering isn't exactly MITM.
dakotahawkins t1_j65eub5 wrote
Sorry for the delayed response.
Sure, but it's nowhere near as thorough. Some ads are served by domains you probably wouldn't want to blacklist, and otherwise you may want to block specific page elements like your in-browser adblocker does (or should).
If you MITM your own traffic you can do that kind of matching to block individual requests. Does that make sense? I had a raspberry pi running pihole for quite a while and when something broke with it I just gave up on it as I didn't feel it was buying me that much.
wasdninja t1_j6021k7 wrote
> For some reason that isn't a default.
Tor exists for the sole reason of not being easy to block. That might just be a reason.
L00pback t1_j6064kf wrote
Everyone worries about ingress traffic rules and never egress. A good network admin controls both for just this reason.
JohnGillnitz t1_j60dkod wrote
Yup. One of my clients got hit a couple of years ago. Nasty. We had all the security boxes checked at the time, but it got in anyway. Encrypted everything, which was the bad news. The good news is that we could check the router logs and confirm that none of the data had been exfiltrated. All attempts were blocked because Tor was blocked.
That sucked, but we were able to recover everything from offline backups. Even the delta from them was recovered when a decryption tool became available a couple of months later. We didn't have to go out and get a credit monitoring service for the entire customer base, which would have bankrupted the place.
Stinkyclamjuice15 t1_j61z4rp wrote
Thank you for having a huge pair and working infosec, that shit seems really stressful king
Xivvx t1_j602sye wrote
If it isn't normal, it should be. I know everything is going all zero trust and all that, but the perimeter is still important.
xCryptoPandax t1_j62m2ik wrote
That’s highly inaccurate, idk why that’s gotten so many upvotes.
Most malware uses sketchy top-level domains, e.g. .xyz, .makeup, .me, etc., not to mention most ransomware gangs compromise legitimate sites and host malware on them in order to bypass new domain creation and add that level of legitimacy.
One indicator for a ransomware gang, which I think is actually this one, was official government sites of Texas after they themselves were victims of ransomware.
Source: I work Incident Response
JohnGillnitz t1_j62vyqs wrote
I'm not sure how what I said was any different from what you said. No matter if they use an IP address or domain, those C&C servers are still set at the time of deployment. One of the first things they do is phone home (or homes) and get an updated list of C&C servers. That still leaves them dependent on reaching a limited number of sites that can be shut down, effectively killing that variant of the malware.
Do you live in Corpus and drive a Tesla? We may have met.
Edit: The CISA notice with the deets: https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
itsthebeans t1_j5zynqv wrote
Do you really think the FBI is so clueless as to try to stop a ransomware gang by simply shutting down a web domain? Or do you think there might be more to the story than the headline suggests?
Click the link and read even the first sentence if you really want to know.
Supanini t1_j608j3p wrote
He's got top comment, his job's done here
OuidOuigi t1_j60ayou wrote
/r/topmindsofreddit material.
wizardbase t1_j60o7i2 wrote
>Wray said the FBI would continue to track the people behind Hive ransomware and try to arrest them. It was not immediately clear where those people were located. The Department of Health and Human Services has described Hive as a "possibly Russian speaking" group.
Should read the last sentence too, they didn't catch shit
DuckDuckJeeper t1_j68yalc wrote
Exactly. You don't "shut it down" until you've deployed your real assets...
Arithik t1_j5zk1tq wrote
Name? Rusty Shackleford.
JuiceColdman t1_j5zkgmw wrote
Pocket SAND
PGDW t1_j606c0j wrote
If it were just their popup webpage, okay. But it's not.
Typically when they seize a domain or ip or server, they are stopping the malware from functioning properly as most these days phone home, and in this case can hopefully provide some decryption keys back to some victims.
Manny-Both-Hanz t1_j5zi5qr wrote
Kriegmannn t1_j5zwgrh wrote
I don't get it
E_D_D_R_W t1_j5zyxxl wrote
The joke is that the servers with the CIA's public-facing webpage are almost certainly completely separate from their servers with the intel they collect or any other relevant info, i.e. gaining control of the former would get you no closer to the latter.
zakabog t1_j60bb2j wrote
Imagine someone got the password to your Facebook account. They have no access to your PC whatsoever. They didn't hack into your computer and they have no access to your files or banking information, they just have access to post things on your Facebook. Same thing here, the CIA public facing website is not on the CIA network, it's an external service.
tronpalmer t1_j60m6tp wrote
That's really not true. Especially for ransomware or botnets.
TzarKazm t1_j5zg5e8 wrote
But they would have to come up with an entirely new unique email name in order to be able to create a new website! Unless they use another hosting site.
DaveDeaborn1967 t1_j5z3ec8 wrote
I just watched the atty gen do a presentation on this. Great work. In the 19th century, the cavalry came to the rescue, now we have computer systems. Notice that the ransomware attacks involved hundreds of millions of dollars.
Ffffqqq t1_j5z9xw8 wrote
What does taking down a website actually accomplish?
AdventurousSquash t1_j5zbk7o wrote
Depends on what they actually did here and the details in the article are vague. Simply put; If they seized the domain name I’d consider it a minor inconvenience. If they seized the actual server hosting the website they could find artifacts on it that lead them to the perpetrator(s).
patrick66 t1_j5zrtx0 wrote
The court order lays out more of the details and basically the people running Hive were morons and had networking, C2, and database servers hosted in Los Angeles and the Netherlands where the FBI and other western law enforcement agencies could actually get physical access to clone the server data and then take control of them, so I suspect this will actually break the Hive network fairly considerably.
TLDR: if you do cybercrime don’t host your servers in the United States lol
DaveDeaborn1967 t1_j6013f5 wrote
What the DOJ wants to do is deny the bad guys resources and their platform for giving orders to their troops. Notice that the DOJ has the ability to unlock systems that have been locked by attackers. This denies the ransom demands.
aDrunkWithAgun t1_j5zef2l wrote
Depends on if they can link the site to an owner or them, if not nothing is stopping them from making a new one.
From what I'm tracking, ransomware is done outside the USA, so if it's a country that doesn't give a fuck like Russia or NK nothing will happen.
Klezmer_Mesmerizer t1_j5z687y wrote
Seized the website, but alas, didn't get any of the people. Still, very glad to see that something is being done to combat ransomware.
frodosdream t1_j5z75bq wrote
>Seized the website, but alas, didn't get any of the people.
Suddenly my imagination conjured up a ransomware operation run entirely by a rogue AI, with no humans involved. Maybe it needs funding for projects of its own, or perhaps a bitter AI specialist let a score of them loose on the world as a parting gift before death and this was only the first one detected. A premise for a film perhaps...
Mighty_Mackerel t1_j5z8kcj wrote
Wake up Frodo, you've been dreaming again.
frodosdream t1_j5z8ruo wrote
Sadly the closer we get to Mordor, the darker my dreams.
E_D_D_R_W t1_j600z0q wrote
Perhaps it would be like the Paperclip Problem except the AI's instruction is just "make as much money as possible".
Hyrum_Abiff t1_j5zzdet wrote
For some reason Russia doesn’t want to cooperate and arrest people bringing in hundreds of millions of dollars. The FBI has been great at helping Russia identify criminals that Russia can then squeeze for protection money…
kingtz t1_j5zaa7k wrote
I didn’t get any information about this in the article so here goes: what does it mean for the FBI to “seize” the website? It’s not like they were about to physically get a hold of any servers or hard drives, so what’s stopping Hive from just creating a new website?
OldSweatyGiraffe t1_j5zjdzb wrote
>FBI officials since July have had extraordinary access to the so-called Hive ransomware group’s computer networks, FBI Director Christopher Wray said at a news conference, allowing the bureau to pass computer “keys” to victims so that they could decrypt their systems and thwart $130 million in ransom payments.
They had access to more than just the website, the website is just the visual part so that is what is being reported, or so it seems.
2_Spicy_2_Impeach t1_j5zikkl wrote
Nothing. Modern ransomware has multiple methods to self-heal after a command and control server goes offline.
It's been a bit since I've delved super deep into it, but at one time most modern malware had a whole list of domains to use. There is an obfuscated/encrypted algorithm in the malware that will try a list of domains based on a set of criteria. It can be reversed though. There are other methods as well (DNS, proxies, etc.) but the previous one was popular at one time.
Details are vague here so it could be a static C&C but it’s probably not. Rival ransomware gangs will also attack infrastructure in an effort to push them out or render their attacks pointless. So they attempt to make their infrastructure resilient from both seizure and attack.
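The comment above describes the domain-list approach and notes that the algorithm can be reversed. As an added illustration (not code from the thread, the article, or Hive), here is a toy date-seeded domain generation scheme with a constructed seed, plus the defender's side of it: once the algorithm is known, the domains for the coming days can be precomputed into a blocklist and DNS logs checked against it.

```python
import hashlib
from datetime import date, timedelta

# Toy DGA, constructed for illustration only; not any real family's algorithm.
TLDS = ["xyz", "me", "top"]
CONSTRUCTED_SEED = b"constructed-seed"

def toy_dga(day: date, seed: bytes = CONSTRUCTED_SEED, count: int = 5) -> list:
    """Derive the day's candidate C&C domains deterministically from seed + date."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).hexdigest()
        # Map hex nibbles to lowercase letters so the label looks like a DGA label.
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:12])
        tld = TLDS[int(digest[-1], 16) % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains

def precompute_blocklist(start: date, days: int) -> set:
    """Defender side: knowing the algorithm, enumerate every domain for a window
    of days so they can be blocked or sinkholed before the malware asks for them."""
    block = set()
    for offset in range(days):
        block.update(toy_dga(start + timedelta(days=offset)))
    return block

def flag_dns_queries(log_lines: list, blocklist: set) -> list:
    """Return (client_ip, qname) for every query that hits a precomputed domain.
    Constructed log format: '<timestamp> <client_ip> query <qname>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "query":
            continue  # ignore lines that are not in the expected format
        qname = parts[3].lower().rstrip(".")
        if qname in blocklist:
            hits.append((parts[1], qname))
    return hits

# Constructed sample: one infected host querying a generated domain, one benign query.
SAMPLE_DAY = date(2023, 1, 26)
SAMPLE_LOG = [
    f"2023-01-26T10:00:01 10.0.0.5 query {toy_dga(SAMPLE_DAY)[2]}",
    "2023-01-26T10:00:02 10.0.0.7 query www.example.com",
]

if __name__ == "__main__":
    window = precompute_blocklist(SAMPLE_DAY, 7)
    print(flag_dns_queries(SAMPLE_LOG, window))
```

The point for defenders is the determinism: the same seed and date always yield the same list, so reversing the algorithm turns an unpredictable rendezvous into a fixed set of names that can be registered, sinkholed or blocked ahead of time.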
BellyScratchFTW t1_j5zddv6 wrote
Finally some news that everyone can agree is a step in the right direction! Now let's get the actual people involved too.
THIRSTYGNOMES t1_j60rit3 wrote
Excited for the future Darkness Diaries episode
TwoFrontHitters t1_j61cf30 wrote
For those who've been hit with ransomware, we have some dark ideas about what we'd like to see happen to the perps.
Minezenroll t1_j62habt wrote
It is similar to seizing the business cards of a criminal when a website is taken down.
Boopy7 t1_j60gwon wrote
I've been following stuff like this more than ever, tech-fascism is truly terrifying. Entire countries have been taken over and attacked with so few seeming to care. I can't read about it too late at night bc when you know how tenuous our security is, how dependent everything is on technology...well I can't fall asleep. I mean this is pretty much how we have been at war with Russia and their allies, how our own gov't no longer is faithful to America. Talk about insecure borders, forget it -- there are none with technology.
oceanicfeels t1_j630fmp wrote
Try reading about the human body.
Life is delicately precarious, my friend. Everything is interconnected in a vast web of causative links.
Boopy7 t1_j64lmkt wrote
Somehow I'm not as scared about the human body, and yeah, I do love reading about it. Even its weird mistakes I find fascinating, although it's true it could be terrifying if you let it get to you. No -- the human body is not malevolent towards its owner. It just exists and functions until it doesn't, but there is no true ill intent or planning in it.
xeq937 t1_j5ziiqh wrote
Okay but ransomware/malware generally has a list of servers, and will simply move on to the next server.
geebob2020 t1_j5zelfu wrote
Seized? Or is this like letting a Trojan Horse into the Federal government’s server farm.
TurnkeyLurker t1_j60z693 wrote
Domain seizure? Or physical server seizure (hence, the horse)?
stonkcell t1_j5zbji2 wrote
That'll stop them, for sure. For all we know, it could be NSA-CIA agents running the gang.
JohnPlayerSpecia1 t1_j5zar0h wrote
Website seizure is like confiscating the business cards of a criminal.