  1. #1
    JohnDoe2 (Senior Member)

    Joint Cyber Operation Takes Down Avalanche Criminal Network

    December 5, 2016

    Servers Enabled Nefarious Activity Worldwide



    It was a highly secure infrastructure of servers that allegedly offered cyber criminals an unfettered platform from which to conduct malware campaigns and “money mule” money laundering schemes, targeting victims in the U.S. and around the world.

    But the Avalanche network, which was specifically designed to thwart detection by law enforcement, turned out to be not so impenetrable after all. And late last week, the FBI took part in a successful multi-national operation to dismantle Avalanche, alongside our law enforcement partners representing 40 countries and with the cooperation of private sector partners. The investigation involved arrests and searches in four countries, the seizing of servers, and the unprecedented effort to sinkhole more than 800,000 malicious domains associated with the network.


    It’s estimated that Avalanche was responsible for as many as 500,000 malware-infected computers worldwide on a daily basis and dollar losses at least in the hundreds of millions as a result of that malware.


    “Cyber criminals can victimize millions of users in a moment from anywhere in the world,” according to Scott Smith, assistant director of the FBI’s Cyber Division. “This takedown highlights the importance of collaborating with our international law enforcement partners against this evolution of organized crime in the virtual.”


    The investigation into the highly sophisticated Avalanche network, initiated four years ago by German law enforcement authorities and prosecutors, uncovered numerous phishing and spam campaigns that resulted in malware being unwittingly downloaded onto thousands of computers internationally after their users opened bad links in e-mails or downloaded malicious attachments. Once the malware was installed, online banking passwords and other sensitive information were stolen from victims’ computers and redirected through the intricate network of Avalanche servers to back-end servers controlled by the cyber criminals, who wasted no time in using this information to help themselves to other people’s money.

    One type of malware distributed by Avalanche was ransomware, which encrypted victims’ computer files until the victim paid a ransom to the criminal perpetrator. Other types of malware stole victims' sensitive banking credentials, which were used to initiate fraudulent wire transfers. And in terms of the money laundering schemes, highly organized networks of money mules purchased goods with the stolen funds, enabling the cyber criminals to launder the illicit proceeds of their malware attacks.


    How did these cyber criminals hear about the Avalanche network in the first place? Access to the network was advertised through postings—similar to advertisements—on exclusive underground online criminal forums.

    Because most cyber schemes cross national borders, an international law enforcement response is absolutely critical to identifying not just the technical infrastructure that facilitates these crimes, but also the administrators who run the networks and the cyber criminals who use these networks to carry out their crimes.

    The FBI—with its domestic and international partners—will continue to target the most egregious cyber criminals and syndicates. But U.S. businesses, other organizations, and the general public need to do their part by protecting their computers and networks from malware and other insidious cyber threats. Don’t click on links embedded inside e-mails. Don’t open e-mail attachments without verifying who they’re from. Use strong passwords. Enable your pop-up blocker. Only download software from sites you trust. And make sure your anti-virus software is up to date.


    Each of us securing our own devices—coupled with a coordinated law enforcement effort to combat ongoing cyber threats—will go a long way toward protecting all of us in cyberspace.

    https://www.fbi.gov/news/stories/joi...iminal-network

    NO AMNESTY

    Don't reward the criminal actions of millions of illegal aliens by giving them citizenship.


    Sign in and post comments here.

    Please support our fight against illegal immigration by joining ALIPAC's email alerts here https://eepurl.com/cktGTn

  2. #2
    JohnDoe2 (Senior Member)
    Check if you were hit by the massive 'Avalanche' cybercrime ring

    Elizabeth Weise, USATODAY
    7:30 p.m. EST December 2, 2016



    SAN FRANCISCO — The U.S. government has posted links for free scanning programs so companies and individuals can check their computers to make sure they weren't victims of a massive, international cyber criminal operation that was taken down Thursday after a four-year investigation.

    “This is probably the biggest operation that law enforcement has ever done against cyber crime,” said Catalin Cosoi, chief security strategist with BitDefender, one of the dozens of companies worldwide that worked with law enforcement to attack the group.


    The U.S. Computer Emergency Readiness Team (US-CERT) has posted links to five scanners on its site. Europol has also posted a list of sites in multiple languages for potentially infected users. The malware only affects systems running the Microsoft Windows operating system, according to US-CERT.


    The Department of Homeland Security’s National Cybersecurity and Communications Integration Center, which includes US-CERT, will be providing victim notification to stakeholders, including Internet Service Providers, DHS said in a statement.


    Known as "Avalanche," the group had been active since 2009, according to the FBI and Europol, the European law enforcement agency. It was effectively a criminal company that sold and rented cloud-hosted software to other criminals who used it to take over systems, infect networks, launch ransomware or create enormous robot networks (botnets) to send spam.


    Avalanche networks were also used to launch targeted attacks against banks and to recruit people to illegally transfer stolen money between countries, known as money mules.

    "They sent more than one million e-mails with damaging attachments or links every week to unsuspecting victims," and involved as many as 500,000 infected computers worldwide on a daily basis, Europol said in a release.


    “They would do whatever you wanted. You just had to call them, say ‘I need command and control service,’ or ‘I need to infect this type of people or this type of business,’ and they’d do it,” said Cosoi.


    The investigation originally began in Germany in 2012 after prosecutors there detected a ransomware operation that blocked access to a substantial number of computer systems and allowed the criminals to do bank transfers from the victims' accounts.


    As authorities became aware of the scope and reach of the criminal organization, the effort to shut it down ended up involving prosecutors and investigators in 30 countries.

    Law enforcement takedown

    On Wednesday, law enforcement launched a concerted action against the Avalanche group. It resulted in five arrests, the search of 37 premises and seizure of 39 servers. In addition, over 800,000 Internet domains, or addresses, were seized to block the criminals' access to their customers.


    Now that the operation has been taken down, the next crucial stage is for infected individuals and companies to check to make sure that their computers do not have Avalanche malware on them.


    “Companies and consumers should take this opportunity to scan their systems for the different families of malware that the Avalanche botnet distributed,” said ESET senior security researcher, Stephen Cobb.


    Multiple companies worldwide have written tools to run this scan.


    As Europol said on its website, "computer users should note that this law enforcement action will NOT clean malware off any infected computers — it will merely deny the Avalanche users’ ability to communicate with infected victims’ computers. Avalanche victims’ computers will still be infected, but shielded from criminal control."


    While the effort was hailed in the cyber security world as a major coup against cyber crime, the differential between how fast international cybercrime networks proliferate and how quickly international law enforcement can act is troubling.


    “It does give some reason for concern that our anti-cybercrime efforts still can't match the speed and dexterity that cyber criminals use for their own efforts," said Nathan Wenzler, principal security architect at AsTech Consulting, a San Francisco-based security consulting company.


    Unfortunately, while he believes that dismantling the Avalanche network will certainly show some short-term gains, he expects the cyber criminals will be "back up and running in short order.”

    http://www.usatoday.com/story/tech/n...-fbi/94811966/


  3. #3
    JohnDoe2 (Senior Member)
    Solution

    Users are advised to take the following actions to remediate malware infections associated with Avalanche:

    • Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. Even though parts of Avalanche are designed to evade detection, security companies are continuously updating their software to counter these advanced threats. Therefore, it is important to keep your anti-virus software up-to-date. If you suspect you may be a victim of Avalanche malware, update your anti-virus software definitions and run a full-system scan. (See Understanding Anti-Virus Software for more information.)
    • Avoid clicking links in email – Attackers have become very skilled at making phishing emails look legitimate. Users should ensure the link is legitimate by typing the link into a new browser (see Avoiding Social Engineering and Phishing Attacks for more information).
    • Change your passwords – Your original passwords may have been compromised during the infection, so you should change them. (See Choosing and Protecting Passwords for more information.)
    • Keep your operating system and application software up-to-date – Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. You should enable automatic updates of the operating system if this option is available. (See Understanding Patches for more information.)
    • Use anti-malware tools – Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool. A non-exhaustive list of examples is provided below. The U.S. Government does not endorse or support any particular product or vendor.

    ESET Online Scanner
    https://www.eset.com/us/online-scanner/
    F-Secure
    https://www.f-secure.com/en/web/home...online-scanner
    McAfee Stinger
    http://www.mcafee.com/us/downloads/f...ols/index.aspx
    Microsoft Safety Scanner
    https://www.microsoft.com/security/s...s/default.aspx
    Norton Power Eraser
    https://norton.com/npe
    Trend Micro HouseCall
    http://housecall.trendmicro.com/

