Microsoft and Vitalwerks Internet Solutions, the parent firm of Dynamic DNS provider No-IP, have reached a settlement in the recent malware disruption case, the companies announced on Wednesday.
Microsoft’s decision to drop the case comes after reviewing evidence provided by No-IP that demonstrated the company was not knowingly involved in the malware operations, and that the cybercriminals responsible for distributing Bladabindi (njRAT) and Jenxcus (NJw0rm) were actually abusing its services.
“Microsoft identified malware that had escaped Vitalwerks’ detection. Upon notification and review of the evidence, Vitalwerks took immediate corrective action allowing Microsoft to identify victims of this malware. The parties have agreed to permanently disable Vitalwerks subdomains used to control the malware,” Microsoft and No-IP said in a joint statement.
The Redmond, Washington-based company started its crackdown on the Bladabindi and Jenxcus botnets on June 19, when it filed a civil lawsuit against two individuals suspected of creating and distributing malware, and against No-IP, which it accused of failing to take appropriate action to prevent cybercriminals from abusing its services. On June 26, Microsoft was allowed by a Nevada court to seize 23 No-IP domains involved in the distribution of malware.
Some steps were taken to make sure No-IP’s legitimate customers would not be affected by the operation, but millions of users suffered service disruptions due to what the company called a “technical error.”
“In the process of redirecting traffic to its servers for malware detection, Microsoft acknowledges that a number of Vitalwerks customers were impacted by service outages as a result of a technical error. Microsoft regrets any inconvenience these customers may have experienced,” Microsoft said on Wednesday.
No-IP insists that none of this would have happened if Microsoft had reached out to them before taking action.
“By filing an ex parte temporary restraining order (TRO), No-IP was prevented from having any knowledge of the case or offering any support in stopping malicious activity. Had Microsoft submitted evidence of abuse at any time, No-IP would have taken swift action to validate the claims and ban any accounts that were proven to be malicious. Instead, Microsoft wasted many months while malicious activity continued,” No-IP Marketing Manager Natalie Goguen wrote in a blog post published on Thursday.
“To state this as emphatically as possible — this entire situation could have been avoided if only Microsoft had followed industry standards. A quick email or call to the No-IP abuse team would have removed the abusive hostnames from the No-IP network,” Goguen added. “Microsoft cited 22,000 hostnames that were abusive. Out of those 22,000 seized hostnames, the No-IP abuse department found only a fraction of the hostnames to still be active, which means that many had already been banned through our existing abuse procedures.”
Microsoft announced that it had seized the 23 domains on June 30, and returned most of them to No-IP on July 2, after being contacted by the company and its attorneys. While the DNS services provider says it’s pleased with the terms of the settlement, it’s still outraged by the tactics used by Microsoft in this case.
“We hope that Microsoft learned a lesson from this debacle and that in the future they will not seize other companies domains and will use appropriate channels to report abuse,” Goguen concluded.
While No-IP has every right to be upset with the disruption to its operations, the effects of the shutdown did negatively affect some cybercriminal operators.
Shortly after the domains were seized, Kaspersky Lab revealed that in addition to the Bladabindi and Jenxcus malware families, Microsoft’s operation also impacted several advanced persistent threat (APT) campaigns that use No-IP for their command and control (C&C) infrastructure. The list of affected APTs includes Flame, Cycldek, Uroburos (Snake), Banechant, Ladyoffice, Shiqiang, and customers of HackingTeam RCS.
“In the future, we can assume these groups will be more careful on using Dynamic DNS providers and rely more often on hacked websites and direct IP addresses to manage their C&C infrastructure,” Raiu added.
Kaspersky Lab also confirmed that not just cybercriminals were affected by the operation.
The terms of the settlement were not disclosed.
*Additional reporting by Mike Lennon
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Zyxel Firewalls Hacked by Mirai Botnet
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
- Drop in Insider Breaches Drives Decline in Intrusions at OT Organizations
- Zero-Day Vulnerability Exploited to Hack Barracuda Email Security Gateway Appliances
- OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers
- New Honeywell OT Cybersecurity Solution Helps Identify Vulnerabilities, Threats
- Rheinmetall Says Military Business Not Impacted by Ransomware Attack
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
