Microsoft Drops Cybercrime Case Against No-IP

Microsoft and Vitalwerks Internet Solutions, the parent firm of Dynamic DNS provider No-IP, have reached a settlement in the recent malware disruption case, the companies announced on Wednesday.

Microsoft’s decision to drop the case comes after reviewing evidence provided by No-IP that demonstrated the company was not knowingly involved in the malware operations, and that the cybercriminals responsible for distributing Bladabindi (njRAT) and Jenxcus (NJw0rm) were actually abusing its services.

“Microsoft identified malware that had escaped Vitalwerks’ detection. Upon notification and review of the evidence, Vitalwerks took immediate corrective action allowing Microsoft to identify victims of this malware. The parties have agreed to permanently disable Vitalwerks subdomains used to control the malware,” Microsoft and No-IP said in a joint statement.

The Redmond, Washington-based company started its crackdown on the Bladabindi and Jenxcus botnets on June 19, when it filed a civil lawsuit against two individuals suspected of creating and distributing malware, and against No-IP, which it accused of failing to take appropriate action to prevent cybercriminals from abusing its services. On June 26, Microsoft was allowed by a Nevada court to seize 23 No-IP domains involved in the distribution of malware.

Some steps were taken to make sure No-IP’s legitimate customers would not be affected by the operation, but millions of users still suffered service disruptions due to what Microsoft called a “technical error.”

“In the process of redirecting traffic to its servers for malware detection, Microsoft acknowledges that a number of Vitalwerks customers were impacted by service outages as a result of a technical error. Microsoft regrets any inconvenience these customers may have experienced,” Microsoft said on Wednesday.

No-IP insists that none of this would have happened if Microsoft had reached out to them before taking action.

“By filing an ex parte temporary restraining order (TRO), No-IP was prevented from having any knowledge of the case or offering any support in stopping malicious activity. Had Microsoft submitted evidence of abuse at any time, No-IP would have taken swift action to validate the claims and ban any accounts that were proven to be malicious. Instead, Microsoft wasted many months while malicious activity continued,” No-IP Marketing Manager Natalie Goguen wrote in a blog post published on Thursday.

“To state this as emphatically as possible — this entire situation could have been avoided if only Microsoft had followed industry standards. A quick email or call to the No-IP abuse team would have removed the abusive hostnames from the No-IP network,” Goguen added. “Microsoft cited 22,000 hostnames that were abusive. Out of those 22,000 seized hostnames, the No-IP abuse department found only a fraction of the hostnames to still be active, which means that many had already been banned through our existing abuse procedures.”

Microsoft announced that it had seized the 23 domains on June 30, and returned most of them to No-IP on July 2, after being contacted by the company and its attorneys. While the DNS services provider says it’s pleased with the terms of the settlement, it’s still outraged by the tactics used by Microsoft in this case.

“We hope that Microsoft learned a lesson from this debacle and that in the future they will not seize other companies’ domains and will use appropriate channels to report abuse,” Goguen concluded.

While No-IP has every right to be upset about the disruption to its operations, the takedown did hurt a number of malicious operations that relied on its service.

Shortly after the domains were seized, Kaspersky Lab revealed that in addition to the Bladabindi and Jenxcus malware families, Microsoft’s operation also impacted several advanced persistent threat (APT) campaigns that use No-IP for their command and control (C&C) infrastructure. The list of affected APTs includes Flame, Cycldek, Uroburos (Snake), Banechant, Ladyoffice, Shiqiang, and customers of HackingTeam RCS.

“In the future, we can assume these groups will be more careful on using Dynamic DNS providers and rely more often on hacked websites and direct IP addresses to manage their C&C infrastructure,” Kaspersky Lab’s Costin Raiu wrote in the company’s analysis of the takedown.

Kaspersky Lab also confirmed that legitimate No-IP users, not just cybercriminals, were affected by the operation.

The terms of the settlement were not disclosed.

*Additional reporting by Mike Lennon

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
