
Microsoft Returns Domain Names Seized From No-IP

All of the 23 domain names recently seized by Microsoft from No-IP as part of an operation against the Bladabindi (njRAT) and Jenxcus (NJw0rm) botnets have been returned.


When it announced the operation, Microsoft said No-IP domains were used 93% of the time for Bladabindi and Jenxcus infections, and accused the dynamic DNS provider of failing to take steps to prevent abuse.

Microsoft routed bad traffic to a sinkhole in an effort to classify the threats, and worked with A10 Networks to configure a system to manage the high volume of connections generated by the Bladabindi-Jenxcus botnets. Legitimate traffic should not have been impacted, but something went wrong and millions of legitimate users experienced a service outage.

No-IP representatives said Microsoft’s actions were “heavy-handed” and lashed out at the company for not contacting them before seizing their domains.

“Vitalwerks and No-IP have a very strict abuse policy. Our abuse team is constantly working to keep the No-IP system domains free of spam and malicious activity. We use sophisticated filters and we scan our network daily for signs of malicious activity. Even with such precautions, our free dynamic DNS service does occasionally fall prey to cyber scammers, spammers, and malware distributors. But this heavy-handed action by Microsoft benefits no one,” No-IP stated shortly after its domains were seized.

Microsoft representatives apologized for the incident and claimed that legitimate No-IP users experienced a temporary loss of service “due to a technical error.” The company said all services should have been restored on July 1 at 6AM Pacific time, but on Twitter, many No-IP customers reported downtimes long after that. During the debacle, a distributed denial-of-service (DDoS) attack was launched against No-IP, but the company insisted that the attack didn’t have anything to do with the prolonged outage since it was aimed at its website, not its DNS infrastructure.

On Thursday, No-IP informed customers that all of the seized domains were back in the company’s hands, but emphasized that it could take up to 24 hours for the DNS to fully propagate. The noip.me domain, which according to Conrad Longmore of Dynamoo’s Blog was specifically excluded from the civil lawsuit filed by Microsoft in Nevada against No-IP and two alleged malware creators, was recovered last.

“We are pleased at the progress we’ve made in our discussions with No-IP. They have regained control of their domains, and we are reviewing the malicious subdomains to identify the victims of the malware,” David Finn, executive director and associate general counsel at Microsoft’s Digital Crimes Unit, told SecurityWeek in an emailed statement.


Kaspersky Lab revealed last week that in addition to the Bladabindi and Jenxcus malware families, Microsoft’s operation also impacted several advanced persistent threat (APT) campaigns that use No-IP for their command and control (C&C) infrastructure. The list of affected APTs includes Flame, Cycldek, Uroburos (Snake), Banechant, Ladyoffice, Shiqiang, and customers of HackingTeam RCS.

“Based on our statistics, the shutdown has affected in some form at least 25% of the APT groups we are tracking. Some of these hosts that were previously used in large and sophisticated cyberespionage operations are now pointing to what appears to be a Microsoft sinkhole, at 204.95.99.59,” Kaspersky’s Costin Raiu noted in a blog post.

“We think yesterday’s events have dealt a major blow to many cybercriminal and APT operations around the world. In the future, we can assume these groups will be more careful on using Dynamic DNS providers and rely more often on hacked websites and direct IP addresses to manage their C&C infrastructure,” Raiu added.

While Microsoft’s operation has been successful in disrupting malicious operations, Kaspersky also confirmed that not just cybercriminals were affected. The list of 20,000 targeted No-IP domains also includes two that have been previously sinkholed by the security firm.
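The sinkhole address Kaspersky reported (204.95.99.59) and the seized dynamic DNS zones are useful from the defender's side: a host on your network that resolves a No-IP name to the sinkhole was almost certainly beaconing to a C&C that has now been taken over. The script below is an added example, not code from the article or from Microsoft, No-IP or Kaspersky. It scans resolver log lines in a constructed format (`<timestamp> <client> <qname> -> <answer>`), flags resolutions that land on the sinkhole, and separately flags any lookup inside a watched zone. Only `noip.me` is named in the article, so the `WATCHED_ZONES` tuple is an assumption the operator would extend with the remaining seized domains; the hostnames and client addresses in `SAMPLE_LOG` are made up.

```python
"""Flag DNS resolutions that hit a known sinkhole or a watched dynamic DNS zone.

Added example, not code from the article or from Microsoft/No-IP/Kaspersky.
The log format parsed here is constructed for the example; real resolver
logs (BIND, Unbound, Windows DNS) use their own layouts.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple, Union

# Sinkhole address quoted in the article (Kaspersky's observation).
MICROSOFT_SINKHOLE = ipaddress.ip_address("204.95.99.59")

# Dynamic DNS zones worth watching. noip.me is the only one the article names;
# the other seized zones are not listed there, so extending this tuple is an
# assumption left to the operator.
WATCHED_ZONES = ("noip.me",)

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class DnsEvent:
    ts: str
    client: str
    qname: str
    answer: Optional[IPAddress]  # None for NXDOMAIN or non-address answers


def parse_line(line: str) -> Optional[DnsEvent]:
    """Parse one constructed log line: '<ts> <client> <qname> -> <answer|NXDOMAIN>'."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None  # malformed line; skip rather than guess
    ts, client, qname, _, answer = parts
    qname = qname.rstrip(".").lower()  # normalise trailing dot and case
    try:
        addr: Optional[IPAddress] = ipaddress.ip_address(answer)
    except ValueError:
        addr = None
    return DnsEvent(ts, client, qname, addr)


def in_watched_zone(qname: str) -> bool:
    """True if qname is a watched zone or a subdomain of one.

    The match is label-aligned: 'evilnoip.me' must not match 'noip.me'.
    """
    return any(qname == z or qname.endswith("." + z) for z in WATCHED_ZONES)


def classify(ev: DnsEvent) -> Optional[str]:
    """'sinkhole' outranks 'dyndns': a sinkhole answer means a likely infected client."""
    if ev.answer == MICROSOFT_SINKHOLE:
        return "sinkhole"
    if in_watched_zone(ev.qname):
        return "dyndns"
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (ts, client, qname, verdict) for every line that warrants a look."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        verdict = classify(ev)
        if verdict:
            hits.append((ev.ts, ev.client, ev.qname, verdict))
    return hits


# Constructed sample lines; hostnames and client addresses are made up.
SAMPLE_LOG = [
    "2014-07-03T10:00:01Z 10.0.0.12 updates.example.com -> 93.184.216.34",
    "2014-07-03T10:00:05Z 10.0.0.17 host-a.noip.me -> 204.95.99.59",
    "2014-07-03T10:00:09Z 10.0.0.23 cam-b.noip.me -> 198.51.100.7",
    "2014-07-03T10:00:12Z 10.0.0.31 evilnoip.me -> 203.0.113.9",
    "2014-07-03T10:00:15Z 10.0.0.44 gone.noip.me -> NXDOMAIN",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

The two verdicts deserve different handling. A `sinkhole` hit identifies a client to isolate and image; a `dyndns` hit on its own is only a lead, since, as the No-IP statement and the outage itself show, the same zones carry a large amount of legitimate traffic.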

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
