Bulletproof hoster: still traffic to the cyberbunker IPs

Around half a year after the bulletproof hoster is after a raid history and the servers have been confiscated, there are still a number of attempts to access the IP addresses used. Security researchers Karim Lalji and Johannes Ullrich from the US research institute Internet Storm Center (ISC) were able to do this analyze remaining traffic.

According to the security researchers, the IP address space of the cyber bunker was sold to the Dutch company Legaco in order to finance the legal costs of the alleged operators of the bulletproof hoster. The latter agreed to forward the IP address space (185.103.72.0/22, 185.35.136.0/22 ​​and 91.209.12.0/24) to a honeypot of the two researchers for two weeks starting on April 15. Lalji and Ullrich analyzed the attempts to access the approximately 2,300 IP addresses and were able to collect information about the remaining criminal activities, which they have now published.

Requests to botnets, phishing sites, and a shady ad network

The remaining access to the IP address space of the cyber bunker came mostly from Brazil, but also from Europe, Iran and Mexico. In total, a traffic of about 2 Mbit per second had arisen. Most of the access attempts were IRC requests (Internet Relay Chat) from a botnet, but they connected to HTTP port 80 for camouflage or to bypass firewall rules, the researchers explain.

In this way, almost 7,000 IP addresses with a similar request pattern would have turned to a potential command and control server of a botnet in the former cyber bunker. In addition, the two researchers were able to discover indications of the cryptomining and DDoS bot network Beta Bot and the rootkit Gaudox.

During a search, they noticed a total of 55 phishing domains that refer to an IP address in the address space of the cyber bunker. In particular the subdomain apple-serviceauthentication.com.juetagsdeas[.]org received a few more attempts. Further examples of phishing domains that were hosted in the cyber bunker are bank66, according to the researchers[.]com, r0yalbankrbc[.]com and [zufällige Subdomain].paypall-password[.]com

Also banner requests for the getmyad advertising network[.]com could be intercepted by the honeypot of the two researchers. The two explain that strings were transmitted from which the domains or content of the queries resulted. According to this, the advertising network mainly played pornographic, but also criminal content, including material that indicates the sexual abuse of children. According to the web archive, Getmyads was mainly active between 2016 and 2018. The last archived version of the website indicates the seizure of the cyber bunker.

Charges have been brought against suspected operators of the cyber bunker

The suspected operators of the cyber bunker were charged in April, although the evaluation of the 403 seized servers is ongoing. In order to speed up the proceedings, the charges were limited to seven acts, the Koblenz public prosecutor general said. In May, after research by Spiegel and NDR, it became known that the operators had rented servers to right-wing extremists.