STE WILLIAMS

Buggy Riverbed portal needs patching – now

Riverbed admins: get busy patching the SteelCentral Portal application.

Digital Defense discovered the bugs, which include two authentication flaws and two information disclosure vulnerabilities.

First, there’s an unauthenticated file upload bug in the portal’s UploadImageServlet, which delivers remote code execution at the system level.

A vulnerable directory can be accessed remotely, meaning the attacker can upload a JSP shell to run commands with system privileges. Once the attacker is in, they can get admin credentials, meaning “all connected SteelCentral Portal data sources” are compromised.

The second bug involves the H2 web console, which is accessible without authentication.

The Digital Defense advisory explains that the service was created as a developer tool, and wasn’t supposed to ship with the SteelCentral Portal.

The H2 console bypasses SteelCentral Portal’s PostgreSQL database access rules by connecting from localhost, and there are “easily obtainable default admin credentials,” so an attacker can create a new table, add a JSP shell to that table, and export the table to the Web application’s root directory. After that, the attacker pwns the host.

Finally, the DataSourceService Servlet and the roleService Web service both have information disclosure vulnerabilities.

The DataSourceService Servlet lets an attacker enumerate connected SteelCentral applications’ IP addresses and the admin account name; roleService spills valid usernames for the SteelCentral Portal. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/11/patch_for_riverbed_portal/

Solaris admins! Look out – working remote root exploit leaked in Shadow Brokers dump

Now that the sulky Shadow Brokers gang has leaked its archive of stolen NSA exploits, security experts are trawling Uncle Sam’s classified attack code – and the results aren’t good for anyone using Oracle’s Solaris.

Matthew Hickey, cofounder of British security shop Hacker House, has been going through the dumped files, which once belonged to the spy agency’s Equation Group and are now handily mirrored on GitHub. Hickey today identified two key programs – EXTREMEPARR and EBBISLAND – that can escalate a logged-in user’s privileges to root, and obtain root access remotely over the network, on Solaris boxes running versions 6 to 10 on x86 and Sparc, and possibly also the latest build, version 11.

EXTREMEPARR elevates the logged-in user, or a malicious application or script, to root by abusing dtappgather, file permissions, and the setuid binary at. EBBISLAND attacks any open RPC service to spawn a remote root shell on the vulnerable box. Each exploit is packaged up for any attacker to use as they wish to hijack and commandeer vulnerable machines, either locally or on the other side of the internet.

“It’s like Christmas Day here at the moment,” Hickey told The Register. “They’ve effectively got a skeleton key to open a root shell on any Solaris system in the world. These are prebuilt static binaries and you can run them out of the box with very little technical knowledge.”

EBBISLAND exploits an overflow vulnerability in Solaris’s XDR code, and it is extremely stealthy, we’re told.

EXTREMEPARR is adept at abusing file permissions to gain full root access. Hickey noted that the code contains references to Solaris 11 and may be effective against the latest release of Oracle’s operating system.

Hickey said that he’s done a search on the connected devices search engine Shodan.io, and found thousands of vulnerable machines exposed on the public internet. But the real threat, he said, was that a lot more of these machines are going to be running internally behind firewalls, and the exploit code could be used to root these once an attacker gets a foothold within an organization.

Oracle declined to comment although we’re aware that the database giant’s security team is looking into the exploited vulnerabilities. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/11/solaris_shadow_brokers_nsa_exploits/

Evil ISPs could disrupt Bitcoin’s blockchain

Attacks on Bitcoin just keep coming: ETH Zurich boffins have worked with Aviv Zohar of The Hebrew University in Israel to show off how to attack the crypto-currency via the Internet’s routing infrastructure.

That’s problematic for Bitcoin’s developers, because they don’t control the attack vector, the venerable Border Gateway Protocol (BGP) that defines how packets are routed around the Internet.

BGP’s problems are well-known: conceived in a simpler era, it’s designed to trust the information it receives. If a careless or malicious admin in a carrier or ISP network sends incorrect BGP route information to the Internet, they can black-hole significant chunks of ‘net traffic.

In this paper at arXiv, explained at this ETH Website, Zohar and his collaborators from ETH, Maria Apostolaki and Laurent Vanbever, show off two ways BGP can attack Bitcoin: a partition attack, and a delay attack.

The upside of both of these attacks is that they need an insider, because they happen at the ISP level.

They are, however, serious attacks.

In the partition attack, if an ISP is the only route between significant chunks of the Bitcoin network, a blackhole would stop the two sides communicating with each other.

The two “islands” will keep going – processing transactions, and mining new Bitcoin. When the “evil ISP” connects the islands together again, one side has no option but to discard its mined Bitcoins, transactions, and mining revenue.

The delay attack is nastier, in a way, because unlike the partitioning attack, the researchers say it’s undetectable.

Here’s how it works:

The delay attack impacts merchants by making them susceptible to double-spending attacks; miners waste their processing power; and ordinary nodes can’t propagate the latest version of the blockchain.

How did we get to this point?

Part of the problem is that Bitcoin’s nodes have tended to gather together at relatively few ISPs: thirteen in all host about 30 percent of the whole Bitcoin network; and 60 percent of Bitcoin traffic is visible to just three ISPs.

The researchers say BGP hijacking (which is usually but not always inadvertent) already affects as many as 100 Bitcoin nodes a month. November 2015 saw a peak in this: around 8 percent of the whole Bitcoin network (447 nodes) suffered a traffic hijack in that month.

The work is to be presented at the IEEE Symposium on Security and Privacy 2017 in May, in San Jose. The trio also say they’ll release code on GitHub offering a prototype of the delay attack. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/11/evil_isps_could_disrupt_bitcoins_blockchain/

Spanish cops snatch suspected top spammer as US moves against Kelihos botnet

Police in Barcelona have arrested a man suspected of being one of the web’s top spammers and the possible operator of a major botnet.

Pyotr Levashov, 36, was arrested on Friday by Spanish police in a joint operation with the FBI. The local authorities told the AP that the arrest was part of an investigation into the Kelihos botnet, which Levashov has been accused of running.

According to spammer monitoring site Spamhaus, Levashov is seventh on their list of the world’s top ten purveyors of unwanted emails and is a former associate of the self-styled Spam King Alan Ralsky. He is also the prime suspect behind the Kelihos – and possibly the Waledac – botnets.

At its height, Kelihos was hosted on over 42,000 infected machines and was capable of pumping out almost 4 billion spam messages per day. In September 2011, Microsoft claimed to have taken down the botnet, but it resurfaced less than a year later.

Coincidentally, the US Department of Justice (DoJ) unsealed court documents on Monday that explicitly name Levashov as the operator of the Kelihos botnet since 2010. The court documents [PDF] claim Levashov offered to send out a million spam messages for legal products for $200, with the price rising to $300 per million for adverts looking for money mules or $500 per million to carry out phishing attacks.

DoJ operatives have now begun shutting down command and control servers for the botnet and malicious domains associated with Kelihos, and are establishing substitute servers that receive the automated requests for instructions from the underground computer network.

“The ability of botnets like Kelihos to be weaponized quickly for vast and varied types of harms is a dangerous and deep threat to all Americans, driving at the core of how we communicate, network, earn a living, and live our everyday lives,” said Acting Assistant Attorney General Kenneth Blanco.

“Our success in disrupting the Kelihos botnet was the result of strong cooperation between private industry experts and law enforcement, and the use of innovative legal and technical tactics. The Department of Justice is committed to combatting cybercrime, no matter the size or sophistication of the scheme, and to punishing those who are engaged in such crimes.”

The Russian embassy confirmed that their citizen had been snaffled. “As it is routine in these cases, we offer consular support to our citizen,” said embassy spokesman Vasily Nioradze.

Shortly after Levashov’s arrest, his wife told the Russian propaganda TV channel RT that Spanish police locked her and a friend in a room while they questioned the arrestee for two hours. She claimed that when she spoke to Levashov by phone after his arrest, he said the arrest was down to his creation of a computer virus that was “linked to Trump’s election win.”

However, shortly afterwards RT removed the story from their website. It’s not clear if this was down to the story being unsubstantiated or if it was just no longer a line they wanted to push. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/11/spanish_police_snatch_suspected_top_spammer_after_us_request/

News in brief: Dallas sirens ‘hacked’; Livejournal cracks down; Russian man arrested in Spain

Your daily round-up of some of the other stories in the news

Hackers sound Dallas emergency sirens

Spare a thought for the denizens of Dallas, who were awoken late on Friday night when all 156 of the city’s emergency sirens were set off thanks to what city officials said was a hacking attack.

Mayor Mike Rawlings said that the attack, which saw sirens being sounded between 11.40pm on Friday and 1.20am on Saturday morning and 911 operators being swamped with calls from worried residents, “was an attack on our emergency notification system”.

When the sirens first started sounding, officials blamed a system malfunction, but then said they had had to take the system down completely to prevent the hackers attacking it again. City official Rocky Vaz told reporters: “We shut it down as quickly as we could taking into consideration all of the precautions and protocols we had to make sure that we were not compromising our 156-siren system.”

Livejournal clamps down on content

Livejournal, the Russian-owned blog community and early social media platform, is apparently shedding users in droves, reports Mashable, after it posted a change in its user terms to outlaw “political solicitation” on the platform and content that’s “contradictory to the laws of the Russian Federation”.

Critics say this will include pro-LGBTQ discussion, as similar phrases have been used to clamp down on LGBTQ issues as “gay propaganda”.

Livejournal, which has hosted blogs from fantasy and sci-fi authors such as Game of Thrones author George RR Martin, was acquired by a Russian company in 2007, and its hosting was moved to Russian servers in December last year.

Livejournal also said that blogs that get more than 3,000 visitors a day would now be classified as “media outlets”, which means they can’t publish anonymously, use obscene language or share “extremist materials”, io9 reported.

Russian man arrested in Barcelona

A Russian man arrested in Barcelona on Friday at the request of US authorities is thought to have been involved in hacking linked to the US presidential election last year.

Reuters reported that Pyotr Levashov was detained under a US international arrest warrant. Writing on his Krebs on Security blog, Brian Krebs claims that Levashov is better known as the hacker “Severa”, a “pivotal figure in many Russian-language cybercrime forums”.

Krebs notes that Levashov is “listed as #7 in the world’s Top 10 Worst Spammers list maintained by anti-spam group Spamhaus”.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/q1aZaXoOl0c/

Radio hackers set off Dallas emergency sirens at midnight as a prank

Shortly before midnight on Friday in Dallas, Texas, the city’s emergency sirens started to howl. Within minutes, all 156 of the sirens were blaring out and residents were starting to panic.

The city’s 911 emergency response system started to buckle under the strain of concerned residents calling in to report the disturbance. It took more than six minutes to get through to a human operator as more than 800 people rang in during the first 15 minutes. It usually takes 10 seconds to get through. But there was no emergency.

Initial reports suggested that the emergency response system had suffered a malfunction. However, officials then put out a statement blaming the incident on unknown hackers, who did not use the city’s computer systems but instead carried out the scam using radio waves.

The siren system is designed to be activated when severe storms approach the city. When a major weather alert is received, a message is sent out via radio to all the sirens and, although Dallas city management aren’t being specific, it appears hackers managed to mimic this system.

“Last night’s hack was an attack on our emergency notification system. We will work to identify and prosecute those responsible,” said the city’s Mayor Mike Rawlings.

“This is yet another serious example of the need for us to upgrade and better safeguard our city’s technology infrastructure. It’s a costly proposition, which is why every dollar of taxpayer money must be spent with critical needs such as this in mind.”

During the attack, which started at 11.41pm local time, city workers had to go around to each siren and turn them off manually, which took until 01.17am on Saturday. The system was reset and engineers began trying to figure out how hackers managed to disturb the start to everyone’s weekend.

According to a Dallas City Council spokeswoman, the emergency alert system is up and running again. Engineers are also checking the system, radio network, 911/311, police-fire dispatch, flood warning system, financial systems and more. It has asked the FCC for help in identifying the source of the attack.

In a press conference on Monday, city manager TC Broadnax told journalists that he was now confident that the city’s emergency response systems were locked down. He said that, with storm systems on the way, the response system is ready in the event of an emergency. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/10/hackers_set_off_dallas_emergency_siren_system/

Internet Society tells G20 nations: The web must be fully encrypted

The Internet Society has called for the full encryption of the internet, decrying the fact that securing the digital world has increasingly become associated with restricting access to law enforcement.

In a blog post aimed at the leaders of the G20 economies, ISOC CEO Kathryn Brown argues that the digital economy “will only continue to thrive and generate opportunities for citizens if the Internet is strong, secure, and trusted,” adding: “Without this foundation, the global digital economy is at risk.”

The G20 will meet in Hamburg in July and one of the main agenda topics is the “spread of digital technology” and its impact on economic growth. Notably, there will be a “digital affairs ministers conference” for the first time at the summit, and the importance of the topic was highlighted with a special two-day preparatory meeting last week attended by “ministers in charge of digitalization.”

“Germany wants them to agree to a concrete plan – one that includes affordable Internet access across the world by 2025, common technical standards and a focus on digital learning,” wrote Brown at the conclusion of that prep meeting, presumably having been briefed on discussions.

The post gives some figures on the digital economy – 360 million people; 28 per cent of output is digital; the internet contributes $6.6tn a year – before getting to the point: interconnection and security.

“The truth is that economies can only function within a secure and trusted environment,” Brown notes, “which brings us to encryption.”

Engineering

Internet engineers have long been strong advocates of increased online security (something that has been difficult since the internet’s earliest building blocks largely ignored the idea of malicious activity), and the Internet Society reflects that belief back: “Strong encryption is an essential piece to the future of the world’s economy and the Internet Society believes it should be the norm for all online transactions. It allows us to do our banking, conduct local and global business, run our power grids, operate communications networks, and do almost everything else.”

Brown goes on: “Encryption is a technical building block for securing infrastructure, communications and information. It should be made stronger and universal, not weaker.”

But then she also notes that in the past year, the issue of encryption has become intricately tied up with the issue of law enforcement trying to gain access to people’s communications and being unable to do so.

In the lead-up to the US presidential election, the fight between the FBI and Apple over the phone of San Bernardino shooter Syed Farook became a hot topic. Politicians and law enforcement called for a backdoor (or even a frontdoor) to the latest encryption efforts, and tech companies, security bods, civil society and some federal agencies called that notion “magical thinking” because any hole introduced into encryption software is an exploitable hole that anyone can use – and abuse.

Last month, the issue re-emerged following an attack in London, when the UK home secretary Amber Rudd specifically criticized Facebook-owned WhatsApp for not providing access to the app-based conversations of attacker Khalid Masood.

Just days later, EU Justice Commissioner Věra Jourová said she would introduce legislation to make it easier for law enforcement to gain access to encrypted apps’ data. That followed calls from French and German ministers for ways to access encrypted comms.

Backtrack

However, following a now-familiar backlash to such calls from cybersecurity experts, Rudd then downplayed her call for access to encrypted communications. Jourová’s department insisted she did not mean to imply the legislation would cover encryption – only access to data stored in the cloud by encrypted apps (which presumably she expects to be unencrypted).

ISOC CEO Brown is not happy about how this conversation is defining the debate around encryption. “Rather than being recognized as the way to secure our online transactions or our conversations, all too often the debate focuses on the use of encryption as a way to thwart law enforcement,” she complains, arguing: “To undermine the positive role of encryption in the name of security could have devastating consequences.”

The Internet Society is usually diplomatic to the point of saying nothing, so when its CEO says, “we should recognize that encryption is key to the future digital economy and stop treating it as simply an obstacle to law enforcement,” it is clear that the level of frustration among internet engineers is high.

Hammering the point home, she adds: “We need to deconstruct the issues faced by law enforcement and policy makers and agree together how we can achieve a trusted digital economy underpinned by encryption.”

ISOC clearly sees July’s G20 Summit as the best opportunity to address that concern, with Brown calling it a “turning point that should not be missed.” And its position is stated simply: “The Internet Society calls for ubiquitous encryption for the Internet. We strongly believe that this is the best foundation for trust in the digital economy, and we urge the G20 nations to stand behind encryption.”

Whether that technical message makes it past the politics of terrorism is going to be hard to discern, but there is little doubt that a more secure online environment is going to be a healthier one financially and ISOC and others will be hoping that money talks louder than fear. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/10/internet_society_full_encryption/

Finally a reason not to bother with IPv6: Security concerns

For all those sysadmins tired of having to make excuses for why they haven’t moved to IPv6, worry no more: the new protocol brings with it the risk of network infiltration.

That’s according to NATO’s Cooperative Cyber Defence Centre of Excellence, which has published a research paper [PDF] claiming it is possible to set up undetectable communications channels across networks that could be used to pull out data and control systems remotely.

There’s only one downside for IPv6 laggards: the security holes come as a result of IPv4 to IPv6 transition tools.

“Tunnel-based IPv6 transition mechanisms could allow the setup of egress communication channels over an IPv4-only or dual-stack network while evading detection by a network intrusion detection system,” the authors – who also came from Estonia’s Tallinn University of Technology – wrote in the paper titled Hedgehog in the Fog: Creating and Detecting IPv6 Transition Mechanism-Based Information Exfiltration Covert Channels.*

For their research, they dug into a range of transition technologies and focused on two tools for creating covert communications channels; tools that they describe as “proof-of-concept.”

The results were produced in a virtualized environment rather than the real world and assumed an insider threat, ie, that someone already had access to your network and wanted to push information outside without being noticed.

Reconfigure

As such, the threat is not a huge one, we are sorry to inform lackadaisical network operators. But it does reflect a real risk, largely because network intrusion and monitoring tools were found not to work (in some cases because the tools simply don’t support IPv6).

Although the main threat comes from an insider – and let’s be honest, there are plenty of other ways someone trusted inside your network could get information out unnoticed – there is a real risk that hackers could use the approach outlined to escape notice once inside a network.

The researchers used a range of intrusion detection systems from Bro, Moloch, Snort and Suricata to see if the tunneling approach could be detected. Thanks to the combination of connections and protocols involved, the detection systems failed to spot it most of the time.

The researchers used four indicators: Y for clear identification of malicious activity; P for partial identification – an alert with little or no description; V for visible detection, ie, included in logs but one that required a person to identify and analyze; and N for no alerts or logs.

The best-performing software in this case managed to actively recognize the threat about a third of the time; the worst picked up nothing at all.

What’s the solution? According to the authors, nothing short of a wholesale review of how network traffic is interpreted. Sysadmins need to look at how their security systems are configured to make sure they pick up any unusual traffic flows made using this technique. ®

* Why “Hedgehog in the Fog”? There is no explanation in the paper itself but we suspect it has something to do with a famous 1975 Russian animation about a hedgehog that gets lost in the fog on the way to see a friend for tea and comes across what look like various terrifying animals, although it’s hard to be sure what they are. That’s what happens when you team up with Estonians for your research.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/10/ipv6_security_concerns/

CIA-Linked Hacking Tools Tied to Longhorn Cyber Espionage Group

Symantec matches tools exposed in Vault 7 documents leak reportedly from the CIA with those used by cyber espionage group that has been targeting governments and private businesses.

Researchers at Symantec have established a connection between the Vault 7 documents released by WikiLeaks and a cyberespionage group with a multi-year history of targeting governments and private companies. WikiLeaks says the tools in Vault 7 are from the CIA.

Symantec has been watching this group, nicknamed Longhorn, since 2014. The group has been active since at least 2011, with evidence of activity dating back to 2007.

In that time, it has used a range of methods, from backdoor Trojans to zero-day vulnerabilities, to compromise 40 targets in at least 16 countries across Europe, Asia, Africa, and the Middle East. Researchers discovered one attack hit a computer in the US, but an uninstaller was immediately launched following the event — a sign it was unintentional.

While Symantec didn’t explicitly say Longhorn is the CIA, it concluded the group’s tools bear similarities to those in the Vault 7 documents.

“Given the close similarities between the tools and techniques, there can be little doubt that Longhorn’s activities and the Vault 7 documents are the work of the same group,” the company wrote in a blog post.

For example, Vault 7 contains notes and feature release dates for a piece of malware called Fluxwire. The timeline is similar to Corentry, a Longhorn tool tracked by Symantec. According to samples obtained by Symantec, Corentry was consistently updated with new features on the same dates, or several days after, the dates listed in Vault 7.

“That’s the biggest piece of evidence,” says Eric Chien, director of Symantec Security Response, of the matching timelines. “It’s sort of hard to argue with.”

Another similarity was found between Vault 7 document Fire and Forget, a specification for installing malware modules through a tool called ArchAngel. The specification and interface used to load modules closely match a Longhorn tool called Plexor.

A third Vault 7 document includes cryptographic protocols for other malware tools, including the use of cryptography within SSL to prevent man-in-the-middle attacks, use of AES with a 32-bit key, and key exchange once per connection. All of these requirements are similar to cryptographic rules found in Longhorn.

Chien says the malware attack tools were built to spy on other countries. “Look at them as all-purpose backdoors,” he says. “They can do anything on a machine that they would want with it.”

The attacks have affected organizations in the energy, financial, telecom, aerospace, education, information technology, and natural resources industries. There is no trend indicating one type of industry is at greater risk, but the targets all share one common trait.

“We’re not seeing anything like financial attackers transferring money. Everything looks to be very espionage-related and state-espionage related,” Chien says.

The activity recorded here is different from that exposed by NSA whistleblower Edward Snowden, he continues. NSA aimed to gain access to infrastructure; for example, by compromising mail servers or DNS servers.

Longhorn’s toolsets are designed differently. They use “human assets,” or commissioned insiders, to launch attacks within an organization. Chien cites the example of a VLC multimedia application modified to accept commands and seek documents. The application would be given to an insider who would enter the business and launch the app so the hackers could seek documents of interest.

“They wouldn’t use it unknowingly,” he notes. “It was designed to give to someone who knew something was going on,” but didn’t know what was happening behind the scenes.

Following the Vault 7 leak, Chien says it’s unlikely these specific tools will be deployed again by the cyber espionage group. He says the group will revamp their toolsets and come back.

Chien emphasizes that for businesses, this is “not just another threat.” Businesses need to understand the dangers, revisit their threat models, and implement a comprehensive incident response procedure for such advanced attacks.

Kelly is an associate editor for InformationWeek. She most recently reported on financial tech for Insurance Technology, before which she was a staff writer for InformationWeek and InformationWeek Education.

Article source: http://www.darkreading.com/attacks-breaches/cia-linked-hacking-tools-tied-to-longhorn-cyber-espionage-group/d/d-id/1328597?_mc=RSS_DR_EDT

One of World’s Most Wanted and Prolific Alleged Spammers Arrested

Suspected mastermind behind massive Kelihos botnet Pyotr Levashov nabbed in botnet takedown operation.

The cybercrime underground is abuzz with the news that the infamous alleged spammer and Kelihos botnet operator Pyotr Levashov was arrested this weekend in Barcelona while on holiday there.

Levashov, a Russian citizen, was arrested by Spanish authorities via US cybercrime charges, and as part of a US Department of Justice takedown effort of the Kelihos botnet made up of tens of thousands of infected bots that distributed spam, stole login credentials, and installed ransomware and other malware. DoJ said it began blocking malicious domains tied to Kelihos on April 8.

The DoJ announced his arrest today as part of an effort to disrupt and take down Kelihos. “The operation announced today targeted an ongoing international scheme that was distributing hundreds of millions of fraudulent e-mails per year, intercepting the credentials to online and financial accounts belonging to thousands of Americans, and spreading ransomware throughout our networks,” said Acting Assistant Attorney General Kenneth Blanco.

Levashov’s arrest sparked alarm and chatter online among other big players in the Russian cyber underground concerned about their own unmasking and possible indictment or arrest. Vitali Kremez, director of research at Flashpoint, says his firm has witnessed some underground players planning to tighten up their own operations, and that their chatter also confirmed that Levashov is known by the alias Peter Severa. Levashov/Severa is listed by Spamhaus as one of the 10 Worst Spammers in the world.

“We’ve been looking into him for quite some time,” Kremez says. “He’s one of the most wanted and prolific spammers who’s ever operated in the Russian underground.”

A source close to the case said Levashov’s indictment will be unsealed tomorrow.

Not only is he behind spam and malware-rigged email campaigns, but Levashov also is tied to click-fraud and distributed denial-of-service operations. He’s considered a spam service provider to various underground attackers. “He’s been operating underground the past 20 years successfully evading prosecution,” Kremez says.

Levashov was indicted in 2009 for operating the Storm botnet, a predecessor to Kelihos that was then the world’s largest spamming botnet, but was not extradited to the US. He faced charges for spam promoting pump-and-dump penny stock schemes.

Adding to the intrigue surrounding his apprehension this weekend after nearly two decades of allegedly operating as one of the world’s most prolific spammers and botnet operators, the AP reports that Levashov also may have ties to Russia’s hacking and leaking of information in an attempt to interfere with the outcome of the 2016 US presidential election.

His wife was quoted by Russian state media outlet RT as saying that her husband later told her by phone that he had been arrested in connection with malware “linked to Trump’s election win.”

Given the notoriously grey area between cybercriminals and the Russian government, security experts say it’s not a big stretch that Levashov could have had a hand in the hacking activities by Russia last year to influence the US presidential election. But there’s no indication thus far of his involvement.

Flashpoint’s Kremez says Levashov indeed has ties to the Russian government, but can’t conclude that he was involved in the US election hacking operation. Levashov previously has been linked to pro-Russian government groups distributing spam including hacktivist group CyberBerkut. “He would be the perfect cybercriminal for hire with his email filters and other tradecraft to deliver email” spam campaigns, Kremez says.

Both Kelihos and CyberBerkut have operated pro-Russian government online campaigns spreading anti-Ukraine and pro-Russian rhetoric. CyberBerkut recruited pro-Russian government “cyberwarriors” to target Ukrainian websites in a distributed denial-of-service effort called Help Your Homeland, Kremez notes, and also is known for strategic leaks of information aimed at shaping public perception.

“And it’s likely his botnet was also involved in the distribution of email spam linked to Russia’s interference in the” US presidential campaign, he says.

If Levashov ultimately were to be investigated for any ties to the US election, it wouldn’t be the first time he’s dabbled in election-influence hacking. In 2012, his Kelihos botnet was used to send spam emails to Russian citizens with political messages and links to phony news stories about Vladimir Putin’s opponent in that year’s presidential election, Mikhail Prokhorov.

“The lines between criminals and nation-state in Russia are more blurred than places elsewhere. Levashov has been known to play on both sides of the line. In 2012, he used his spamming capabilities to slander Putin’s opponents in the presidential election,” says John Bambenek, manager of threat intelligence systems at Fidelis Cybersecurity.

But Bambenek isn’t sold on Levashov’s involvement in the US presidential campaign hacks. “The hacking of DNC and John Podesta’s email wouldn’t be terribly heavy lifts for him, but they’re not really in his wheelhouse” of operations since those were more social media-centric campaigns, he says.

Headless Botnet

The good news is that the Kelihos takedown could result in less spam and malware-laden email in the short term. “We may see less spam emails being distributed,” Kremez predicts.

Levashov’s arrest may not kill Kelihos in the long run – botnet disruptions often are temporary as botnets get reinvented – but it does have a chilling effect on cybercriminals, at least in the short term. “Every arrest has people thinking, taking a step back,” Fidelis’ Bambenek says. “In some cases, they make improvements, in some cases, they make different decisions” to evade authorities, he says.

The fact that one of the most wanted cybercriminals in the world dared to venture outside of Russia and risk arrest and extradition in Spain suggests he may have become overly confident and complacent about his immunity to law enforcement.

“We’ve known about this guy for a long time. He has operated fairly openly since 1999. I know the Russian authorities had been informed about his operations,” Kremez notes. Levashov may have even wrongly assumed the Russian government would protect him outside of Russia, he says.

Levashov faces wire fraud charges.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: http://www.darkreading.com/attacks-breaches/one-of-worlds-most-wanted-and-prolific-alleged-spammers-arrested/d/d-id/1328600?_mc=RSS_DR_EDT