
The DOT Report: Justice Department Heads 911 S5 Botnet Takedown, Paris Olympics Under Threat

June 25, 2024


The DOT Report covers the largest headlines in cybersecurity news each month to zoom in on the tools, measures, and trends involved in real incidents. This gives us the chance to discuss cybersecurity through a practical lens, demonstrating how our concepts work.

This month, The DOT Report takes a look at how international efforts took down the 911 S5 Botnet, details the misinformation campaign circulating around the Olympic games in Paris, reviews a new report on the performance of SIEM systems, and walks through the emergence of RansomHub.

Join us below to explore these stories and learn about the cybersecurity measures and philosophies in play.

If you want to stay on top of the latest headlines in the cybersecurity space, keep up with recent trends, and learn about the newest technologies on the scene, subscribe to the DOT Security blog.

Widespread 911 S5 Botnet Taken Down

An international law enforcement operation led by the US Justice Department has successfully disrupted a botnet known as 911 S5. The botnet was used for cyberattacks, fraud, child exploitation, harassment, bomb threats, and export violations.

YunHe Wang, a Chinese national and St. Kitts and Nevis citizen, was arrested for deploying malware and running the botnet. The dismantled botnet compromised millions of residential Windows computers worldwide, generating millions of dollars for Wang by offering cybercriminals access to these infected devices.

From 2014 to 2022, Wang allegedly propagated his malware through VPN programs and bundled it with other software. He managed approximately 150 dedicated servers, which he used to control the infected devices and operate the 911 S5 service. The botnet facilitated various cybercrimes, including financial fraud, identity theft, and child exploitation, causing billions of dollars in losses.

“The United States estimates that 560,000 fraudulent unemployment insurance claims originated from compromised IP addresses, resulting in a confirmed fraudulent loss exceeding $5.9 billion.”

Wang earned about $99 million from the botnet, using the proceeds to purchase luxury items and properties globally.

The operation, which involved agencies from the US, Singapore, Thailand, and Germany, resulted in the seizure of assets worth approximately $30 million and the termination of Wang's efforts to reconstitute the service. The US Treasury Department also issued sanctions against Wang and his associates.

Wang faces charges of conspiracy to commit computer fraud, wire fraud, and money laundering, with a potential maximum penalty of 65 years in prison. It is a major win resulting from an investigation that received significant support from international law enforcement and private sector partners.

Paris Olympic Games Being Targeted

Russia has intensified an online disinformation campaign targeting France and the upcoming Paris Olympics. This campaign includes fake news websites and a feature-length documentary aimed at tarnishing the reputation of the International Olympic Committee (IOC) and suggesting that the summer games will face violence.

A key part of the disinformation involves impersonating militant organizations and fabricating threats linked to the Israel-Hamas conflict. Russian-backed entities, identified by Microsoft as Storm-1679 and Storm-1099 (also known as "Doppelganger"), have used various tactics, including digitally generated images and falsified French news websites, to spread these claims.

These entities have amplified narratives of IOC corruption and potential violence at the games and continue to escalate the campaign following the IOC's decision to allow Russian athletes to compete as neutral competitors.

Security Information and Event Management (SIEM) Systems Underperforming

A new report from AI-powered security engineering startup CardinalOps Ltd. reveals that enterprise Security Information and Event Management (SIEM) tools are significantly underperforming in detecting cyberthreats.

Analyzing 3,000 detection rules and 1.2 million log sources across major SIEMs like Splunk, Microsoft Sentinel, IBM QRadar, and Sumo Logic, the report found that these tools cover only 19% of the MITRE ATT&CK techniques, although they have the potential to cover 87%.

The MITRE ATT&CK framework categorizes the tactics used by cyber adversaries, serving as a guide for understanding and defending against cyberattacks. While the current MITRE ATT&CK v14 framework outlines 201 techniques, the enterprise SIEMs examined only detected 38 of them.

Additionally, 18% of the SIEM rules were found ineffective due to issues like misconfigured data sources or missing fields, which can lead to undetected threats.

The report identifies several reasons for this gap, including the complexity of evolving environments, reliance on manual processes, and advanced adversary techniques. Not only that, but security teams are often overwhelmed by the need to manage diverse log formats, event types, and alert types from multiple security tools.

This complexity makes it challenging to implement effective SIEM detections uniformly across different organizational environments.

The findings highlight the inadequacy of a “one-size-fits-all” approach to SIEM detections, as IT environments, regulatory requirements, and team structures vary widely among organizations. The study also notes the increasing prevalence of multi-SIEM environments, with 43% of organizations using two or more SIEMs in production.
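The gap the report describes, between techniques a SIEM actually detects and those its data could support, can be measured with a simple inventory check. The following is an added example, not code from the CardinalOps report or from this post: the rules, the log-source schema and the field names are constructed, while the technique IDs are real ATT&CK identifiers. It flags rules that cannot fire because their log source is not onboarded or a referenced field is absent, then compares actual with potential technique coverage.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    source: str       # log source the rule queries
    fields: set       # fields the rule's query references
    techniques: set   # ATT&CK technique IDs the rule is mapped to
    enabled: bool = True

# Constructed sample inventory (hypothetical rules and schema).
LOG_SCHEMA = {
    "windows-security": {"EventID", "SubjectUserName", "TargetUserName", "LogonType"},
    "sysmon": {"EventID", "Image", "CommandLine", "ParentImage"},
    # the "proxy" source is not onboarded at all
}
RULES = [
    Rule("brute_force_logons", "windows-security", {"EventID", "TargetUserName"}, {"T1110"}),
    Rule("encoded_powershell", "sysmon", {"CommandLine", "Image"}, {"T1059.001", "T1027"}),
    Rule("lsass_access", "sysmon", {"TargetImage", "GrantedAccess"}, {"T1003.001"}),
    Rule("c2_beaconing", "proxy", {"dest_host", "bytes_out"}, {"T1071.001"}),
]

def broken_rules(rules, schema):
    """Return {rule name: reason} for rules that cannot fire on the current data."""
    problems = {}
    for r in rules:
        if r.source not in schema:
            problems[r.name] = f"log source '{r.source}' not onboarded"
        else:
            missing = r.fields - schema[r.source]
            if missing:
                problems[r.name] = "missing fields: " + ", ".join(sorted(missing))
    return problems

def coverage(rules, schema):
    """Return (techniques detected now, techniques detectable once broken rules are fixed)."""
    bad = broken_rules(rules, schema)
    actual = set().union(*(r.techniques for r in rules if r.enabled and r.name not in bad))
    potential = set().union(*(r.techniques for r in rules))
    return actual, potential

if __name__ == "__main__":
    for name, reason in broken_rules(RULES, LOG_SCHEMA).items():
        print(f"BROKEN {name}: {reason}")
    actual, potential = coverage(RULES, LOG_SCHEMA)
    print(f"actual coverage {len(actual)}/{len(potential)} mapped techniques")
```

Running the same check against a real rule export and the schema of each onboarded source surfaces the misconfigured-source and missing-field rules the report counts as ineffective.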

RansomHub Ramping Up Operations

In the shifting landscape of cybercrime, RansomHub has emerged as a significant player, especially appealing to affiliates abandoned by the now-defunct ALPHV/BlackCat. Launched on February 2, 2024, on the RAMP criminal forum, RansomHub invited affiliates to join its new ransomware-as-a-service (RaaS) program, emphasizing security and reliability for its members.

RansomHub's first victim came shortly after, and by April, it had already made a notable impact by targeting Change Healthcare, which had previously been compromised by ALPHV.

Afterwards, RansomHub rapidly claimed 74 known victims, including prominent names like Frontier Communications and Christie's Auction House. The latter's breach has sparked a class-action lawsuit, highlighting potential impact to consumer protection laws due to data brokering and the creation of "fullz" packages—full profiles of individuals that can facilitate serious identity theft and other crimes.

The group's growth is partly attributed to its payment structure, which prioritizes affiliates' earnings, attracting many experienced cybercriminals.

RansomHub operates globally but avoids targeting countries within the Commonwealth of Independent States, Cuba, North Korea, and China—a common practice among Russian-affiliated groups. Its attacks focus on high-value targets in healthcare, finance, and manufacturing sectors, primarily in the US, UK, Germany, Canada, and Australia.

The group's tactics, techniques, and procedures (TTPs) show significant similarities with ALPHV, including overlapping infrastructure and ransomware code, which further suggests a close connection between the two.

The evolution of RansomHub ties back to previous ransomware groups. It shares code similarities with ALPHV, Cyclops, and Knight, with researchers believing RansomHub might have used Knight's source code.

This continuity is part of a broader pattern where ransomware groups rebrand and evolve, maintaining core techniques while changing names and affiliations. Researchers piece together these connections through timelines, TTPs, and detailed analysis of code, infrastructure, and attack methods, revealing the complex web of modern ransomware operations.

Signing Off

The stories this month remind us of the importance of keeping your business technology updated, highlight the ongoing international fight against cybercrime, and shed additional light on the operations and infrastructure of cybercrime syndicates. Together, these insights underscore how critical it is to implement a modern and comprehensive cybersecurity strategy.

By investing in a complete cybersecurity strategy, you put yourself in the best position possible to protect your data, your network, and most importantly, your people.

Subscribe to the DOT Security blog to stay updated on all of the recent headlines, biggest updates, and newest industry trends in the cybersecurity space.