05 April 2016

CERT-UK / NCA Warning LIRs about Locky

A few days ago I received a curious email to the abuse contact for one of my LIR netblocks as follows;

Subject: [nosign]ip xx.xx.xx.xx
From: xxxxx@cert.gov.uk

Dear Sir or Madam,
 
We would like to draw your attention to irregular activity on what is believed to be your network range.
 
This notification forms part of the National Crime Agency's (NCA) continued efforts to mitigate cyber criminal activity and improve UK cyber resilience following the success of a national campaign in March 2015.
 
Similar information could be brought to you courtesy of CERT-UK Network Reporting (CNR), a service which collects aggregated threat data from providers across the world. Subscribers to this service elect to receive free, up-to-the-minute threat information about their network range.
 
In conjunction with the NCA and UK Regional Law Enforcement teams, CERT-UK encourages hosting providers to:
 
1. Subscribe to the CNR platform; further information is available at https://www.cert.gov.uk/cnr/
2. Participate in the Cyber-security Information Sharing Platform (CiSP); further information is available at https://www.cert.gov.uk/cisp/.
3. Report criminal activity via Action Fraud at http://www.actionfraud.police.uk/
 
Further information on the NCA's National Cyber Crime Unit and UK Law Enforcement is available at http://nationalcrimeagency.gov.uk/about-us/what-we-do/national-cyber-crime-unit
 
Details of the irregular activity is shown below:
---------------------------------------------------------------------  
source  time    ip  asn      Geo       email     company             type       malware description
 
2016-03-08 20:36:33Z      xx.xx.xx.xx            xxxxxx  GB          xxxxxxxxxx        ransomware      locky

The server in question was a headless CentOS 6 install so was very unlikely to be infected with Locky however it does do a bit of web crawling. Curious as to how the NCA / CERT-UK decided I had a compromised machine I wrote back to the person who sent the email and to an NCA NCCU officer I met at UKNOF.

The first reply was from CERT-UK and was 'signed' as "NCA and CERT-UK", they indicated that the server in question was 'calling out' to a domain associated with Locky.

Hi Gareth,
 
The IP xxx.xxx.xxx.xxx was identified because it was calling out to a domain which was being hosted on a server being used to store locky ransomware.
 
Hope this helps.
 
Kind regards,
 
xxxxxxxxxx
 
NCA and CERT-UK

So it seems that my server had been flagged for crawling / hitting a locky C&C server but that still begs the question how they knew? The answer is that the NCA or its partners had seized the domain / server in question and processed the logs;

OFFICIAL

Hi Gareth
 
Thank you for your message, this particular information was obtained from a server log relating to a domain that was identified on the 10th March as being used to store Locky ransomware.
 
With regards to CERT’s Network Reporting (CNR) I understand they issue alerts based on a number of network abuse feeds that they receive as part of their role as the nations CERT.
 
If you have any more queries, please do not hesitate to contact me.
 
Kind regards.
 
 
xxxxxxxxxx xxxxxxxxxx
Senior Officer, xxxxxxxxxxxx
National Cyber Crime Unit  
National Crime Agency

This raises two questions;

  • Were the malware authors keeping a log of everyone they targeted or was the payload being served from an innocent (compromised) 3rd party server?
  • Did the party that seized control of the C&C keep it running (possibly defanged) but tracked all the hosts that connected to it?

Another question that might be one for the Don't Spy on Us coalition is whether the "network abuse feeds" the NCA refer to are a precursor to the Investigatory Powers Bill Internet Connection Records or some other form of feed (e.g. reports from entities like Team Cymru or Symantec)

On one hand I'm really pleased to see the NCA and CERT-UK contacting ISPs with information like this so they can contact their customers to help clean up infections but on the other hand what's to stop the NCA from monitoring those who connect to Tor bridges / relays, torrent servers, wikileaks etc and using that information for nefarious, dystopian purposes?