
Published on April 17th, 2020 | 2390 Views


Microsoft helped stop a botnet controlled via an LED light console



Microsoft says that its Digital Crimes Unit (DCU) discovered and helped take down a botnet of 400,000 compromised devices controlled with the help of an LED light control console.

The threat actors who controlled the botnet used it for a wide range of purposes, from phishing campaigns and malware distribution to ransomware payload delivery and distributed denial-of-service (DDoS) attacks.

"To the team’s surprise, these activities correlated to as much as one terabyte (TB) of malicious content being sent out a week," Microsoft said.

LED light control console used to launch cyberattacks

"The DCU team delved deeper by mapping more than 400,000 publicly available IPs and narrowed that information down to 90 suspicious IPs," the report explains.

"An open data search of those 90 IPs further refined the analysis and revealed something alarming: One particular IP was associated with dozens of activities related to the distribution of malware, phishing emails, ransomware, and DDoS attacks."

In August 2019, the Microsoft DCU Taiwan team alerted Taiwan's Ministry of Justice Investigation Bureau (MJIB) and shared its findings.

Using the intelligence supplied by the DCU, MJIB's agents tracked down the IP address behind these attacks. They found that several accounts, hidden behind a VPN and using that IP, were behind malware attacks launched "from inside an office building in rural northern Taiwan."

"Usually, cybercriminals use compromised PCs to launch cyberattacks," Microsoft said. "But this time, the source was identified as a LED light control console, a seemingly insignificant IoT device."

The MJIB shut down the device, which the attackers had been using as the botnet's command-and-control server, stopping it from distributing further malicious payloads and launching more DDoS attacks.

22 botnets taken down since 2010

The botnet was discovered after a DCU Taiwan analyst noticed an anomalous spike in botnet signals that grew more than 100-fold within a single month.

That observation triggered the Taiwan law enforcement operation that led to the shutdown of a 400,000-device botnet controlled through a harmless-looking IoT device.
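The two analytic steps the article describes, narrowing hundreds of thousands of public IPs to a short list of suspicious ones and then singling out the one IP tied to many distinct malicious activities, plus the month-over-month signal spike that first caught the analyst's attention, can be sketched in a few lines. The following is an added illustration, not Microsoft DCU or MJIB code, and every sighting record in it is constructed sample data drawn from RFC 5737 documentation address ranges; the thresholds (3 sightings, 100x growth) are assumptions chosen to mirror the figures in the text.

```python
"""Toy IP triage and spike check (added example; constructed data)."""
from collections import Counter, defaultdict
from datetime import date


def build_sightings():
    """Constructed sample records of (ip, activity, observed_date).

    In practice these would come from spam traps, sinkhole logs and abuse
    feeds; here they are invented so the example runs offline.
    """
    rows = []
    # Background noise: many IPs seen once, as in the 400,000 public IPs.
    for i in range(50):
        rows.append((f"203.0.113.{i}", "scan", date(2019, 7, 1)))
    # A couple of IPs with repeated single-category activity.
    for d in range(1, 6):
        rows.append(("198.51.100.7", "phishing", date(2019, 7, d)))
        rows.append(("198.51.100.9", "ddos", date(2019, 7, d)))
    # The outlier: one IP tied to every category, with a July-to-August jump.
    rows.append(("192.0.2.44", "malware", date(2019, 7, 1)))
    rows.append(("192.0.2.44", "malware", date(2019, 7, 2)))
    for d in range(1, 31):
        for activity in ("malware", "phishing", "ransomware", "ddos"):
            rows.append(("192.0.2.44", activity, date(2019, 8, d)))
            rows.append(("192.0.2.44", activity, date(2019, 8, d)))
    return rows


SIGHTINGS = build_sightings()


def narrow_suspicious(sightings, min_sightings=3):
    """Stage one: keep only IPs seen at least min_sightings times."""
    counts = Counter(ip for ip, _, _ in sightings)
    return {ip for ip, n in counts.items() if n >= min_sightings}


def rank_by_activity_breadth(sightings, candidates):
    """Stage two: rank candidates by how many distinct malicious activity
    categories they are associated with, then by total sightings.

    Returns a list of (ip, distinct_activities, total_sightings) tuples,
    most suspicious first.
    """
    activities = defaultdict(set)
    totals = Counter()
    for ip, activity, _ in sightings:
        if ip in candidates:
            activities[ip].add(activity)
            totals[ip] += 1
    ranked = [(ip, len(activities[ip]), totals[ip]) for ip in candidates]
    ranked.sort(key=lambda row: (-row[1], -row[2], row[0]))
    return ranked


def monthly_spike(sightings, ip):
    """Compare the latest calendar month of sightings for ip with the
    month before it. Returns (previous, latest, ratio); ratio is None when
    there is no earlier month to compare against.
    """
    per_month = Counter((d.year, d.month) for s_ip, _, d in sightings if s_ip == ip)
    months = sorted(per_month)
    if len(months) < 2:
        latest = per_month[months[-1]] if months else 0
        return (0, latest, None)
    prev, latest = per_month[months[-2]], per_month[months[-1]]
    return (prev, latest, latest / prev if prev else None)


def is_spike(sightings, ip, factor=100):
    """True when the latest month's sightings grew by at least `factor`."""
    ratio = monthly_spike(sightings, ip)[2]
    return ratio is not None and ratio >= factor


if __name__ == "__main__":
    suspicious = narrow_suspicious(SIGHTINGS)
    for ip, breadth, total in rank_by_activity_breadth(SIGHTINGS, suspicious):
        print(ip, breadth, total, "spike" if is_spike(SIGHTINGS, ip) else "")
```

The ordering matters more than the exact thresholds: volume alone makes an IP suspicious, but an IP that shows up across unrelated categories (malware, phishing, ransomware, DDoS) is far more likely to be shared infrastructure such as a command-and-control host than a single compromised client, which is why breadth of activity is the primary sort key.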

"This case marks a milestone," Fu-Mei Wu, the Director of MJIB’s Information and Communication Security Division, said.

"That’s because we were able to take down the IoT device and secure the breach to a limited range for those compromised computers in Taiwan, which is quite different from our previous global cooperation cases."

In total, Microsoft's DCU team has taken down 22 botnets so far since 2010 with the help of ISPs, domain registries, government CERTs, and law enforcement agencies from across the world.

Last month, Microsoft and industry partners coordinated the takedown of Necurs, one of the largest spam botnets ever seen, which had been distributing malware payloads and infecting millions of computers since 2012.

According to Microsoft's investigation, a single Necurs-infected device was observed sending roughly 3.8 million spam messages to over 40.6 million targets within 58 days.
