Endgame
Continuing a string of successful botnet takedowns, on Thursday, May 30th 2024, a coalition of international law enforcement agencies announced "Operation Endgame". This effort targeted multiple botnets such as IcedID, Smokeloader, SystemBC, Pikabot and Bumblebee, as well as the operators of these botnets. These botnets played a key part in enabling ransomware, thereby causing damages to society estimated to be over a hundred million euros.
Compromised accounts involved in operating these various pieces of criminal infrastructure have been shared with Spamhaus, who will help with remediating them.
Data
Use the access key that Spamhaus sent you by email to access the list of affected email accounts below.
What is Operation Endgame?
Operation Endgame is a coordinated international law enforcement action that targeted multiple key cybercrime botnets such as IcedID, Smokeloader, SystemBC, Pikabot and Bumblebee, as well as the operators of these botnets. It is the largest operation ever against botnets involved with ransomware.
An important part of operating cybercrime infrastructure like these botnets relies on the use of stolen credentials. Law enforcement has shared these accounts with Spamhaus, who will help with remediating them.
How were these accounts involved?
Threat actors harvest credentials with remote access tools (RATs) and infostealers, then use the newly compromised accounts to spread malware further or to gain initial access to networks and organizations. The data we provide here covers these breached accounts.
As the data that is being shared has been recovered from various parts of criminal infrastructure, we were not able to verify each entry individually. Some of the reported accounts may be old or may have already been fixed. Due to the nature of the threat we feel that reporting the full set is nevertheless worth the effort.
Please note that the data we share covers roughly the last three months (February 2024 until the end of May 2024); the current situation may be different.
What should be done?
All passwords for the identified breached (email) accounts should be changed as soon as possible.
What should we as the ISP or service provider tell our customers?
Here is a handy template you can use:
Dear Administrator,
Spamhaus, who is working in conjunction with international law enforcement,
has notified us regarding mailboxes that are hosted on a server that your user
controls. These email addresses were identified as having been potentially
compromised for use by the cybercrime groups targeted in Operation Endgame.
We ask that you immediately reset the passwords of these mailboxes to prevent
any further abuse. This is the only action required to resolve this issue. The
list of breached mailboxes identified are as follows:
example@example.com
......
We greatly appreciate any action you take in securing these mailboxes and helping
to ensure that they are not further abused by miscreants to do any harm to
other users on the internet.
Regards,
Example Trust and Safety Department
What do the various fields in the data mean?
Both the JSON and the CSV formats contain the same fields. Here is a CSV example:
#type, ip address, url or hostname, account, password
imap,192.0.2.1, mail.example.com, johnappleseed, *****tree
Type: Type of account (ADFS, IMAP, SMTP)
IP: IP address of the mailserver or ADFS server the account belongs to
Hostname: Hostname of the mailserver or ADFS server the account belongs to
Account: Account username
Password: The (partially redacted) password as it was found
A note on timing: this is information as-is from the malware infrastructure. We recommend a password reset if one has not been done recently, since the dataset was in active use until very recently and may have been shared with other bad actors as well.
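As an added illustration (this is not code from Spamhaus or from the Endgame data portal), the following Python script parses the CSV layout described above, deduplicates repeated entries per mailserver (the same mailbox typically appears once for IMAP and once for SMTP, or several times across harvests), drops the password column so it is never forwarded, and fills in the notification template for each host. The sample rows are constructed for this example, using RFC 5737 documentation addresses and example.com/example.net hostnames.

```python
"""Group breached accounts from the Endgame CSV feed per mailserver and draft notifications.

Constructed sample input; the column layout follows the documented fields:
type, ip address, url or hostname, account, password (partially redacted).
"""
import csv
import io
from collections import defaultdict

# Constructed sample rows (documentation IPs from RFC 5737, example.* hostnames).
SAMPLE_CSV = """\
#type, ip address, url or hostname, account, password
imap,192.0.2.1, mail.example.com, johnappleseed, *****tree
smtp,192.0.2.1, mail.example.com, johnappleseed, *****tree
IMAP, 192.0.2.1, mail.example.com, jane.doe@example.com, *****rose
adfs,198.51.100.7, sts.example.net, CORP\\svc-backup, *****2024
imap,192.0.2.1, mail.example.com, johnappleseed, *****tree
"""

FIELDS = ("type", "ip", "hostname", "account", "password")


def parse_feed(text):
    """Return one dict per data row, with whitespace stripped and the type lowercased.

    The header line starts with '#' and is skipped, as are blank lines and rows
    with the wrong number of columns (skipped rather than guessed at).
    """
    rows = []
    for record in csv.reader(io.StringIO(text)):
        if not record or record[0].lstrip().startswith("#"):
            continue
        if len(record) != len(FIELDS):
            continue
        row = {key: value.strip() for key, value in zip(FIELDS, record)}
        row["type"] = row["type"].lower()
        rows.append(row)
    return rows


def group_by_host(rows):
    """Map (hostname, ip) -> sorted list of unique account names.

    Passwords are deliberately dropped here: the administrator notification
    should only carry the account names, never the recovered credentials.
    """
    grouped = defaultdict(set)
    for row in rows:
        grouped[(row["hostname"], row["ip"])].add(row["account"])
    return {key: sorted(accounts) for key, accounts in grouped.items()}


def notification_body(hostname, ip, accounts):
    """Fill the page's notification template for one server and its mailbox list."""
    header = (
        "Dear Administrator,\n\n"
        "Spamhaus, who is working in conjunction with international law enforcement,\n"
        f"has notified us regarding mailboxes hosted on {hostname} ({ip}), a server\n"
        "that your user controls. These email addresses were identified as having been\n"
        "potentially compromised for use by the cybercrime groups targeted in\n"
        "Operation Endgame.\n\n"
        "We ask that you immediately reset the passwords of these mailboxes to prevent\n"
        "any further abuse. This is the only action required to resolve this issue. The\n"
        "list of breached mailboxes identified are as follows:\n\n"
    )
    footer = (
        "\n\nWe greatly appreciate any action you take in securing these mailboxes and\n"
        "helping to ensure that they are not further abused by miscreants to do any harm\n"
        "to other users on the internet.\n\nRegards,\nExample Trust and Safety Department\n"
    )
    return header + "\n".join(accounts) + footer


if __name__ == "__main__":
    for (host, ip), accounts in sorted(group_by_host(parse_feed(SAMPLE_CSV)).items()):
        print(notification_body(host, ip, accounts))
        print("-" * 72)
```

Grouping on the (hostname, IP) pair rather than on hostname alone keeps entries apart when the same name resolves to different servers over the reporting window; in practice you would then map each pair to the customer who controls that server before sending the notice.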
Where can I find publications about Endgame and the takedown?
Official publications: Operation Endgame website
Europol: Largest ever operation against botnets hits dropper malware ecosystem
Dutch National Police: Multiple botnets dismantled in largest international operation against ransomware ever (original title: Meerdere botnets ontmanteld in grootste internationale operatie tegen ransomware ooit)
You contacted us at the wrong/out of date address, can this be changed?
Yes! Please tell us what addresses we should use instead by emailing:
remediation-team@spamhaus.org.
I have a question that is not answered here
You can get in touch with the team via our contact form.