Microsoft has announced that it has successfully disrupted a network of cybercriminals selling access to compromised accounts belonging to various organizations. The operation, which was carried out in collaboration with law enforcement agencies and security partners, targeted a group known as “Necurs,” believed to be behind some of the most prolific hacking campaigns in recent years.
According to Microsoft, Necurs offered a service called “Bulletproof Accounts” that allowed other hackers to buy or rent accounts that had been hacked by Necurs or its affiliates. These accounts could then be used to launch new attacks, such as ransomware, phishing or spam campaigns, against victims’ networks or contacts. Necurs also sold tools and services to help hackers evade detection and maintain persistence on compromised systems.
Microsoft said it used a combination of legal and technical actions to disrupt Necurs’ operations and take down its infrastructure. The company obtained a court order that allowed it to seize control of Necurs’ domains and servers, as well as block its communication channels. Microsoft also worked with Internet service providers, domain registrars and hosting providers to disable Necurs’ assets and prevent them from being reactivated.
As a result of the operation, Microsoft said it effectively cut off Necurs’ access to more than 10 million compromised accounts it had accumulated over the years. The company also said it notified affected organizations and individuals and provided guidance on how to protect their accounts and systems.
Microsoft’s corporate vice president of security and customer trust, Tom Burt, said in a blog post that the operation was a significant achievement in the fight against cybercrime and demonstrated the importance of collaboration between different stakeholders.
“Necurs is one of the largest and most dangerous botnets ever created, responsible for some of the most destructive and widespread cyberattacks in history,” said Burt. “By taking down this network, we have made a huge impact on the cybercriminal ecosystem and reduced the risk to millions of people and businesses around the world.”
Burt also urged users and organizations to take proactive steps to protect themselves from cyber threats, such as using strong passwords, enabling multi-factor authentication, updating their software and backing up their data.
Microsoft recently disrupted a major cybercrime operation that was responsible for creating and selling around 750 million fake Microsoft accounts.
The operation, dubbed Storm-1152 by Microsoft, “operates illegal websites and social networking pages, offering fraudulent Microsoft accounts and tools to bypass identity verification software on popular technology platforms.”
Microsoft says the fake accounts created by Storm-1152 are essential for the operation to continue. “Because companies can quickly detect and shut down fraudulent accounts, criminals need more accounts to circumvent mitigation efforts. Instead of wasting time creating thousands of fake accounts, cybercriminals can simply buy them from Storm-1152 and other groups.”
These accounts allow criminals “to focus on their ultimate targets for phishing, spam, ransomware and other forms of fraud and abuse,” Microsoft says.
One of the groups that collaborated with Storm-1152 is Scattered Spider, which allegedly hacked MGM Resorts recently.
Microsoft collaborated with Arkose Labs in the Storm-1152 investigation and on Dec. 7 obtained a court order from the Southern District of New York to seize the U.S.-based infrastructure and shut down the websites used by Storm-1152.