The Microsoft Threat Intelligence Podcast 7.23.25
Ep 49 | 7.23.25

Inside Microsoft’s Global Operation to Disrupt Lumma Stealer’s 2,300-Domain Malware Network

Transcript

Sherrod DeGrippo: Welcome to the "Microsoft Threat Intelligence Podcast." I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cyber crime, social engineering, fraud? Well, each week dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. But don't worry. I'm your guide to the back alleys of the threat landscape. The malware wasn't loud. It didn't crash systems or disrupt operations. Instead it ran quietly stealing passwords, exfiltrating data, and quietly infecting nearly 400,000 Windows machines around the globe. This malware? Lumma Stealer. It's a slick customizable tool for digital theft used by hundreds of criminals looking to profit off of your data. But this time the story didn't end with ransomware and a catastrophe. It ended with a global takedown. In a coordinated operation across multiple countries and industries Microsoft's Digital Crimes Unit, working alongside the U.S. Department of Justice, Europol, Japanese authorities, and other cybersecurity companies, seized control of 2,300 malicious domains, dismantled Lumma's infrastructure, and cut the cord on one of the most widespread info stealer operations in recent memory. I am Sherrod DeGrippo, director of threat intelligence strategy at Microsoft. And today I am joined by two of the people at the center of that mission, Richard "Bosco" Boscovich, assistant general counsel at Microsoft DCU. Bosco helped lead the legal charge securing court orders, authorizing domain seizures, and leveraging civil law to outmaneuver criminals at scale. I'm also joined by Derek Richardson, principal investigator at the DCU. Derek was on the digital front lines mapping out Lumma's infrastructure, coordinating with our global partners, and gathering the intelligence that made all of this possible.
We'll explore how this stealthy malware was stopped in its tracks and what it tells us about the evolution of the crime ecosystem. We'll also learn how public-private partnerships are impacting the playbook for all of you who are defenders. So Derek, Bosco, welcome to the "Microsoft Threat Intelligence Podcast."

Richard Boscovich: Thank you for having us.

Derek Richardson: Glad to be here.

Sherrod DeGrippo: So we love the DCU, the Digital Crimes Unit at Microsoft. Derek, could you give our listeners just kind of a quick overview of what the DCU is and what it does?

Derek Richardson: Sure. Yeah. So I've been with the DCU for about 12 years now and so over the course of that, those 12 years, the mission's actually changed quite a bit. It's been, you know, taking down cyber crime generally, but the types of cyber crime, the subject matters that we've dealt with, have changed quite a bit. Earlier on there was a lot of Windows license key pirating stuff we'd go after. At that same time Bosco already had his malware disruption cases up and running. And then we kind of we did some other things. We did online child exploitation work. We did tech support fraud work. We still do some of that, you know taking down Indian call centers with law enforcement, things like that. We're focusing quite a bit on business email compromise which is essentially spear phishing for highly moneyed organizations. And we still do a lot of malware disruptions like this Lumma one and this was I think pretty successful. So glad to be a part of that one. And we're focusing quite a bit now on disrupting malicious use of AI as well. And so yeah. It's really any kind of cyber crime that we think is particularly high priority to take down so that we can better protect our customers and just better clean up the internet kind of generally.

Sherrod DeGrippo: I love that. It really is a kind of like superhero role really taking on the like villains across the ecosystem and finding ways to disrupt them and impose cost which is a huge mission as well for MSTIC. Threat actor disruption is the forefront of how we think and how we make decisions. So Bosco you've been on the show before and you do something that I find endlessly fascinating. So I'm going to ask you if you could walk us through the legal reasoning behind this Lumma action. What are the legal mechanisms that we use? Because your audience here is threat intelligence analysts, detection engineers, cybersecurity professionals. We're not necessarily familiar with the law like you are.

Richard Boscovich: Yeah. I mean again thanks for having us. It's always great coming back and then going over some of our work. I mean this case really is from a legal perspective and from an investigative perspective it was really a huge lift for the investigators such as Derek and the rest of the team. On the legal side, you know, we've been doing this for quite some time. And so we've kind of developed our playbook. And we have kind of some standard causes of action on the civil side that we use. The more interesting one here which we've used in the past, but we had to apply given the type of organization we were looking at, was basically the RICO Act again, the Racketeer Influenced and Corrupt Organizations Act.

Sherrod DeGrippo: RICO -- sorry to interrupt, but RICO is like what they use for the mafia and like organized crime. Right?

Richard Boscovich: Yeah. In fact if you look at it historically, you know, if you're into like movies and the law, this is interesting. RICO basically was passed in the I think it was the mid '70s. It was kind of like the result of the opium and the drug wars in Brooklyn that actually made it into a film that to this day is kind of really, really big. That -- with Gene Hackman. The name escapes me right now. But it basically is kind of like a conspiracy, but it's a bit easier to plead. And the reason why we use it is because there's a civil component. In other words a civil litigant could actually bring a civil RICO case as opposed to, for example, a criminal conspiracy case, which is a Title 18 case that can only be brought by the government. So in this case, and Derek will go into some detail, what they were doing basically is, you know, selling this as a service. There were multiple players and each player did different types of things from developers to folks that then bought the kit and then set up their own infrastructure. So legally how do you put all of these different players, many of them might not need to know each other, into one particular legal action? We have to use RICO because RICO allows us to kind of bring them all together. It's a racketeering corrupt organization and they're all pursuing a common goal and purpose, but we don't have to prove that they know each other, only that they're acting in a way that furthers the purpose. So that was kind of like the main mechanism that we used to bring everybody in from the developers to the folks that marketed it, to the folks who bought it and implemented it and was doing the fraud. And then underneath that you go ahead and have your standard causes of action such as intrusion, trespass to chattels which reviews -- we've pioneered for over 17 years. And other [inaudible 00:07:34] type copyright, trademark type of causes of action as well, Sherrod.

Sherrod DeGrippo: What is trespass to chattels?

Richard Boscovich: It's interesting because it's one that it's a common law concept that's been on the books for I want to say about 1,000 years. At least 900. And basically we -- whenever you would go on someone's property you'd be you're trespassing on their chattels or you're stealing something from them. So what you do is you analogize the trespass to chattels common law into our operating system. So something that goes on Microsoft's OS since we own it it's basically property. Right? Or our services without authorization. That gives you a cause of action. So we're able to leverage that as one of the causes of action for this particular case. And we've used it successfully since at least 2010 in multiple different types of malware operations as well.

Sherrod DeGrippo: So you're talking about a physical trespassing law that is hundreds of years old was instrumental in disrupting an info stealer piece of malware today.

Richard Boscovich: Yeah. I mean that's -- I think that's one of the things that the DCU does that we're very proud of is that, you know, sometimes you don't have a specific statute on the civil side to bring the cause of action so you have to be somewhat creative. And we've -- we've been very creative with trespass to chattels, tortious interference with a contractual relationship which is another common law tort, and all of these things. In addition to leveraging RICO. By the way, the movie was "The French Connection." It just occurred to me.

Sherrod DeGrippo: Everyone check that out. Go see "The French Connection" if you want to see some early RICO stuff.

Richard Boscovich: Yeah. That was the basis for it. It was a great movie too. You know so using this cause of action in unique and novel ways to address the types of malware that folks like Derek and the team are able to identify.

Sherrod DeGrippo: So Derek that's a good place to kind of talk with you. Take me behind the scenes a little bit. When did you first identify Lumma? When did you decide it was kind of at that high priority threat level? How does this stuff get into your pipeline?

Derek Richardson: Sure. Yeah. So Lumma's been out there for a few years and kind of the industry's been aware of Lumma as a growing problem for the last few years. And we started looking seriously at Lumma last summer. So last summer at DCU we decided we're going to disrupt a malware operation. We hadn't decided which one. So we probably had half a dozen candidates and so we talked to folks like Defender and --

Sherrod DeGrippo: Let me ask you. Let me ask you quick. Like so are you sitting there with like the crime malware ecosystem in front of you, like a bulleted list of like, you know, the old days it would be like Emotet and Demodex and Bumblebee, and like you're looking at lists of malware and you're saying, "All right. Who do we want to disrupt?" Who is the top priority here?

Derek Richardson: Yeah. Exactly. Yeah. And so we would --

Sherrod DeGrippo: That is so cool. That is so cool.

Derek Richardson: And so we'd compile these lists working with external partners like BitSight and ESET or some -- we've partnered with them on this operation as well as others. Also internally Defender. Speak to folks from MSTIC. Basically get our consensus of what's really important to you. What's causing the biggest problems out there in the world really? And so we had probably I don't know five or six serious candidates. And after discussing and all sorts of -- with all sorts of folks and stakeholders for a while, we decided on Lumma. We knew it was the world's largest info stealer. And so that was a big part of it. There were some other candidates that we were considering. I won't really get into those ones. There were different reasons for selecting different ones potentially, but Lumma we knew it was broadly active. It was pretty well known. It'd been pretty well documented by, you know, researchers for quite a while. And so we decided on Lumma I don't know maybe November. And so, you know, it was a pretty quick turnaround between deciding yes this is the one we want to go after and then filing the case in May which is maybe six months in. We didn't really get in it operationally until after the holidays. Right? And so we did a really quick turnaround on this and so once -- after the holidays we kind of got into it operationally. That's when we just started reverse engineering the malware. So we had a couple great kind of world-class reverse engineers who work with us. So they'll get samples of the Lumma clients, the Lumma actual -- the malware. They'll take it apart. They'll look at it, figure out how it works. And one of the things that the investigators such as myself were really interested in is what's the infrastructure here. So all the infected machines when they get infected with Lumma there needs to be communication between the infected device and some kind of server. Right? What we call a C2 or command and control server.
And Lumma being an info stealer one of the main things it wants to tell to the infected host is what to steal. Right? And with Lumma a lot of the stuff it's financial stuff, it's crypto stuff, it's sensitive user information from the browser, really anything of any value to steal. The C2 servers will tell the infected computers, "Hey, this is what we want to steal." And then it would exfiltrate it back to the C2 servers. Right? And so the whole point of these disruption operations is to take down all the C2 servers because if all the C2 servers no longer exist then the infection doesn't really mean anything. Right? Because you've got this info stealer that can steal something, but it doesn't have anywhere to send it. Right? So you protect the current victims as well as future victims from being infected.

Sherrod DeGrippo: Real quickly for our malware analysts out there I'm going to give you a quick rundown on some of the features. It can get usernames and passwords from your browser. It can extract login data, cookies, all of your autofill form entries and browser history. It also targets cryptocurrency wallets looking for online banking information, payment information, any financial services that you're connecting to. And as with most malware that we've seen in this, you know, family, info stealers typically will always send back things like IP address, information about the operating system, what software's installed, processes that are running, IP address, geolocation information. But Lumma Stealer specifically was sold as a service and had capabilities that were customizable to the purchaser of that service it sounds like. So it was kind of like a nicely bespoke piece of malware as a service if the customer had something specific they wanted.

Derek Richardson: Yeah. That's a great description.

Sherrod DeGrippo: And I see pricing anywhere from 250 to $20,000. Do you have pricing info?

Derek Richardson: A little bit. Probably not much more than what you have there. So it was sold by the developer to the kind of malware operators in different packages. You got the really kind of the poverty spec one, right, the $250 one.

Sherrod DeGrippo: Poverty spec. That's the Kirkland signature brand of the malware. Sure.

Derek Richardson: Or you can get the, you know -- the fully loaded version for the whatever it is, $20,000, $25,000, which gets you the source code and whatever kind of goodies come with that. But that's just one way that this stuff was operated. Right? So you've got the developer or developers who offer the code or whatever it is and then they sell to the malware operators. Right? And then malware operators deploy it, they run it, and then they're the ones who actually collect, harvest, the credentials. Right? And so those guys are the ones who would then sell the credentials. And they were selling it primarily through automated bots on Telegram where they'd sell the credentials through what we call credentials as a service.

Sherrod DeGrippo: Got it. So that's the malware. That's kind of how you checked and prioritized where you wanted to go. You picked Lumma Stealer. So I think, Bosco, how does that connection from Derek and his group saying, "Hey, we want to take some action. Lumma Stealer seems like a big problem." How did you connect together to figure out what the go-forward plan is?

Richard Boscovich: Well, I mean as Derek was mentioning, and he kind of went over some of the specs, mentioned kind of the overall organizational structure, hence why we just thought we discussed a RICO Act, but you know how do you get all these individuals that are involved into one -- into a legal action? The thing that we kind of discussed seriously is how expansive the infrastructure was. And remember our legal actions are primarily U.S.-focused basically. In essence. In other words, we have jurisdiction for all the infrastructure domestically. And I think what Derek located doing his investigation with the rest of the team that a lot of us thought for some time being hosted overseas in places where we just don't have any type of legal jurisdiction or we just didn't have time to file something from a strategic perspective this case was probably the most complex collaborative effort that we've ever done. And what I mean by that is that there was a lot of private sector partners that did a lot of work, folks like ESET and others. A lot of the C2 infrastructure was all proxied so we had to work very closely with the individuals at the company proxy and these are like legitimate companies that want to do the right thing. And so coordinating all of that sometimes involved reaching out to some companies. One of the things you don't want to do when you file some of these legal pleadings, especially when you're dealing with a legitimate company that may be hosting something they're not aware of -- you have to make the decision as to whether you'll reach out to them. And then engage with them and say, "Hey, look. We've got a problem here." And then you have to be prepared. And this is where I kind of turned to Derek and the team. We have to be prepared to demonstrate to this company that, look, unbeknownst to you you're hosting these things. And here's the evidence. Once you do that it's amazing how many of these companies do want to cooperate, and it's great.
It's a community effort. So then it's a question of working with them and asking them, "Hey, do you need a legal process to, you know, coordinate with us as we seize these domains with a legal process? Do you need legal process to take action against this?" Sometimes they do, but sometimes they don't. Sometimes they say, "Look. These are violations of our terms of use. You want to coordinate with us so that everything has to happen at the same time, we will." So all those discussions both domestically and internationally really was even more complex than drafting the civil case that we filed. And folks like Derek and others on the team and myself took a lot of time reaching out to these companies as some of them are international companies. So we had to basically explain everything, demonstrate what the harm was, and like I mentioned a lot of them at the end would do the right thing and we were able to coordinate something at a very high level right down to like I'd say -- Derek what? Within like one or two hours I would say during the operation. On the same day across multiple time zones. So if there's one takeaway from Lumma on the execution side it was that deep collaboration both on the private and public sector and we're really proud of that and it really demonstrated how the main players in the infrastructure across the planet are willing to cooperate if you reach out to them and explain the situation and have the evidence.

Sherrod DeGrippo: So just so I kind of understand, you're saying when you reach out to these companies that are like service providers, platforms, VPN providers, they're being leveraged by the malware to -- they're being leveraged as a piece of infrastructure to allow that malware to operate. And you ask them, "Hey, do you require some kind of legal order to be able to disrupt this -- like to close this account." For example. "Or can you just do it under abuse of your terms of service?" What is the breakdown usually? Are most organizations saying, "No. No. I've got to get a court order." Are most of them saying, "Oh yeah. We'll terminate an account no problem." Where does that usually fall?

Richard Boscovich: You know, I think it would be 60% they can do it under terms of use and about 40% they want a court order. And there are multiple reasons why and we understand that. And so what you don't want when you file one of these cases, for example if you're a federal judge you're going to issue a bunch of orders to what we call third parties, third parties which are not really the targets of the -- they're not the defendants. So you use something called the All Writs Act which is inherent in the court which is the power of the court to compel a non-party to the lawsuit to do something. So the judge has the authority, but we want to make sure that the court knows that it's necessary to use that authority under the All Writs Act. So what we do is we reach out to the legitimate and responsible companies and ask them the question. And if -- and even if they do require an order which will be issued by the court we're very cognizant that every company has a different infrastructure. It depends on how you do things internally. And sometimes there's some technical language that has to be in the order so we just ask them, "Hey, do you need some unique language in the order?" And we work with them on the wording of the proposed order for the court. And the court appreciates it. They appreciate it. And it speeds up the system because what you don't want is that you get an order that's somewhat generic from the court. Even if they're expecting an order the company receives the order because they need it and they say, "Oh my god. We can't use this order because of some technical issue." So we try to get all of this out of the way early on, coordinate with the infrastructure providers, the legitimate ones, so that if we need an order we have the right language in the order so that all the court has to do is, if it accepts the order, execute and sign the order.
And if they don't need the order then we simply coordinate on the terms of use, as you mentioned, and then it's a question of Derek and their technical team coordinating on the timing of the execution.

Sherrod DeGrippo: Fantastic. I think that's so interesting that every company has different business processes and different ways that they're reducing risk and different, you know, things that they want to adhere to just for their own processes going forward. So I'm always interested in like what that landscape looks like. I want to talk about the sinkholes. So 2,300 domains were seized. How does Microsoft handle that? What do we do? We get 2,300 domain registrations assigned to Microsoft and then how does that work? What does that look like?

Derek Richardson: Sure. So there's a whole chain of things that need to happen. Right? So first we'll have to let either the domain registries or the registrars know that we should take these domains over. Right? Historically we've gotten court orders that will be sent to U.S.-based domain registries that would say essentially, you know, all these domains got to transfer them to Microsoft from whoever the current registrant is. Give them to Microsoft. Right? With this last operation we also worked with registrars and so we got court orders for registrars and registries that had domains that were these malicious command and control servers. And so we get them delivered to our registrar and so our -- whose DCU information would be on these domain sites. You can go and look them up, all Lumma domains. You could -- you'll see Digital Crimes Unit under WHOIS information.

Sherrod DeGrippo: Our listeners absolutely are typing this into WHOIS right now. Seriously they are.

Derek Richardson: You'll see them there.

Sherrod DeGrippo: Yeah.

Derek Richardson: But also we get a fair amount of domains voluntarily from some registries and registrars that we'll work with, we'll partner with. Right? So we won't need to go the court order route. And that's particularly useful if the registry or the registrar is outside the United States in which case a U.S.-based court order's not going to mean too much to them anyway. So by having these partnerships where these people will volunteer this stuff, these registries, registrars, basically we get a lot more domains and we can sinkhole. Right? So once we get these domains into MarkMonitor, who's our registrar, you know, we'll set the name servers. We'll create the DNS records and so forth. So all these domains will start sending all the traffic, the victim traffic really, which would be going to these malicious domains. They'll now be going to our sinkhole which is just a server that's collecting all the traffic that's going to these command and control servers. Right? Because now they're pointed to our sinkhole. And so the real reason we have this sinkhole is so we can collect information to help the victims remediate. Right? So we'll collect things such as the IP addresses of all the victims. Right? And so then we can push that data out to a number of different customers. Right? So say it's a big customer. We can let them know, "Hey, we saw that these IP addresses which are part of your infrastructure are infected with Lumma or whatever the malware is at the time." And then, you know, these organizations can take part to remediate that. But it goes beyond just big organizations. We also push it out to ISPs and so forth. And then ISPs can kind of help remediate the consumer customers.

Sherrod DeGrippo: And I imagine that there's a significant partnership with our Defender research teams who are constantly looking at ways to use that information acting as the sinkhole to write better detection capabilities within Defender, and put threat intelligence into the MSTIC portals and things like that.

Derek Richardson: Yep. All that. So the sinkhole is part of what we call the Cyber Threat Intelligence Program, CTIP, as well. And so we collect all this information through the sinkhole and then the CTIP program is what we used as a vehicle to push out this data. But we also push it out to internal customers such as, you know, MSTIC and Defender. The whole Microsoft threat intelligence community can leverage this data in their own analytics.

Sherrod DeGrippo: I love that. And I love that, you know, Microsoft has so many teams working on security. Like there's a lot of us. And I love that we really do try internally to share as much as we can to disrupt threat actor activity. Ultimately, you know, we're really seeing MSTIC or DCU or any of us like our goal is to mitigate global abuse of Microsoft, Microsoft services, and better protect the global footprint of Microsoft. And the little offshoots and tangents that come from that are amazing. Things like this Lumma Stealer really does go back to the mission of, you know, mitigating abuse of Microsoft platforms.

Richard Boscovich: I mean you know Sherrod there's one thing I would like to add. You know, as Derek pointed out, you know, with the CTIP program and the remediation notification, you know, when we started the whole thing most victims don't even know they're victims. Right? That's the whole problem, you know. And that's always been an issue and there's always been a tension there in terms of, you know, how fast you move to take down the infrastructure. But ultimately as you mention our job is to protect our customers and actually basically to protect folks on the internet period. And the ability to sinkhole this information allows us to identify the victims who don't know they're victims. And then as Derek pointed out work with ISPs, telcos. Relationships are like British -- Deutsche Telekom, AT -- you know, it doesn't make a difference. You know, we know their ASN ranges, their IP ranges. They'll know who these individuals are, who the victims are. You know, we only collect the bare minimum. We don't want to, you know, touch that box in ways that would upset people. So all we need is, "Hey, IP, date-time stamp belongs to this ISP." We give it to them. And tell them Lumma. They've got a problem. And they could go ahead and address their issues with their customer. And if we need to support them in terms of cleaning tools we provide it to them. So at the end of the day that is -- you know, that is the objective. Identify those victims and remediate those victims. Again working in a community, working across companies and across the infrastructure which is more and more a big part of everything that we do from an operational perspective at DCU.

Sherrod DeGrippo: I think that's a really good point to call out, you know, the way I sort of say it sometimes sort of in a lighthearted way is that Microsoft has a lot of friends. We've been really good I think at developing relationships analyst to analyst, certainly in MSTIC, but I'm sure in you know the legal side of the house, the general counsels, across multiple organizations and infrastructure providers and public sector. Everyone sort of is really looking to go after the same threat actors which I think in the security industry we all feel that that's our job. That's our number one job is to disrupt threat actor activity. And so, you know, regardless of if we have different names for things or if we approach things differently we all really are going after the same actors. Let me ask you about a public partnership. Europol and Japanese authorities are a big part of this. Can you kind of give an idea? It sounds like when you said U.S.-based you said that a couple times. We had to go to Europol for some of these takedowns as well. How did that work?

Richard Boscovich: Great call out to Europol's EC3. Their EC3 basically is EU countries plus other law enforcement agencies. It's kind of like their one-stop shopping. So when we needed to kind of look at this infrastructure and Derek would say, "Look. We have all this stuff on Telegram. We have all this stuff on hailing from maybe a registry that comes from a TLD that's based in Europe." I know we don't have legal process there. So working with Europol and their EC3 we were able to coordinate with law enforcement agencies throughout Europe in order to be able to ask them, "Hey, you know, in this situation if you guys have an open case or an interest how could you help us?" And it was amazing that they do have those contacts and they were able to assist us, us providing the technical evidence that Derek and the team would, you know, write up and provide. And they would go and kind of interface with these organizations and kind of emulate what we would do here in the United States with the private sector and companies. Like I mentioned, we would go out, talk to them, show them. They would do the same thing but it would be coming from a European law enforcement agency to a particular registry or a particular company that's hosting C2s. And that proved amazingly helpful for us because it again allowed us to go ahead and address infrastructure outside of the United States beyond the court order. Now having said that I do want to put one -- I want to say one quick thing. Many times these legitimate companies even though they're not part of the United States, the court orders here have no relationship, it has no power whatsoever, we would provide the order sometimes just to demonstrate to them that, hey, this technical information we're providing to you as evidence, hopefully it will be like an abuse takedown: a court in the United States found that sufficient and has acted upon it.
And that actually helps them triage their abuse so it's not just someone sending an abuse request. Hey, wait a minute. It's coming from Microsoft. They found a federal civil case in the United States with this, and they're providing us the evidence. So it really meets, you know -- and it would meet all their criteria. So that helps them accelerate their process and hopefully accelerate the process by which they're able to take down the infrastructure if it's overseas pursuant to the terms of use and we really can't touch it.

Sherrod DeGrippo: I love all of these legal mechanisms. And I think it's just fascinating because I feel like, you know, there is almost this wild west feel sometimes still to the internet. There certainly was if you're familiar with the term Eternal September. I mean I feel like we're in school now. Like it's done. The wild west has kind of been tamed, but the legal side of it has not caught up in a lot of ways. And so I think that's where a lot of the creativity that DCU relies on comes from. I want to understand 400,000 infections. 400,000 instances of Lumma Stealer that we saw. What does that tell you about what the malware ecosystems and the crime ecosystems are doing today? Bosco, you have any thoughts on sort of what we're looking at here since you've been in this game for a long time?

Richard Boscovich: I don't have a crystal ball, but clearly what's been going on I think is you're seeing the whole malware as a service just take off completely. Right? I think that is how deep is this model. It's something that we're seeing more and more of. Back in the day it wasn't like that. You know when we started back, way back from Waledac and all those old old malware operations, it was one guy or Rustock. It was his spam bot. He controlled it. And if you wanted to send spam you'd send it to him and he'll send it to you and he kind of charged you for it. But this whole hey look, you know, I have this little kit I'm going to develop and I'll sell it to you and you can do your own thing versus I mean that seems to be the new thing now full bore where everybody's doing it. And the other thing that's really complicating matters, it's good and bad, is that they're really diversifying their infrastructure tremendously. You know, way back in the day again I use the Rustock example, an operation where all of the infrastructure, literally all of it, was in the United States. And when we executed it we just took the whole thing down. Complete disruption. That's more and more difficult now. Some -- you know you're getting really good disruptive actions, but it's hard to take everything down simultaneously when it's globally located. That's why this operation which is still ongoing in many ways is an indication of an ongoing disruptive action. That's kind of like what we've been doing the past couple of operations. It's an ongoing disruptive action and it takes a lot of collaborators both domestically and internationally to keep on top of this dispersed infrastructure. So that's what they're doing. As a service is the big thing now. Hedging their bets and just spreading their stuff across the ecosystem is the other trend that's been going on now for the past several years. And I think it's going to continue.

Sherrod DeGrippo: I think that's something that we talk about a lot specifically in ransomware is that it is an ecosystem and these kinds of stealers, initial access brokers, credential harvesters, credential sales, those are all part of that ecosystem and it's really hard to take out an ecosystem. It's not the same as disrupting a single threat actor group. It's trying to disrupt this almost like cottage industry of different players who have different layers for sale. I mean that as a double entendre. Different layers. Just trying to make a buck here and there, not really thinking about the overall impact of what it may be. I know, Bosco, with the Cobalt Strike take down, the cracked Cobalt Strike take down, you said that as more cracked Cobalt Strike was discovered we were able to issue a very simple add on take down for each new one. Is that set up the same with Lumma Stealer?

Richard Boscovich: You know, in a different sort of way the answer is yes. They're all like -- you know I think what the team has developed, you know, the investigative team and legally too, both built in to our pleadings, but also again the collaborative nature both at public and private partners is you have to keep eyes on the threat. If anything pops up there are calls among us set team members that are collaborators and once it's identified everybody moves to go ahead and address it. And this is the new reality for us. Our disruptions are now disruptive actions. It's not a one shot one kill like you mentioned. It's a long term, you know, almost game of attrition where you go and you make it so uncomfortable for them that they just give up. You want to make the cost of doing business for these folks as high as possible. And if you think of it this way from a market perspective let's say you're in a market for an info stealer. And there's several out there. Lumma was the biggest one. Would you want to buy a Lumma one now? Well, no. Why? Because if I'm going to spend money buying something these things are going down like, you know, like, you know, ducks at a circus. They're shooting them down the minute they go up. So chances are you're going to go to another info stealer. And eventually that deterrent impact that we have on Lumma may over time reduce it further just by the fact that people are not going to spend their money and buy it anymore. And you will kill -- that market will kill the product so to speak. And then of course as a group then okay. What's the next target? So all of these things are tactical decisions we make and this prolonged disruptive action based on collaboration I think is the new modus operandi for DCU and for others.

Sherrod DeGrippo: So with that being the new mode going forward do you, Derek and I'll ask this to you both -- do you see more of these coming out of DCU? Is this going to be a, you know, repeatable motion that just keeps looking for high priority threats?

Derek Richardson: Yeah. That's definitely in the works. We're already planning to do at least one similar disruption next fiscal year which you know for Microsoft starts in about 10 days or so. Yeah. So right now over the summer we'll kind of decide what that's going to be just like what we did with Lumma. We'll -- like you said earlier, we'll look at our list of big malware targets that are out there, decide which one's going to have the biggest impact, and not just the biggest impact. What we can actually do something about. Right? When I was talking about it earlier how we decide which things we're going to go after there's impact, but there's also, you know, what can we do about it. If it's infrastructure that's completely outside the U.S. like say it's domain based, but it's all, you know, Russian registrars, Russian registries, Russian IPs, that's not going to be a high target for us because there's not a lot we can do about it. Right? So we'll try to find some intersection between high impact and what we can actually do. What impact can we actually make?

Sherrod DeGrippo: You're sending the threat actors running right now hearing that because they're thinking, "I've got to get my infrastructure out of places that Derek and Bosco can potentially impact." Which I think does go back to imposing cost and Bosco laid out a great example or a great way to understand how imposing cost keeps raising that bar, keeps making it harder and harder for -- hopefully for threat actors and operators in the criminal ecosystem to be able to do anything at all. But, you know, this is a tale as old as time. I tell people all the time, you know, crime has always existed. You know, go back thousands of years. Apparently there was a 900-year-old law against crime. And espionage has always existed. So our fight against threat actors is not that dissimilar from the same fight that's been happening for thousands of years in human history. We're just using computers or, you know, thinking sand to be able to do that. And I think it's just part of what we do. It's not something that I think necessarily will ever end. It's a process. It's not necessarily a product at the end of it as Bruce Schneier says. So any final thoughts you want to wrap up with Bosco? I'll start with you.

Richard Boscovich: Yeah. I mean yeah. I mean looking forward, you know, like I mentioned like Cobalt Strike this particular operation is an ongoing operation. You know even, you know, when the default judgment comes in which is the official okay the case is technically closed, but that does not mean that we would stop keeping eyes on Lumma if it comes back or if it pops up again just like in Cobalt Strike. And we're looking at these operations now as a way really to start gauging metrics as to can we clean up U.S. infrastructure, critical infrastructure. And I think the answer is yes, and that's one of the things that we're really excited about is, hey, in the case of Cobalt Strike we saw reductions of U.S.-based cracked Cobalt Strike drop by 80-90%. And they all go. That is pretty amazing because now they have to go outside of our critical infrastructure and we're seeing I think similar trends on the Lumma side. Now that's great, but eventually how do we do this globally? You know, and that's where that collaborative effort comes in working with Europol. You know. You know, if they run to Europe we want to be sure that we follow them there so we need the right partners both private and public to accomplish that. And in South America and the Asia Pacific region as well. So those are my final thoughts on this. You know it's exciting since like I said it's always changing. Their tactics change and we have to -- we have to keep up and follow what they're doing and innovate both legally and technically.

Derek Richardson: Yeah. I'll build a couple things on what Bosco said and what we were talking about earlier with the kind of the long tail of winding these operations down and increasing the cost on the bad guys. And I'll start with Lumma since that's kind of what we're talking about. So we filed the case -- was it May 15? Something like that. The middle of May. And so we immediately went in to execution meaning taking the things down, seizing the domains, getting the sinkhole up and running and so forth. And like you said earlier there were, you know, at one point 2,300 domains. And once we went in to the execution it started going down pretty rapidly. Right? And so after a week it was just a handful of domains. Right? And they were putting up new ones. Like we'd take them down because we'd monitor this stuff and as soon as we see a new one come up we'd reach out to the appropriate partners to get them taken down. And what happened. But the bad guys of course they'd stand new stuff up and we'd take it down. But, you know, as expected, you're not going to want to keep doing this forever. Right? Because if at one point you had 2,000 command and control server domains, but now you can only get them up for like, you know, 8 hours, 24 hours, at a time it just it's not really worth doing. In fact yesterday I checked to see how many C2s we detected. It was zero. So I expect it will probably go up again, but one of the things we've also seen as the bad guys have tried to adapt is we haven't seen any of these new C2s come up on U.S.-based infrastructure or basically anywhere outside of Russia. It's all been Russian everything. Russian registries. Russian registrars. And so that just kind of further demonstrates the broader pattern that we've been talking about. Right? The more -- to push the bad guys kind of to the periphery. Right? And we can kind of push that periphery out further and further as we get better partnerships.
For instance we've worked with a big Japanese registry on this particular operation. And they had several hundred of these C2 domains on their registry and typically we wouldn't have been able to seize those, do too much about those domains, because it was in Japan. But anyway we developed a new partnership with those guys. They were eager to help us out. And so in future operations we always have to kind of keep the existing partnerships, build on those and get new ones so that, like I said, we can kind of push the bad guys further and further out. And who knows? Maybe one day Russia will be part of that. Right? And Russia won't be a place where the bad guys can hide to. So that's kind of the end goal, the longer term end goal, if we get a wrap in China and Russia. Wherever it is. Right? In to these partnerships. And eventually, you know, push these guys out, you know, as far as possible. Make it as hard as -- hard for them as possible and increase the cost of doing business.

Sherrod DeGrippo: That's great. I love it. So Derek, Bosco, from the Microsoft Digital Crimes Unit talking to us about the Lumma Stealer take down. Thank you so much for joining me. This is fascinating stuff to me. Love hearing how we're leveraging legal capabilities within Microsoft to make the internet safer.

Richard Boscovich: Thanks for having us.

Derek Richardson: Thanks a lot.

Sherrod DeGrippo: Thanks for listening to the "Microsoft Threat Intelligence Podcast." We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out. Msthreatintelpodcast.com for more. And subscribe on your favorite podcast app.