
Honeypot behind sold-off IP subnet shows Cyberbunker biz hosted all kinds of filth, says SANS Institute

Botnet C2, denial-of-service, phishing – and that's after filtering


Web traffic to the servers of the notorious Dutch-German Cyberbunker hosting biz was filled with all kinds of badness, including apparent botnet command-and-control and denial-of-service traffic, says SANS Institute.

Cyberbunker, aka CB3ROB, was raided last September by 600 German police gunmen who forced entry to the outfit's Traben-Trarbach HQ.

Following the raid, infosec biz SANS was able to set up a honeypot on former Cyberbunker IPs to analyse traffic passing through them – and the results shed light on just what kind of dubious traffic was passing through the servers.

CB3ROB's HQ was located inside a Cold War-era underground military bunker around 60 miles west of Frankfurt. Police boasted at the time of seizing 200 servers as well as CB3ROB's dot-org domain, which for a while after the raid bore a US-style "domain seized" banner.

After the inevitable arrests, CB3ROB's personnel had to sell some of their assets to generate a legal defence fund. Sold-off assets included three IPv4 subnets: 185.103.72.0/22; 185.35.136.0/22; and 91.209.12.0/24. Those were sold to Legaco Networks, which agreed to let SANS' Internet Storm Center erect a honeypot behind them for one week in April 2020.


Karim Lalji, SANS' community instructor in the Penetration Testing curriculum, recounted in a paper about his findings: "Close to 2,000 unique computer names and over 7,000 unique source IPs that follow a similar request pattern are present in the traffic sample collected." He added that if single computer names were isolated within this traffic, "the intervals between requests were exactly 1min and 30sec – indicating automation and potential C2 [command and control]."
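The per-host interval check Lalji describes, written out as an added example that is not code from the SANS paper or this article: it parses access-log lines, groups requests by the computer name they carry, and flags names whose inter-request gaps all sit on one fixed period. The combined-style log format and the `name=` query parameter are assumptions (the paper only says requests carried unique computer names); every hostname, address and timestamp below is constructed. The 90-second period is the one the paper reports.

```python
"""Detect fixed-period "beaconing" hosts in web-server access logs.

Added example, not from the SANS paper or the article. The 'name='
parameter is an assumed field; all log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"'
)
NAME_RE = re.compile(r"[?&]name=([^&\s]+)")  # assumed parameter carrying the computer name
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: two hosts check in every 90 s, one browses irregularly,
# one has too few requests to judge, and one line carries no computer name.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2020:10:00:00 +0000] "GET /gate.php?name=DESKTOP-1A2B&v=2 HTTP/1.1" 200 14
198.51.100.23 - - [12/Apr/2020:10:00:05 +0000] "GET /gate.php?name=WKSTN-5C6D HTTP/1.1" 200 14
198.51.100.23 - - [12/Apr/2020:10:00:12 +0000] "GET /gate.php?name=WKSTN-5C6D HTTP/1.1" 200 14
192.0.2.44 - - [12/Apr/2020:10:00:17 +0000] "POST /gate.php?name=LAPTOP-9Z8Y HTTP/1.1" 200 14
203.0.113.7 - - [12/Apr/2020:10:01:30 +0000] "GET /gate.php?name=DESKTOP-1A2B&v=2 HTTP/1.1" 200 14
192.0.2.44 - - [12/Apr/2020:10:01:47 +0000] "POST /gate.php?name=LAPTOP-9Z8Y HTTP/1.1" 200 14
198.51.100.9 - - [12/Apr/2020:10:02:01 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.23 - - [12/Apr/2020:10:02:40 +0000] "GET /gate.php?name=WKSTN-5C6D HTTP/1.1" 200 14
203.0.113.7 - - [12/Apr/2020:10:03:00 +0000] "GET /gate.php?name=DESKTOP-1A2B&v=2 HTTP/1.1" 200 14
192.0.2.44 - - [12/Apr/2020:10:03:17 +0000] "POST /gate.php?name=LAPTOP-9Z8Y HTTP/1.1" 200 14
198.51.100.60 - - [12/Apr/2020:10:03:50 +0000] "GET /gate.php?name=PC-TWO HTTP/1.1" 200 14
203.0.113.7 - - [12/Apr/2020:10:04:30 +0000] "GET /gate.php?name=DESKTOP-1A2B&v=2 HTTP/1.1" 200 14
192.0.2.44 - - [12/Apr/2020:10:04:47 +0000] "POST /gate.php?name=LAPTOP-9Z8Y HTTP/1.1" 200 14
198.51.100.60 - - [12/Apr/2020:10:05:20 +0000] "GET /gate.php?name=PC-TWO HTTP/1.1" 200 14
203.0.113.7 - - [12/Apr/2020:10:06:00 +0000] "GET /gate.php?name=DESKTOP-1A2B&v=2 HTTP/1.1" 200 14
198.51.100.23 - - [12/Apr/2020:10:07:01 +0000] "GET /gate.php?name=WKSTN-5C6D HTTP/1.1" 200 14
"""


def parse_log(text):
    """Return (timestamp, source_ip, computer_name) for each line that carries
    a computer name; unparseable lines and lines without a name are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        n = NAME_RE.search(m.group("path"))
        if not n:
            continue
        events.append((datetime.strptime(m.group("ts"), TS_FMT), m.group("ip"), n.group(1)))
    return events


def intervals_by_name(events):
    """Seconds between consecutive requests, per computer name, in time order."""
    stamps = defaultdict(list)
    for ts, _ip, name in events:
        stamps[name].append(ts)
    return {
        name: [(b - a).total_seconds() for a, b in zip(sorted(s), sorted(s)[1:])]
        for name, s in stamps.items()
    }


def find_beacons(events, min_requests=4, tolerance=2.0):
    """Flag names whose gaps all lie within `tolerance` seconds of their median
    gap. Implants that add jitter need a wider tolerance (e.g. a fraction of
    the median) rather than this near-exact match."""
    sources = defaultdict(set)
    for _ts, ip, name in events:
        sources[name].add(ip)
    hits = {}
    for name, gaps in intervals_by_name(events).items():
        if len(gaps) + 1 < min_requests:
            continue  # too few requests to call a period
        period = median(gaps)
        if max(abs(g - period) for g in gaps) <= tolerance:
            hits[name] = {"period": period, "count": len(gaps) + 1,
                          "sources": sorted(sources[name])}
    return hits


if __name__ == "__main__":
    for name, info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{name}: {info['count']} requests every {info['period']:.0f}s "
              f"from {', '.join(info['sources'])}")
```

A fixed period on its own is weak evidence (monitoring agents and update checkers beacon too); what made the honeypot traffic suspicious was the combination of period, scale (thousands of names, more source IPs than names) and the fact that the addresses no longer belonged to anyone those clients had reason to contact. Tracking `sources` per name is there so that the name-to-IP ratio can be checked alongside the period.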

Lalji also observed apparent phishing traffic passing through the honeypot, with impersonated services including the Royal Bank of Canada, Apple, PayPal, Chase Bank and others. He also found traffic that appeared to be linking to extreme sex abuse "involving animals", as well as what appeared to have been a criminal-oriented ad network.

His detailed findings included 171,000 TCP retransmissions "with no payload data and different sequence numbers", which Lalji concluded "likely indicates an error in crafted communication or a portion of a reflected Denial of Service (DoS) attack."

The research "explicitly filtered out" likely port-scanning traffic as well as "web directory brute forcing, SQL injection discovery, DNS zone transfer attempts, VoIP scans (primarily with SIPVicious), Telnet, SSH, FTP, and web-form brute force login attempts". Lalji added: "Several of these events can be attributed to internet-wide scans that are not specific to the IP address space under examination." Email traffic was also excluded as prosecutors were potentially interested in it.

CB3ROB's leading lights were charged last year by prosecutors in Rheinland-Pfalz with hosting: a darknet market called Cannabis Road; a drugs, stolen data and malware souk called Wall Street Market; an "underground economy forum" imaginatively named Fraudsters; a Swedish drugs marketplace called Flugsvamp; various clearnet drug-peddling websites; various "fraudulent bitcoin lotteries, darknet marketplaces for narcotics, weapons, counterfeit money, murder orders" and child abuse images; and C2 servers for the Mirai botnet.

Sven Olaf Kamphuis of CB3ROB said in a Facebook post shortly after the bunker raid last year: "ISPs do not need to know who the customer is, ISPs do not need to know what the customer does (and even if they do know, it doesn't make them liable – as long as there is no ACTIVE cooperation in the activity)." ®
