Two forces come together with the joint goal of improving the safety of the online world
The Shadowserver Foundation might be the most important cybersecurity defenders that you may have never heard of before. The non-profit organization was started in 2004 with the goal of bringing to light emerging threats to the internet.
They work behind the scenes to make the internet safer for everyone, scanning for vulnerabilities, running honeypots to catch criminals, doing malware analysis, and cooperating with law enforcement and other groups. Avast is one of the organizations collaborating with Shadowserver, sharing threat intelligence that the organization can share with law enforcement, national CERTs, and businesses.
Richard Perlotto, the director and founder of Shadowserver, told Avast Chief Information Security Officer (CISO) Jaya Baloo in a recent virtual sit-down that it’s becoming increasingly difficult to differentiate who’s who in cybercrime.
“You can see state-sponsored stuff hiding as activism,” Perlotto says. “You can see criminal behavior hiding as other things. Attributing it and differentiating it is nearly impossible these days. It all feels and smells the same to us.”
Another increasingly common methodology that Perlotto has noticed is cybercriminal groups creating platforms from which multiple cybercrimes can be purchased. It’s “cybercrime as a service.”
“Historically, criminal groups have operated and developed their own malware and exploited it themselves,” Perlotto says. “Now we’re seeing a much more organized approach where crime platforms are developed and maintained by highly agile developer groups and then sold as affiliates to groups around the globe. And that includes state sponsored and activism groups.”
One example of this new type of criminal business model is Avalanche, which the U.S. Department of Justice describes as “a complex and sophisticated network of computer servers” that “allegedly hosted more than two dozen of the world’s most pernicious types of malicious software and several money laundering campaigns.”
Perlotto tells Baloo that Shadowserver was brought in halfway through the multinational, multi-agency, three-year-long investigation that ultimately brought down Avalanche. His organization was able to set sinkholes — which involves redirecting traffic from victims’ computers to servers owned by the organization instead of those owned by the criminals — which ultimately led to the takedown of around 800,000 infected domains in the Avalanche network.
As “one of the larger cybercrime as a service platforms,” Avalanche was designed to manage and control over 20 malware strains, including banking trojans, ransomware, and Android malware, Perlotto says. He estimates the botnet was responsible for hundreds of millions of losses globally.
“Cybercrime as a service is much like we have software as a service or cloud storage as a service,” Perlotto says. “We’re seeing criminals adapt many of the same kinds of concepts that we’re using for business, for their business.”
While Shadowserver is open about their work on Avalanche, they only talk about missions after they’ve been made public by law enforcement. Perlotto says that just a small portion of what they do is ever revealed to the public or posted on their site and that they don’t like to “toot our own horn.”
When asked by Baloo what the biggest cyberthreats are right now, Perlotto points to the increasing popularity of ransomware.
“We see it continue to grow,” he says. “It’s been that way for the past 20 years and it's all accelerating. Ransomware is fairly easy — you can do data exfiltration and now you can also do shaming by contacting news organizations and saying, ‘This hospital can no longer conduct business.’”
However, Perlotto says, there’s more to be concerned about if you or your organization is a victim of ransomware.
“Many times the ransomware is the secondary infection, delivered by something else,” Perlotto says. “The ransomware has breached the perimeter through that mechanism and the ransomware is just the symptom that you see right now.”
But while Shadowserver has been quietly doing undeniably important work in the background for more than a quarter century, their future looked uncertain in 2020. After 15 years of being sponsored by one individual who footed all the bills, the organization is trying to figure out how to move forward. Perlotto says that their next move involves transitioning from a “black box” structure to one that includes a board, working groups, and inviting the community into their work.
“We want to be symbiotic to the industry, not parasitic,” Perlotto says. “We want to make sure that we’re adding value to not only the consumers, but also to the industry itself, while not breaking the basis of our mission and what we call our morals and ethics.”
With that in mind, Avast donated half a million dollars to Shadowserver this year with the hopes of supporting their work for years to come. Individuals who want to become cyber defenders themselves can also donate to Shadowserver directly, with either one-time gifts or recurring donations.
The complete interview can be found in the video below.