Jeremy Kirk

Microsoft admits to technical error in IP takeover, but No-IP still down

Microsoft admitted it made a technical error after it commandeered part of an Internet service's network in order to shut down a botnet, but No-IP, the Nevada-based company whose network was affected, says its services are still down.

A federal court in Reno granted Microsoft an ex-parte restraining order that allowed it to take control of 22 domains run by No-IP, a DNS (Domain Name Service) provider owned by Vitalwerks, which was served the order.

Microsoft alleged the domains were being abused by cyber criminals to manage and distribute malware.

It was the tenth time Microsoft had turned to the courts to take sweeping action against botnets, or networks of hacked computers. Although No-IP was not accused of wrongdoing, Microsoft maintained the company had not done enough to stop abuse on its networks.

Microsoft's intention by seizing the domains was to block only the computers using No-IP's services that were being used as part of a botnet. But "due to a technical error, however, some customers whose devices were not infected by the malware experienced a temporary loss of service," according to an email statement from David Finn, executive director and associate general counsel of Microsoft's Digital Crimes Unit. He claimed that No-IP's services were restored at 6 a.m. Pacific Time on July 1. No-IP spokeswoman Natalie Goguen wrote via email that Microsoft made a technical change the following day to forward legitimate traffic back to No-IP, but "it didn't do anything."

Public utility compromised after brute-force attack, DHS says

A public utility in the US was compromised after attackers took advantage of weak password protection, according to a US Department of Homeland Security team that studies cyberattacks against critical infrastructure.

The utility's control system was accessible via Internet-facing hosts and used a simple password system, wrote the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in a report on incidents covering the first quarter of 2014. The utility, which was not identified, was vulnerable to a brute-force attack, in which attackers try many password combinations until the right one is found.
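One way to spot the pattern the report describes (a run of failed logins from one source, followed by the guess that succeeds) in a login log, as an added Python example that is not from the article or the ICS-CERT report; the log format, addresses and threshold are constructed assumptions:

```python
# Added example (not from the article): flags password-guessing bursts in an
# authentication log, the pattern ICS-CERT describes for the utility's
# Internet-facing control system. Log format and all values are constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample lines: "<ISO time> <source ip> <user> <FAIL|OK>"
SAMPLE_LOG = """\
2014-03-02T02:10:01 203.0.113.7 operator FAIL
2014-03-02T02:10:02 203.0.113.7 operator FAIL
2014-03-02T02:10:03 203.0.113.7 operator FAIL
2014-03-02T02:10:04 203.0.113.7 operator FAIL
2014-03-02T02:10:05 203.0.113.7 operator FAIL
2014-03-02T02:10:06 203.0.113.7 operator OK
2014-03-02T08:00:00 198.51.100.4 admin FAIL
2014-03-02T08:00:30 198.51.100.4 admin OK
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")

def find_brute_force(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (kind, source, user, failure_count).
    'burst' fires when a source reaches `threshold` failures inside `window`;
    'success_after_burst' fires when a login succeeds while such a burst is
    still within the window, i.e. the guess that found the right password."""
    recent = defaultdict(deque)   # source ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue              # ignore lines not in the expected format
        ts, src, user, result = m.groups()
        t = datetime.fromisoformat(ts)
        q = recent[src]
        while q and t - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if result == "FAIL":
            q.append(t)
            if len(q) == threshold:       # alert once, when the threshold is hit
                alerts.append(("burst", src, user, len(q)))
        elif len(q) >= threshold:
            alerts.append(("success_after_burst", src, user, len(q)))
            q.clear()
    return alerts
```

A single failed attempt followed by a success, as in the second source above, is treated as an ordinary typo and produces no alert.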

An investigation showed the utility had been attacked before.

"It was determined that the systems were likely exposed to numerous security threats, and previous intrusion activity was also identified," ICS-CERT wrote in the report. ICS-CERT warned that it is easy for hackers using search engines such as Google and SHODAN to find Internet-connected control systems "that were not intended to be Internet facing."

The report described a second cyberattack but did not specify what type of organization was affected. In that instance, an Internet-connected control system that operated a mechanical device was accessed by an attacker using a cellular modem. The access was gained via a SCADA (supervisory control and data acquisition) protocol, the team wrote. "The device was directly Internet accessible and was not protected by a firewall or authentication access controls," ICS-CERT wrote.