DIVD-2024-00019 - Victim Notification Operation Endgame
| Our reference | DIVD-2024-00019 |
| Case lead | Frank Breedijk |
| Author | DIVD CSIRT |
| Researcher(s) | |
| CVE(s) |
|
| Products |
|
| Recommendation | If you received a notification from us, members of your organization or your customers had their password stolen or system infected by a botnet. Detailed recommendations are found below. |
| Status | Open |
| Last modified | 04 Jun 2024 18:04 |
Summary
As part of Operation Endgame, the biggest anti-botnet operation to date. The Dutch Police, in cooperation with policy units form Germany, France, Denmark, the United States and United Kingdom and suppor to Europol and Eurojust have infiltrated a number of botnets, including at least Smokeloader, IcedId, Pikabot, SystemBC and Bumblebee. During this infiltration they obtained data about the victims of these botnets.
This data has been shared with us and various other parties like Have I Been Pwned, Spamhaus, Project No More Leaks, Project Check je Hack, the (Dutch) NCSC, CSIRT-DSP, and Digital Trust Center.
The data we have received consists of the following data sets:
- Email credentials, either SMTP or IMAP credentials
- ADFS credentials consisting of AD-domain and login credentials
- Unlabelled individual (email) account credentials.
What you can do
What you can do depends on who you are and the type of data the police found.To keep this main case page brief, we have created separate pages with recommendations for your situation.
You have received a notification that is only about your personal accounts:
- Click on this link if you have received a notification about your own email account
- Click on this link if you have received a notification about your own ADFS account
- Click on this link if you have received a notification about personal accounts of an unspecified nature
- Click on this link if you have received a notification about personal accounts that have been found in the IcedID botnet
You have received a notification about a number of accounts that belong to your organization:
- Recommendations for organization email accounts
- Recommendations for organization ADFS accounts
- Recommendations for organization accounts of unspecified nature
- Recommendations for organization with systems that connected with the IcedID botnet
What we are doing
We have received the discovered data from the police, and are sending out notification to individuals and organizations that have fallen victim to compromise. To effectively do this, we are in close cooperation with the Dutch National Police as well as the NCSC, CSIRT-DSP and DTC.
Frequently asked questions
General
Q: Is this a scam?
A: It’s great that you’re skeptical. However, this is legit and definitely not a scam. This operation is a collaboration between the Dutch National Police, Europol, Digital Trust Center, NCSC and others. We, Dutch Institute of Vulnerability Disclosure (DIVD), are mentioned in the press releases from the Dutch Police and Europol. The ‘Check je Hack. (translation: Check your Hack) FAQ also mentiones DIVD and shares a link back to this casefile.
Q: Do you have my password?
A:No, we do not have your password. We may have sent you an email containing a partial password, with only the last four characters visible. This is the only part of your password we possess because the Dutch Police ensured that all passwords were hidden before sharing the data with us.
Q: Are you going to go after the criminals who stole my information?
A:No, we are not. That is a matter for law enforcement. As per article 9 of our code of conduct: We analyze online threats, not threat actors. We are researchers and don’t serve the needs of governments or law enforcement.
Q: if you “don’t serve the needs of governments or law enforcement”, why are you cooperating with the Dutch National Police on this case?
A: Acting on this data set is directly in line with article 3 of our code of conduct: Analyze databases with leaked credentials and report to the organizations or people who are compromised to take appropriate measures.
We analyze every database we receive, including those from law enforcement. However, we do this independently, without any obligation or intention to share any specific information in return.
Technical
Q: What is an ADFS account and what can criminals do with it?
A: An ADFS (Active Directory Federation Services) account enables single sign-on for multiple applications. If criminals access it, they can infiltrate corporate systems, cloud services, and email accounts, leading to the theft of sensitive data and potential further attacks within the organization.
Q: Do you know how the Dutch National Police obtained this information?
A: No we don’t know any details, but we know that Operation Endgame contains information from several botnets.
Q: Do you know from which botnet my data was obtained?
A: No, those details were not shared with us.
Legal
Q: You are processing my personal data without my consent, is that legal?
A: Yes it is.Under Dutch law and European privacy regulations, we can process this data based on a so-called “legitimate interest.”DIVD is a private foundation that operates under a strict code of conduct, with the aim to make the digital world safer.
Timeline
| Date | Description |
|---|---|
|
01 Dec 2023- 30 May 2024 |
Period in which credentials were likely actively abused by the threat actors |
| 30 May 2024 | Dutch National Police goes public with Operation Endgame |
|
30 May 2024 ? |
DIVD sends out first notifications |
More information
- Press release on site of Dutch police
- Europol press release
- Article by Troy Hunt of haveibeenpwned
- Operation Endgame website