Microsoft's Seizure Of No-IP Domains Disrupted Criminals & Innocents Alike

Published: 22/11/2024   Category: security




Microsoft successfully disrupted roughly one-quarter of the APT actors Kaspersky monitors, but took down millions of innocent hostnames too.



UPDATE: As of Thursday afternoon, all seized domains are now back in the possession of No-IP. Original story:
Researchers at Kaspersky say that Microsoft's takeover of 22 No-IP dynamic DNS servers hit the Syrian Electronic Army and other cybercrime groups hard, but it also disrupted innocent users' business in the process. Microsoft says the trouble is resolved. No-IP says it isn't. An apparently unrelated DDoS attack on the No-IP.com website hit Tuesday, adding to the trouble.
Last month the US District Court of Nevada granted the Microsoft Digital Crimes Unit authority to seize control of the domains as part of an effort to cease or disrupt the operations of several major criminal groups that use No-IP domains. As Richard Domingues Boscovich, assistant general counsel of Microsoft's Digital Crimes Unit, explained, "Our research revealed that out of all Dynamic DNS providers, No-IP domains are used 93 percent of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains."
Monday, Microsoft seized control of the domains, but due to a technical error, legitimate No-IP customers who were not associated with malicious activity were also denied service. According to No-IP, "Millions of hostnames have gone dark and millions of our users have been put out of service."
Microsoft acknowledged the mistake in a statement Tuesday from David Finn, executive director and associate general counsel for the Digital Crimes Unit. He said:

Yesterday [Monday] morning, Microsoft took steps to disrupt a cyber-attack that surreptitiously installed malware on millions of devices without their owners’ knowledge through the abuse of No-IP, an Internet solutions service. Due to a technical error, however, some customers whose devices were not infected by the malware experienced a temporary loss of service. As of 6 a.m. Pacific time today [Tuesday], all service was restored. We regret any inconvenience these customers experienced.

Yet later Tuesday No-IP tweeted that it was still receiving complaints from customers whose sites were down.
Meanwhile, the No-IP website was brought down by a DDoS attack. The company informed customers of the attack via Twitter midday Tuesday, and followed up, stating, "Please note the DDOS attack was only directed at our website, not to our DNS infrastructure."
Wednesday afternoon the company tweeted that some hostnames were starting to resolve again and released a message from CEO Dan Durrer, which stated:

We have been throwing everything we have at getting you back online with the least possible delay. For legal reasons, we have been restricted from reaching out to you, but we simply cannot stay quiet any longer. We are very close to a resolution and we will update you with more information as soon as we can.

Many voices in the security community have come out in protest of the actions taken by Microsoft and the court, stating that they are heavy-handed and set a dangerous precedent that could allow private companies to take control of another company's IT infrastructure whenever they decide it is beneath their own standards of quality.
Those criticisms notwithstanding, the shutdown has achieved its aim, according to Kaspersky Lab's Costin Raiu. In a blog post Tuesday, he stated: "Based on our statistics, the shutdown has affected in some form at least 25% of the [advanced persistent threat (APT)] groups we are tracking."

In addition to Bladabindi and Jenxcus, which he said have been used by multiple hacktivist and criminal groups, including the Syrian Electronic Army, Raiu said that Microsoft's actions disrupted a number of other APTs' operations, including Flame and Snake.
"We think [Monday's] events have dealt a major blow to many cybercriminal and APT operations around the world," said Raiu. "In the future, we can assume these groups will be more careful on using Dynamic DNS providers and rely more often on hacked websites and direct IP addresses to manage their C&C infrastructure."
