- Feb 4, 2016
- 2,520
Last Friday, on August 4, a jury in the US found Fabio Gasperini, an Italian citizen, guilty of building a botnet that he used to hijack remote servers and surreptitiously click on ads for his personal profits.
Bleeping Computer reported on Gasperini's arrest and extradition to the US earlier this year, at the end of April. Today, we're circling back to provide an account of the events of how Gasperini built his botnet and how an investigation by Forkbombus Labs led to a criminal complaint filed with the FBI, the botnet's downfall and subsequent arrests.
Crook used Shellshock flaw to take over QNAP NAS devices
This whole story starts in September 2014, after the public disclosure of Shellshock (CVE-2014-6271), a vulnerability in the Unix Bash shell that allowed remote attackers to take over Internet-connected devices running a Bash shell.
Gasperini is one of the many cyber-criminals who jumped on the Shellshock exploitation train after the bug's public disclosure. Unlike others, Gasperini focused his efforts on exploiting Shellshock for a single line of products, which were network attached storage (NAS) devices manufactured by QNAP Systems, Inc., a Taipei-based hardware manufacturer.
Gasperini used automated scans to discover QNAP NAS devices available online via port 80 and deployed the Shellshock vulnerability to run code on the vulnerable device.
An analysis of the malicious code by researchers at Forkbumbus Labs revealed the following capabilities:
● Adding a backdoor administrator user account.
● Creation of a publicly accessible unauthenticated webshell.
● Configuring an SSH daemon on port 26.
● Patching the infected QNAP NAS device for the Shellshock vulnerability, preventing further exploitation.
● Downloading and execution of a Lightaidra IRC Bot.
● Further (worm like) botnet propagation.
● Visiting advertisements in a fraudulent manner meant to emulate legitimate human activity.
A month after the disclosure of the Shellshock vulnerability, QNAP issued a security patch to protect customer devices against exploitation. Nonetheless, this didn't stop Gasperini's botnet from spreading.
According to a report provided to Bleeping Computer by Stu Gorton, co-founder and CTO of Forkbumbus Labs, Gasperini's botnet spread to over 2,500 QNAP NAS devices across 70 countries.
Gasperini made several OpSec mistakes
For starters, some of the domains he used in the botnet's infrastructure were registered to "gaspolo@gmail.com", his personal Gmail address, or used the "Gaspolo" nickname in their makeup.
Gasperini's real name was never used in the domain registration process, but when researchers attempted to reset the attacker's Gmail account password, Google revealed Gasperini's name.
Operation HackinItaly
Following a joint investigation by the FBI, Dutch and Italian police, the Dutch arrested Gasperini in Amsterdam on June 18, 2016, where he moved from Rome, his hometown.
Following a raid, police said they found over €300,000 ($325,000) at his home. Other raids took place in Rome, Reggio Calabria, and Venice, where Gasperini's brother and four accomplices lived. The codename of this operation was HackinItaly.
Authorities also charged the other five with hacking and money laundering, but US officials requested only Gasperini's extradition, which was approved earlier this year in April. Gasperini was indicted and arraigned in a US court on April 21, and a jury trial followed.
Gasperini sentenced to one year in prison
Authorities said they found over €300,000 ($350,000) at his home during the raid that led to his arrest, but they suspect Gasperini made much more than this.
After the guilty verdict from last week, yesterday, on August 9, a US judge sentenced Gasperini to one year in prison, a $100,000 fine, and one year of supervised release following incarceration.