Hello, welcome to the Wednesday, June 24th, 2020 edition of the Sandsenert Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Well, today we got an interesting diary thanks to one of our Sands EDU graduate students, Karim, he rode up traffic going to the Cyberbunker

Network.

Now I'm planning on having him on the show on Friday, but a little bit ahead of that

about what he found.

First of all, Cyberunker is, is well about as real of a bulletproof

hosting provider as there was in that cyber bunker operated out of an actual nuclear bunker.

They purchased that in Germany was one of the leftover Cold War NATO bunkers that they moved their servers into,

and well they hosted a number of criminal websites and the like out of that bunker.

Now late last year around September, the entire operation was raided, and at the time, of course, the servers were dismantled,

but we now got a chance to actually have the IP address space that CyberBunker used

assigned to one of our Honeypots. So based on the traffic that our Honeypots received,

we were able to kind of deduct a little bit how

cyber bunker operated.

Cyper bunker didn't necessarily run these different websites themselves.

They sort of operated like a co-location hosting provider.

What I found interesting was, well, first of all, there were still a couple of botnets reaching out to what appear to be command control servers that were co-located with Cyberunker.

But almost more interesting, I found ad traffic that would point back to various websites within Cyberpunker.

So these ads as part of the links pointing to the cyberpunker websites,

which of course were now defunct, we didn't have the content of the sites,

but keywords added to these referral links kind of told us what these websites were about. Now, the particular

ad network being used here, get my ads.com appears to be also a little bit shade in the sense

...