Global Law Enforcers and Microsoft Seize 2300+ Lumma Stealer Domains

by CybrGPT

Microsoft has teamed up with law enforcement agencies across the globe to disrupt the infrastructure behind one of the world’s most notorious infostealer operations.

Microsoft said that, between March 16 and May 16, it identified over 394,000 Windows computers globally that were infected with Lumma Stealer malware.

A coordinated operation between the tech giant, Europol, Japan’s Cybercrime Control Center (JC3) and operatives in the US then set to work, resulting in the “takedown, suspension, and blocking” of over 2300 domains that formed “the backbone of Lumma’s infrastructure.”

Over 1300 of these domains were redirected to Microsoft sinkholes.

“This will allow Microsoft’s DCU to provide actionable intelligence to continue to harden the security of the company’s services and help protect online users,” said Microsoft.

“These insights will also assist public- and private-sector partners as they continue to track, investigate, and remediate this threat.”


The US Department of Justice (DOJ) seized the Lumma control panel, making it difficult for Lumma developers to rent out the infostealer infrastructure on cybercrime marketplaces.

Other cybersecurity and tech firms that joined the operation included Cloudflare, ESET, Bitsight, Lumen and CleanDNS.

Ensar Seker, CISO at SOCRadar, argued that the operation marks a “pivotal moment” in tackling malware-as-a-service platforms, but that ongoing public-private collaboration is essential.

“Such actions not only disrupt the immediate threat but also send a clear message to cybercriminals about the increasing capabilities and resolve of global cybersecurity alliances,” he added.

“However, the resilience of such malware underscores the necessity for continuous vigilance. Lumma’s ability to adapt, employing phishing, malvertising, and exploiting trusted platforms, highlights the evolving tactics of threat actors.”

Black Duck CISO Bruce Jenkins argued that it’s too early to write off Lumma, meaning security teams must remain alert to the threat posed by this and other infostealer variants.

“Cybersecurity leaders must evaluate the effectiveness of their security awareness programs to ensure users remain vigilant – especially against phishing attacks that could trigger similar breaches,” he said.

“This governance should be reinforced with a robust endpoint detection and response (EDR) solution and a comprehensive business resiliency plan, including regular data backups and tested restoration procedures, to further ensure uncompromised trust in software.”

Foundational to Modern Cybercrime

Lumma is one of the most prolific infostealers around, sold as a service since at least 2022.

“Lumma is easy to distribute, difficult to detect, and can be programmed to bypass certain security defenses, making it a go-to tool for cybercriminals and online threat actors, including prolific ransomware actors such as Octo Tempest (Scattered Spider),” said Microsoft.

“The malware impersonates trusted brands, including Microsoft, and is deployed via spear-phishing emails and malvertising, among other vectors.”

Infostealers like Lumma are increasingly foundational to today’s cybercrime supply chain, offering threat actors a steady stream of credentials with which to target and breach sensitive corporate systems.

A new Gigamon study released yesterday found that 55% of organizations suffered a hybrid cloud breach last year, a 17% year-on-year increase. Nearly half of respondents claimed their existing tools weren’t able to spot the breach – a common challenge when hackers use legitimate credentials for access.

Nearly half (47%) of respondents reported a rise in attacks targeting their organization’s large language model (LLM) deployments – a potentially lucrative source of training data which could be stolen or held to ransom.

LLMs are also a target in their own right for data poisoning and other disruptive attacks.



© 2025 cybrgpt.com – All rights reserved.