Lumma Operators Disable IDRAC Tool and Return Access to the Twice-Formatted Servers by Law Enforcement

• Lumma operators left a note on their dark web platform after their domain seizure
• The statement denied having their servers seized in the law enforcement operation
• They allegedly returned access to the servers and mentioned a flaw in the IDRAC tool

Right after Lumma, the world’s largest infostealer darkweb marketplace was disrupted in a global law enforcement effort earlier this week, its operator posted a long statement for its dark web members.

Their first statement after the crackdown read, “Contrary to opinions, rumors, and articles from the FBI itself, they did not seize our server (atleast because it is located in a country where they definitely cannot seize it), but they broke through the server through an unknown exploit and formatted all the disks.”

The statement first released by Alon Gal, Co-Founder & CTO at Hudson Rock, draws suspicion over the use of a zero-day vulnerability that law enforcement exploited to breach the Lumma server.

Boasting about the location of the server, the operators denied the possibility of seizing them. 

While the Lumma operator did not deny that 2,500 domains were seized, and all the disk data was formatted, they claimed they restored functionality and worked on the logging data to find out who breached the cybercrime infrastructure.

During the process of looking for unauthorized requests to the web, the servers were formatted again. Clearly, the law enforcement officials were monitoring the cybercrime infrastructure and deleting new data. They also deleted the backup server.

Reasoning about the initial access and attack on the threat actors’ domain, the Lumma stealer operator added, “We found out that the control was most likely obtained through some internal vulnerability in IDRAC, how they got access to it, because it is atleast located in a completely different network - we still do not know.”

The attackers are trying to learn how their servers and backups were impacted by the law enforcement. They believe that authorities used phishing techniques to create a login page that closely resembled the real one and traced the IP addresses of Lumma’s clients. Otherwise, getting the IP addresses was impossible, they reiterated.

Moreover, cybercriminals unknowingly allowed access to their webcam, which was surveilled by authorities. 

Finally, the note read that access to their servers has been regained and IDRAC has been disabled. They will return with more statements, keeping the police actions in view.

Alon Gal detailed that IDRAC is a ‘niche’ tool in Dell servers that lets admins control them remotely even if their main system is off. 

Researchers also found that new Lumma stealer panel domains have surfaced after the law enforcement campaign.