Recommended
More Related Content
What's hot
What's hot (20)
Similar to The Cybercriminal Underground: Understanding and categorising criminal marketplace activity
Similar to The Cybercriminal Underground: Understanding and categorising criminal marketplace activity (20)
Recently uploaded
Recently uploaded (20)
The Cybercriminal Underground: Understanding and categorising criminal marketplace activity
- 1. “Play the man, not the malware” The Cybercriminal Underground Understanding and categorising criminal marketplace activity
- 2. ● Token Australian at Intel 471 but haven’t lived in AU for 5+ yrs ● CEO and Founder of Intel 471 ● Previously Chief Researcher at iSIGHT Partners (FireEye) ● Previously Technical Specialist at Australian Federal Police ● Over a decade of researching and tracking top tier cyber threat actors across both government and the commercial space 2 About Me
- 3. ● Understand how cybercrime works by viewing it through a business lens ● Establish a common vocabulary ● Conceptualise cybercrime and all related aspects ● Show how you can map out, organise, and visualise the underground ● Remove marketing from the intelligence equation ○ “Deep and dark web” is a lame marketing term 3 Objectives
- 4. ● Your own attack surface ← #1 way to observe as it relates to you ● The attack surface of other people like you (sharing) ● Technical collection (botnet/campaign tracking and emulation) ● Actor communications (the underground) 4 Observing the adversary R E A C T I V E P R O A C T I V E --------------------------------THE PERIMETER--------------------------------
- 5. ● Vast majority of threat actors there are financially motivated ● Includes criminal forums, marketplaces and places where actors can be engaged ○ “Adversary space” ● Nation states/espionage actors are in the underground but operate quietly 5 What is the cybercriminal underground?
- 6. ● Criminal forums/marketplaces that anyone can register for ○ Alphabay (dead), Silkroad (dead), Dreammarket etc ● Vetted/invite only forums and marketplaces ● Information obtainable only via direct communication with cybercriminals 6 What does the underground look like from our perspective?
- 7. ● Making money is the goal ● The marketplace exists so that actors can buy, sell, and talk about buying/selling ● Reputations and brands are built over years ● Fortune 500 CEOs would be impressed ● Understand the business models, processes, and pain-points 7 Viewing cybercrime through a business lens
- 8. ● Decentralised and grouped by specialisation ○ Not often structured like traditional organised crime (hierarchical, culture of trust) ● Examples: ○ Gameover/Jabber Zeus ○ “Carbanak” 8 Typical structure of cybercriminals
- 10. ● Financially motivated cybercrime is primarily facilitated by the underground marketplace comprised of actors that buy, sell and talk about products, services, and goods 10 Underground Marketplace - Organisation Cybercrime Products GoodsServices
- 11. A thing that has been refined for sale 11 Underground Marketplace - Organisation Cybercrime Products GoodsServices
- 12. A thing that has been refined for sale 12 Underground Marketplace - Organisation Cybercrime Products GoodsServices Organised system that provides accomodation required by the underground
- 13. A thing that has been refined for sale 13 Underground Marketplace - Organisation Cybercrime Products GoodsServices Organised system that provides accomodation required by the underground Illicit digital merchandise, wares, or commodities usually sold in bulk
- 14. 14 Underground Marketplace - Organisation Tier 1 ● Least number of actors ● Most significant actors ● Biggest victim impact
- 15. Underground Marketplace - Tier 1 Cybercrime Products GoodsServices Tier 1 Tier 1 Tier 1 Tier 1 products, services, and goods are core elements and key enablers of financially motivated cybercrime activity. They form the basis for what we consider “financially motivated cybercrime”
- 16. Underground Marketplace - Tier 1 Cybercrime Products GoodsServices Tier 1 Tier 1 Tier 1 - Malware - Banking Trojans - Malware - Ransomware - Malware - Loaders - Account checking tools - Webinjects, ATS, Grabbers - Bulletproof Hosting - Ransomware-as-a-service - Malware Installs - Traffic - Spam - Exploit Kits - Cashout, Exchangers - CC dumps / dump shops - Database dumps - Account credentials
- 17. Underground Marketplace - Tier 2 Cybercrime Products GoodsServices Tier 2 products, services, and goods are those periphery elements of financially motivated cybercrime Tier 1 Tier 2 Tier 1 Tier 2 Tier 1 Tier 2
- 18. Underground Marketplace - Tier 2 Cybercrime Products GoodsServices Tier 1 Tier 2 Tier 1 Tier 2 Tier 1 Tier 2 - Scam/phishing pages - One-off compromised accesses - Malware - Cryptocurrency miners - Call services - Travel Services - SMS Spamming - Gift cards / codes
- 19. Underground Marketplace - Tier 3 Cybercrime Products GoodsServices Tier 1 Tier 2 Tier 3 Tier 1 Tier 2 Tier 3 Tier 1 Tier 2 Tier 3 Tier 3 products, services, and goods are those tertiary elements of financially motivated cybercrime that have limited impact on their own
- 21. ● Used by cybercriminals to host malicious things and not have them taken down 21 Introduction to Bulletproof Hosting (BPH)
- 22. 22 Categories of hosting infrastructure Good Abused Bulletproof
- 23. ● Key enabler for huge amounts of cybercrime ○ Malware C&C, phishing, exploit kits etc ● Spend lots of resources tracking the malware and exploit kit IOCs (after they are used) = lots of resources ● Track bulletproof hosters = Proactive, timely and less resources required ● Only 8-10 tier 1 bulletproof hosters in the underground 23 Putting it into practise - Bulletproof Hosting (BPH)
- 24. ● RFI received from a customer ● Identified a Hancitor malspam campaign detected at their perimeter ● Provided IOCs and other info (domain WHOIS info, etc) related to the campaign ● The ask: ○ Provide information about “WHO” (Infrastructures, Groups, Individuals, etc) ○ Highlight any TTPs associated with the threat actors and their activity 24 Real case study
- 25. Visualise the flow of what happened ! Phishing email sent from fedex@wowgreatshop.com palmbeachmarinecontractor.com palmbeachstrykers.com cleanairexperts.com palmbeachautomotive.com gonegreensupply.com 1 Victims click on malicious URLs 2
- 26. Visualise the flow of what happened Malicious Word doc drops Hancitor Hancitor makes C2 call to domains for trojans kedmolorop.com tttconstruction.co.za thettertrefbab.ru 3 4
- 27. Visualise the flow of what happened Trojans (Pony, Evil Pony, Zloader, Gozi- ISFB, etc) make C2 call for extra malware or functionality pahattitbut.com Infection on device & positioned for data extraction 5 6
- 28. Patterns across a dozen Hancitor campaigns Malspam Campaign wowgreatshop.com palmbeachautomotive.com palmbeachstrykers.com kedmolorop.com tttconstruction.co.za pahattitbut.com Spoofed sender domain Phishing urls Hancitor C2 Pony C2 EvilPony C2 Zloader C2 BPH 1 Tier 1 BPH service BPH 2 Dedicated small time BPH and abused hosters
- 29. ● Get upstream and monitor/track infrastructure providers to be proactive against many different threats ● Track BPH services to identify infrastructure before the bad guys are using it for badness - pre-IOCs (our marketing gimmick term) ● Understand the business models and processes to identify proactive and more impactful courses of action 29 End result of bulletproof hosting tracking
- 30. ● Have been tracking the actor Alex for over a year ● The IP addresses on the previous slide tied to his bulletproof hosting infrastructure 30 Alex
- 31. 31 Who are Alex’s clients? MALWARE PHISHING CERBER, LOCKY/OSIRIS SAGE YAKES RAZY BARYS KOVTER DRIDEX HANCITOR NEMUCOD PANDA BANKER (ZEUS) NYMAIM ZUSY SYMMI/GRAFTOR GAFGYT (LINUX) MARCHER (ANDROID) VALYRIA PONY/FAREIT MIRAI and more GLOBAL BANKS AMAZON CDN PROVIDERS YANDEX MICROSOFT LOCAL UK GOV CROWN PROSECUTION HILTON Google and whole lot more EXPLOITATION OF CVE-2017-0199 DRUG SHOPS CYBERCRIME FORUMS DUMP SHOPS CASINOS PIRATING/FILE SHARING RANSOMWARE MALWARE PHISHING OTHER
- 33. ● Visualize the underground marketplace in terms of products, services, and goods (and consumers) ● Organize products, services, and goods in terms of their significance by Tier 1-3 ● Understand that cybercrime is a collection of systems, processes, actors, and groups working very similar to how businesses work to make money ● Realize that it’s possible to map out the marketplace and identify that small amount of actors that do the most damage 33 Conclusions
Editor's Notes
- At the top is things directly relevant to you At the top is being the most reactive - like doing a boxing match with your hands tied by your back At the bottom is being the most proactive Ultimately cyber threat intelligence is threat focused meaning threat is a person with an intent, goal, motivation and TTPs (malware isn’t a threat, the person using it against you or your customers is)
- Fortune 500 CEOs would be impressed Marketing Productization / Commoditization Impressive returns on investment Longevity in a semi-permissive environment Sophistication Understand the business models, processes, and pain-points Provides a fuller understanding of the threat from a macro to micro view Help Identify realistic and most impactful courses of action
- Gameover Zeus Slavik sold Zeus on a buy in amount of $ plus a % of every transaction that went through it The actors who bought this service used a third party service for the management and recruiting of mules which cost a % of the $ Carbanak Horrible name to describe this activity as Carbanak is a combination of the words Carberp and Anunak which are separate trojans Some actors who have used Anunak have also used Carberp alongside other trojans/tools like Money Maker Banker Bot, Smoke Loader etc Not a good idea to name a group after the malware they have used especially when said malware is used by multiple actors
- Of the 17M actors in the underground, probably less than 2,500 actually are doing most of the real damage Of the 17M you have lots of duplicates, researchers, LE, skids, and scammers too There’s a good bit of effort up front to do this, but it’s a bell curve basically Once completed efforts are focused on the threat actors that matter for most impact and valuable intelligence collection You build an intimate knowledge of the underground marketplace that new actors are quickly noticed, actors that are assuming other’s identities are easily sniffed out, legitimate and scammers are easily identified, etc. In the end this provides true intelligence value to the teams you can support
- This marketplace facilitates actors involved with buying, selling, or talking about products, services and good A lot of analysts don’t realize that if you listen to what the criminals say they’ll tell you some interesting stuff...of course criminals are lying scum as well so we need to assess the info appropriately. This ability comes with time. Examples: Malware authors announce new releases and functionality BPH providers provide descriptions of their services Actor’s complain about others You can elicit information from actors (HUMINT/engagements) We can divide the underground marketplace up into 3 primary areas Products, Services, and Goods...these are all business terms for the most part
- Products are basically just stuff that you can buy Actor’s have productized this stuff into a solid product The market is the judge
- Services play an enabling role in cybercrime These folks are the hidden hand of cybercrime As is expected, service providers interact with more cybercriminals than any other Easy to quantify impact a product or good, but very hard to quantify the impact of services
- This is your bulk data that’s often advertised in the marketplace, but sold in custom shops
- Before we get into some examples I want to organize the marketplace 1 step further Think of “Tiers” as a measure of significance some product, service, or good plays in the cybercrime ecosystem 1 - most significant, 3- least significant Tier 1 is the top tier actors Tier 1 is often the most sophisticated and mature in a business sense Impacting Tier 1 has more of a downstream effect on the entire model essentially making things harder or even impossible
- Most impact can be realized when you affect key enabling services Tend to involve more sophisticated actors and business models/setups - front companies, large amounts of money, etc This is usually where your Top tier and most impactful actors like to hang out
- Now we start mapping in the actors and making sense of things Our job starts to get much easier as we build that clarity on the “who’s who” We can even categorize the actor’s in terms of significance within their respective area/specialty, but we’ll leave that for another day
- Lastly we start to target the actor’s specifically to answer key questions and fill gaps in knowledge This is where we really start to understand the business models, processes, and identify pain-points where max impact can be realized Yalishanda is a Russian actor who spends his time between Russia and China and is a tier 1 bulletproof hoster Huge amounts of badness has been hosted by him including ransomware (cerber, locky), malware (dridex, Panda banker, Pony, Mirai and more), phishing (banks, CDNs, retail companies) and other things like exploits, drug shops, cybercrime forums, CC dump shops etc