Client being extorted to pay bitcoin or database released  

cybertend
(@cybertend)
New Member

New to this site and forum…howdy from Texas all.

I am doing DFIR work for a very large global client.
I have been working on touchy issues like this for years with them and they are very happy with me so they tend to ask questions outside of DFIR for guidance on occasion.

Today was such an occasion. Here are the details and what I have directed them to do thus far.
This is a bit out of scope for DFIR, but thought that folks here would have some thoughts….

_______
Client called and stated an entity called "Thug Life" sent an anon email stating if they don't pay X in bitcoin they would release Y database. A sample of the database was provided, so it is believed that this is a legitimate threat.

Client wants to see if they can identify "Thug Life"

My direct response
(for brevity "Thug Life" == TL, direct communications to client will be noted by a ->)

-> Do the usual, provide a copy of the email, headers and such. I am doubtful anything here will be of value if TL practiced basic opsec.

-> TL is very generic so it will be difficult to hit any groups directly associated with the TL that contacted you.

This could be an inside job so I relayed
-> Add new string/strings in your IDS and/or SIEM to match on key terms/words associated with the email hosting provider, dbase terms and usage of TOR.
This would absolutely be fruitful if tracked to an internal employee.

To search web/darkweb for TL (all of these are risky options IMHO)
-> Search pastebin.com for your company name, terms in the database and anything else that would be relevant.
-> Search darkweb market sites for this dbase for sale…this is very risky of course and could tip off the evildoer.
I gave the client instructions on how to set up an anon email with protonmail and how to access a hiddenwiki of market sites.
Even if they found the TL they are looking for, what are they going to do about it if it's an external entity?
________

Thanks and I am sure this will be a lively discussion.

Posted : 24/01/2020 7:32 pm
keydet89
(@keydet89)
Community Legend

First off, I don't think that this is particularly out of scope for DFIR, as I worked a case very similar to this back before there was bitcoin. 😉

So, the company is relatively sure that the sample that the bad guy provided is legit…that's a start.

Based on the sample, do they have a time frame on which to place this event? From there, perhaps a review of available data (logs, etc.) might reveal how the data was exposed, and help determine if this was likely an inside job, or the result of a breach.

Something for the company to consider is, how much effort do they have to expend, and of that, how much do they want to put into finding "TL"? The reason I ask is, has the company stated the end game in their mind? Is it prosecution? If so, the breach itself could then become part of the public record. I know that law enforcement (in the US) has worked to keep company names out of suits that are filed, but once in court, there's little to prevent the defense from making the company name public.

As resources are usually limited, my suggestion would be that the company pursue determining how the data was exposed, and then proceed from there.

Posted : 24/01/2020 9:21 pm
cybertend
(@cybertend)
New Member

Thanks for the nice reply keydet89. Makes sense to put the focus on how the data was obtained in the first place rather than focusing on trying to identify "TL" in the wild.

Posted : 24/01/2020 9:59 pm
rbm411
(@rbm411)
New Member

I tripped across Thug Life twice this summer while investigating separate ransomware incidents. The incident started by dropping a jscript file in the Outlook and Word startup directories. It then converted all files on mapped drives to .json files. It didn't touch local files.

They didn't leave a note anywhere. I was only allowed to investigate the PC so I don't know how it got in, however, it didn't appear to come from an email or attachment.

Posted : 27/01/2020 8:23 pm
Rich2005
(@rich2005)
Active Member

As resources are usually limited, my suggestion would be that the company pursue determining how the data was exposed, and then proceed from there.

That's definitely got to be the course of action….as it's always going to be hard to be certain you're not still compromised (in one or more ways)….much more so if you don't know how you were compromised in the first place! After all, if the hole isn't plugged, the same thing could happen again (whether by the same person or someone else).
On top of trying to "plug the hole" or remove any remaining threat, it's probably a good idea to see if you can work out whether that's the only thing that was taken, as it's not guaranteed that database isn't just the thin end of the wedge.
(the previous post by rbm411 certainly lends weight to the likelihood it's a breach)

Regardless of the future action the big company takes, I think it would be irresponsible of them to not, at the bare minimum, seek to try to identify
1) How they got in
2) Is any threat still present
3) Are they still vulnerable to the method of entry
4) What data was accessed/taken (rather than just assuming it's solely the database being ransomed)
and later
5) Review whether their security is sufficient both to prevent intrusions as well as to facilitate their investigation quickly/easily

Not only for their own benefit but because I assume they likely have personal/client/employee data somewhere on their systems (and all the business/legal implications of that).

Posted : 28/01/2020 10:50 am
cybertend
(@cybertend)
New Member

Thanks so much everyone for all the replies and great suggestions.
rbm411 this is very very good intel from you and I am going to pass this on to them.

My contact did say they have determined how Thug Life got in and that the issue is fixed.
I didn't ask, of course, and my contact did not disclose any TTPs.

***I can start a totally different thread for this next one thrown at me if that is appropriate moderators***

My contact did say the C-Levels are concerned enough that the CIO there instructed the security team to "monitor the dark web" for their company name or other indicators that point to a legitimate or planned attack/breach.

Unable and unequipped to do this internally, they contacted one of the large accounting firms and got a quote of $20,000 for one month of "Dark Web" monitoring.
To me, and my contact, this is somewhat of a challenge as
a) How exactly are you going to monitor the dark web.
b) Even if you find some indicators, what are you going to do about it.

BUT my contact said look, if you can put together a quote/proposal to do the same thing for say $8,000 I will give you the contract. Now they have my attention as I am a small 2-man shop trying to put two kiddos through college ).

My plan is this
a) monitor pastebin sites.
b) join several of the dark web markets and search for any databases for sale.
c) ?

This may be out of the scope/inappropriate for this site, but does anyone have any thoughts?
I was going to search through this site and forums for previous recommendations.
Explore what Experian states they do for their offering of "dark web monitoring".
Look into github for any tools.

I would appreciate any suggestions and I would be happy to send a box o steaks from Texas for some good suggestions that actually work ).

Posted : 30/01/2020 10:56 pm
keydet89
(@keydet89)
Community Legend

I tripped across Thug Life twice this summer while investigating separate ransomware incidents. The incident started by dropping a jscript file in the Outlook and Word startup directories.

Can you elaborate a bit and provide the directory paths?

Thanks.

Posted : 30/01/2020 11:30 pm
Rich2005
(@rich2005)
Active Member

Unable and unequipped to do this internally, they contacted one of the large accounting firms and got a quote of $20,000 for one month of "Dark Web" monitoring.
To me, and my contact, this is somewhat laughable as
a) How exactly are you going to monitor the dark web.
b) Even if you find some indicators, what are you going to do about it.

BUT my contact said look, if you can put together a quote/proposal to do the same thing for say $8,000 I will give you the contract. Now they have my attention as I am a small 2-man shop trying to put two kiddos through college ).

My plan is this
a) monitor pastebin sites.
b) join several of the dark web markets and search for any databases for sale.
c) ?

This may be out of the scope/inappropriate for this site, but does anyone have any thoughts?

It's impossible to know how good (or not) the competitor is without knowing their processes.
It might be something you could easily do yourself but it also might be something impossible to replicate quickly.
Firstly you have the issue of knowing all the places on the "dark web" (I hate that term) to look at. By their very nature, that's impossible. Therefore anyone (or any company) seeking to monitor the dark web would have to initially (and likely on an ever-growing basis) identify areas to monitor (whether a website or some other communication/file-transfer setup). Even if identified, many of these "areas" may not be public and require authorisation to access, payment, vetting (initial and/or on-going, to build up a history).
Essentially doing it properly would be a difficult and labour-intensive on-going covert investigation, likely requiring both technical and investigative skill to be good at it. There might perhaps be some kind of automated methods to assist in the identification of areas to look at, or monitoring of unguarded areas, but that would just be the thin end of the wedge.
Of course your client may not know any of that, and their competitor might also be poor, however the truth of the matter is it's a difficult task to accomplish, and best done by an investigator that does this (and has been doing it) for a long time, and ideally a team of them, due to the scale of the essentially impossible task.

Posted : 31/01/2020 8:23 am
jaclaz
(@jaclaz)
Community Legend

Personally, I would call that finding a needle in the haystack, and, as you say, once (if) you find it, what are you gonna do with that info?

If the (relevant) data has already been exfiltrated there is no way on earth to stop it from being sold/exchanged, so that is anyway a dead end.

The monitoring might be a proactive way to see if there are signs of related activity, or explicit plans for new intrusions, but I doubt that they can be found before they are put into practice.

The only use I can see of this monitoring would be checking if there is anything not related to the specific company, but about the tools/infrastructure the company uses (unless they are somehow proprietary/custom).

I mean, I don't think it likely that anyone will post something *like*
"Hey peeps, I have this nice exploit/credentials/whatever to penetrate company xyz's site/cloud/whatever anyone wants to buy it for a mere bitcoins/fantacoins/whatever."

While, if they post something more *like*
"Hey peeps, I have here a nice database I got from company xyz, any taker?"
it is already too late.

Still personally I would invest those 20 K bucks (or more) in penetration testing, which of course gives as well no guarantees of any tangible result, but that may identify one or more possible weak points in the setup.

This said, maybe OSINT tools *like* spiderfoot
https://www.spiderfoot.net/
https://github.com/smicallef/spiderfoot
may provide some insight?

jaclaz

Posted : 31/01/2020 9:01 am
Bunnysniper
(@bunnysniper)
Active Member

Some of my thoughts here since I am doing IR myself

- it is necessary to check if "Thug Life" has backdoored any other system and if they moved laterally. If in doubt, a proactive Threat Hunt would make sense here and not only a pentest
- threat actors of this kind WILL paste the data if they don't get paid, and they prefer Pastebin for that
- if you pay once, you will pay twice. So do not pay at all and accept the punishment of a public shitstorm for violating security best-practices
- your client has to face the reality and inform law enforcement and perhaps data privacy authorities in case people from California ( California Consumer Privacy Act (CCPA)) or Europeans (GDPR) are affected

My employer is doing Dark Web Research, too. We have our own search engine for that and we also check several forums and marketplaces *in real-time*. Are you able to do that, too? 24x7x31 days? Therefore, accept the 20k offer and engage a professional company. Which leads to the next question? Why are you expecting these data in a dark net forum? These data are usually published on Pastebin or other data sharing sites to keep it easy to access them. This is the pressure, these crooks need to make money from this breach. I am simply questioning the dark web search at all for this case. Nevertheless, it makes sense to check these sites from time to time if someone is selling a backdoor for your customer.

regards, Robin

Posted : 31/01/2020 3:29 pm
jaclaz
(@jaclaz)
Community Legend

My employer is doing Dark Web Research, too. We have our own search engine for that and we also check several forums and marketplaces *in real-time*. Are you able to do that, too? 24x7x31 days? Therefore, accept the 20k offer and engage a professional company. Which leads to the next question?

May I ask a few "next questions"?

1) Why is the monitoring limited to 1 month? I mean, what if the *whatever* surfaces on the 32nd (or 47th or 71st for that matter) day?

2) If 20 K bucks is adequate/standard for 1 month of this service, what sense does the counter-offer at 8 K make?

3) What happens if the *whatever* actually surfaces *somewhere* (and within the 1 month timeframe) but the monitoring service fails to detect it?

4) Like it often happens when there is little or no objective metrics to measure performance, how would one choose "company A" over "company B" or "company C" for this kind of monitoring service?

jaclaz

Posted : 31/01/2020 4:56 pm
rbm411
(@rbm411)
New Member

KeyDet89

As I recall, two .jse files (they were named like zze.jse) were dropped in \AppData\Roaming\Microsoft\Word\STARTUP and Outlook\STARTUP. As soon as they hit, cmd.exe and wscript.exe executed. Then, within a few seconds, Outlook opened. It was opened from a process, not a user. I saw evidence of Smartscreen execution right after the Outlook execution but I don't think it was interactive.

Anyway, after about 2 minutes there was a shell.jse created in the Outlook startup directory and Outlook was re-executed. Searchprotocolhost and conhost execute and next thing you know all mapped drive files are copies of the shell.jse file with the original file name. I remember that in the shell.jse it was written by Thug Life. They didn't leave a message or anything.

It wasn't my place to go any further and the client didn't have any interest as the backups had them running in no time.
However, I always believed that someone was actively pushing those files and executing the commands remotely but there were no RDP events. My suspicion was the encrypting of the files was a diversion to cover data exfiltration.

Then again, what do I know ;>

Posted : 01/02/2020 1:14 am
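As an added, defender-side illustration of the persistence location rbm411 describes (not code from the thread or from any poster): a small Python sweep over the per-user Word\STARTUP and Outlook\STARTUP folders that records any script-type file with its hash for triage. The profile root, the extension list and the sample tree are assumptions constructed for the demo; on a real host you would point it at C:\Users or a mounted image.

```python
"""Sweep per-user Office STARTUP folders for script files, the persistence spot rbm411 describes."""
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path

# Extensions WSH or the shell would execute. Assumption: illustrative list; .dotm/.dotx
# add-ins are normal in Word\STARTUP and are deliberately not flagged.
SCRIPT_EXTS = {".jse", ".js", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd"}

# Relative to each user profile; the two paths named in the thread.
STARTUP_DIRS = (
    Path("AppData/Roaming/Microsoft/Word/STARTUP"),
    Path("AppData/Roaming/Microsoft/Outlook/STARTUP"),
)

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_startup_scripts(profiles_root: Path) -> list[dict]:
    """One record per script-type file in any user's Office STARTUP folder.
    profiles_root is the parent of the profile dirs (C:\\Users live, or the mounted image)."""
    findings = []
    for profile in sorted(p for p in profiles_root.iterdir() if p.is_dir()):
        for rel in STARTUP_DIRS:
            startup = profile / rel
            if not startup.is_dir():
                continue
            for f in sorted(startup.iterdir()):
                if f.is_file() and f.suffix.lower() in SCRIPT_EXTS:
                    st = f.stat()
                    findings.append({"user": profile.name, "path": (rel / f.name).as_posix(),
                                     "size": st.st_size, "mtime": st.st_mtime, "sha256": sha256_of(f)})
    return findings

def build_demo_tree(root: Path) -> Path:
    """Constructed sample: 'alice' is clean, 'bob' has a zze.jse in both STARTUP folders."""
    clean = root / "alice" / STARTUP_DIRS[0]
    clean.mkdir(parents=True)
    (clean / "Addin.dotm").write_bytes(b"legitimate template, not flagged")
    for rel in STARTUP_DIRS:
        d = root / "bob" / rel
        d.mkdir(parents=True)
        (d / "zze.jse").write_bytes(b"// constructed placeholder, not a real dropper\n")
    return root

def demo() -> list[dict]:
    """Build the sample tree in a temp dir and sweep it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_startup_scripts(build_demo_tree(Path(tmp)))

if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

The hash and mtime in each record are what you would pivot on next (other hosts, Prefetch/Amcache, wscript.exe execution around that time), which is the "someone was pushing those files" question rbm411 left open.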
armresl
(@armresl)
Senior Member

Good idea Robin,

The other idea is to subcontract the work and strike a "referral fee" for yourself.

If you just pass the job on to someone else, you find they can then stop calling for things you know how to do and could look to this other company for everything else.

Some of my thoughts here since I am doing IR myself

- it is necessary to check if "Thug Life" has backdoored any other system and if they moved laterally. If in doubt, a proactive Threat Hunt would make sense here and not only a pentest
- threat actors of this kind WILL paste the data if they don't get paid, and they prefer Pastebin for that
- if you pay once, you will pay twice. So do not pay at all and accept the punishment of a public shitstorm for violating security best-practices
- your client has to face the reality and inform law enforcement and perhaps data privacy authorities in case people from California ( California Consumer Privacy Act (CCPA)) or Europeans (GDPR) are affected

My employer is doing Dark Web Research, too. We have our own search engine for that and we also check several forums and marketplaces *in real-time*. Are you able to do that, too? 24x7x31 days? Therefore, accept the 20k offer and engage a professional company. Which leads to the next question? Why are you expecting these data in a dark net forum? These data are usually published on Pastebin or other data sharing sites to keep it easy to access them. This is the pressure, these crooks need to make money from this breach. I am simply questioning the dark web search at all for this case. Nevertheless, it makes sense to check these sites from time to time if someone is selling a backdoor for your customer.

regards, Robin

Posted : 01/02/2020 5:27 am
cybertend
(@cybertend)
New Member

Thanks all for the replies, I have been out of pocket for a bit here.

I am speaking with my contact on specifically what they want to monitor and how often; sub-contracting out to an operation who has processes, and most importantly metrics, in place is on the table depending on further discussions.

Agree on the pentest. My focus is defense and forensics, so this would certainly be contracted out if they went through me for this. To date, they have opted to secure these services without my involvement.

Replying to @jaclaz inline…

1) Why is the monitoring limited to 1 month? I mean, what if the *whatever* surfaces on the 32nd (or 47th or 71st for that matter) day?

–CyberTend– Agree. I am hoping to secure a 12 month contract as what you point out is the same as I pointed out. I think they are in fire drill mode at the moment and this is therefore a knee-j**k reaction.

2) If 20 K bucks is adequate/standard for 1 month of this service, what sense does the counter-offer at 8 K make?

–CyberTend– My thoughts on the 8k were to limit the scope and secure a 12 month contract. I figured the 20k quote they initially got was due to lots of spin-up and "learning" for only a single month's work. For me, the first couple of months will be rough while we iron out meaningful metrics…I am hopeful I can then write some python or lean on github for some code to help me automate…hopeful anyway.

3) What happens if the *whatever* actually surfaces *somewhere* (and within the 1 month timeframe) but the monitoring service fails to detect it?

–CyberTend– This is absolutely my biggest concern, do they then sue me as I didn't catch it, sever the contract, send out the black coats to off me )? I am going to cover my bases legally before anything is signed here.

4) Like it often happens when there is little or no objective metrics to measure performance, how would one choose "company A" over "company B" or "company C" for this kind of monitoring service?

–CyberTend– 100% agree. These services MUST be metrics driven, somehow…someway…. I am just not coming to any rational conclusion what metrics are actually reasonable for this kind of service. I actually won't take the gig unless me and my contact can agree on what metrics are meaningful. In the absence of metrics it is just me saying "Oh, I checked these sites and didn't find anything." This is not acceptable.

Anyone have any experience with A_non_ymous Anon_Paste? I have pretty much stuck to searching pastebin_DOT_com

Posted : 04/02/2020 7:15 pm
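An added example (not code from the thread or any poster) of the two things cybertend's plan and his last reply ask for: screening collected paste text against a client watch-list so a lone mention of the company name does not page anyone, and writing one audit record per check so "I checked these sites and found nothing" becomes a countable metric. The watch-list, the company name and the sample pastes are constructed assumptions; fetching from a paste site is left out so the block runs offline.

```python
"""Keyword screening of collected paste text against client indicators, with an audit record per check."""
from __future__ import annotations
import hashlib
import re
from datetime import datetime, timezone

# Hypothetical watch-list: company name, column headers from the ransomed table, mail domain.
# Real values come from the client; these are constructed for the demo.
WATCHLIST = {
    "company": [r"acme\s*corp"],
    "schema": [r"\bcust_id\b", r"\bcard_last4\b"],
    "domain": [r"@acmecorp\.example\b"],
}
PATTERNS = {cat: [re.compile(p, re.I) for p in pats] for cat, pats in WATCHLIST.items()}

def score_paste(text: str) -> dict:
    """Hits per category; hits in two or more categories count as a likely match, so a lone
    mention of the company name in unrelated chatter stays below the alert threshold."""
    hits = {cat: sum(len(p.findall(text)) for p in pats) for cat, pats in PATTERNS.items()}
    cats = sum(1 for n in hits.values() if n)
    return {"hits": hits, "categories": cats, "likely": cats >= 2}

def check_source(source: str, pastes: list[tuple[str, str]],
                 seen: set[str], log: list[dict]) -> list[dict]:
    """Screen (paste_id, text) pairs from one source, skipping ids already reviewed.
    Appends one audit record (what, when, how many, how many hit) and returns flagged pastes."""
    flagged, reviewed = [], 0
    for pid, text in pastes:
        if pid in seen:
            continue
        seen.add(pid)
        reviewed += 1
        s = score_paste(text)
        if s["likely"]:
            flagged.append({"source": source, "id": pid,
                            "sha256": hashlib.sha256(text.encode()).hexdigest(), **s})
    log.append({"ts": datetime.now(timezone.utc).isoformat(), "source": source,
                "reviewed": reviewed, "skipped_seen": len(pastes) - reviewed,
                "flagged": len(flagged)})
    return flagged

# Constructed sample pastes standing in for a fetch from a paste site (no network used).
SAMPLE_PASTES = [
    ("paste-1", "anyone got the acme corp holiday schedule?"),                     # one category only
    ("paste-2", "cust_id,email,card_last4\n1001,j.doe@acmecorp.example,4242\n"),  # looks like a dump
    ("paste-3", "SELECT 1; -- unrelated snippet"),
]

def demo() -> tuple[list[dict], list[dict]]:
    """Two runs over the same pastes: the second reviews nothing new but is still logged."""
    seen, log = set(), []
    flagged = check_source("pastebin-demo", SAMPLE_PASTES, seen, log)
    check_source("pastebin-demo", SAMPLE_PASTES, seen, log)
    return flagged, log

if __name__ == "__main__":
    for item in demo():
        print(item)
```

The audit log is the deliverable to hand the client each period: sources checked, timestamps, items reviewed versus skipped, and hits, which is the kind of measurable record jaclaz's questions 3 and 4 call for.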