My employer is doing Dark Web Research, too. We have our own search engine for that and we also check several forums and marketplaces *in real-time*. Are you able to do that, too? 24x7x31 days? Therefore, accept the 20k offer and engage a professional company. Which leads to the next question?
May I ask a few "next questions"?
1) Why is the monitoring limited to 1 month? I mean, what if the *whatever* surfaces on the 32nd (or 47th or 71st for that matters) day?
2) If 20 K bucks is adequate/standard for 1 month of this service, what sense has the counter-offer at 8 K ?
3) What happens if the *whatever* actually surfaces *somewhere* (and within the 1 month timeframe) but the monitoring service fails to detect it?
4) Like it often happens when there is little or no objective metrics to measure performance, how would one choose "company A" over "company B" or "company C" for this kind of monitoring service?
jaclaz
KeyDet89
As I recall, two .jse files (they were named something like zze.jse) were dropped in \AppData\Roaming\Microsoft\Word\STARTUP and Outlook\STARTUP. As soon as they hit, cmd.exe and wscript.exe executed. Then, within a few seconds, Outlook opened. It was opened from a process, not by a user. I saw evidence of SmartScreen execution right after the Outlook execution, but I don't think it was interactive.
Anyway, after about 2 minutes a shell.jse was created in the Outlook startup directory and Outlook was re-executed. SearchProtocolHost and conhost executed, and the next thing you know, all the files on mapped drives were copies of the shell.jse file with the original file names. I remember that in the shell.jse it said it was written by Thug Life. They didn't leave a message or anything.
It wasn't my place to go any further and the client didn't have any interest as the backups had them running in no time.
However, I always believed that someone was actively pushing those files and executing the commands remotely but there were no RDP events. My suspicion was the encrypting of the files was a diversion to cover data exfiltration.
Then again, what do I know ;>
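The chain in that post (a script host running out of an Office STARTUP folder, then Outlook started by a process rather than by the user) can be expressed as two triage rules over ordinary process-creation telemetry. The following is an added example, not code from the thread or from any tool mentioned in it. The events are constructed to resemble Sysmon process-creation records, and the extension list beyond .jse, the "interactive parent is explorer.exe" rule, the user name and the profile path are my assumptions for the example.

```python
"""Triage of process-creation events for Office STARTUP script persistence
(added example, not from the thread). The events below are constructed to
resemble Sysmon Event ID 1 records; they are not real logs."""
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: the per-user Office add-in folders named in the post are the
# ones to watch; other Office apps have sibling STARTUP folders not covered here.
OFFICE_STARTUP_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\(?:Word|Outlook)\\STARTUP\\[^\s\"]+",
    re.IGNORECASE,
)
# Assumption: the post saw .jse; the other Windows Script Host extensions
# are a generalization of the same technique.
SCRIPT_EXTS = (".jse", ".js", ".vbs", ".vbe", ".wsf")
WSH_HOSTS = ("wscript.exe", "cscript.exe")
# Assumption: an interactive Outlook launch has explorer.exe as its parent.
INTERACTIVE_PARENTS = ("explorer.exe",)


@dataclass
class ProcEvent:
    ts: str       # ISO-8601 UTC, sorts lexically
    image: str    # full path of the new process
    parent: str   # full path of the parent process
    cmdline: str
    user: str


def basename(path):
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def startup_scripts(cmdline):
    """Script paths under an Office STARTUP folder referenced by a command line."""
    return [p for p in OFFICE_STARTUP_RE.findall(cmdline)
            if p.lower().endswith(SCRIPT_EXTS)]


def triage(events):
    """Return (ts, severity, reason) findings in time order."""
    findings = []
    for e in sorted(events, key=lambda ev: ev.ts):
        img, par = basename(e.image), basename(e.parent)
        # Rule 1: a script host running a script out of an Office STARTUP folder.
        if img in WSH_HOSTS:
            for script in startup_scripts(e.cmdline):
                findings.append((e.ts, "high",
                                 f"{img} ran {script} (parent {par}, user {e.user})"))
        # Rule 2: Outlook started by something other than the user's shell;
        # a script host as the parent is exactly the chain in the post.
        if img == "outlook.exe" and par not in INTERACTIVE_PARENTS:
            sev = "high" if par in WSH_HOSTS else "medium"
            findings.append((e.ts, sev, f"outlook.exe launched by {par}, not interactive"))
    return findings


def summarize(findings):
    """Count findings per severity."""
    return dict(Counter(sev for _, sev, _ in findings))


U = r"C:\Users\alice"                                    # constructed profile path
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"  # constructed install path
SAMPLE_EVENTS = [  # constructed, not real telemetry
    ProcEvent("2019-05-02T10:00:00Z", rf"{OFFICE}\OUTLOOK.EXE", r"C:\Windows\explorer.exe",
              "OUTLOOK.EXE", r"CORP\alice"),
    ProcEvent("2019-05-02T10:05:01Z", r"C:\Windows\System32\wscript.exe", rf"{OFFICE}\WINWORD.EXE",
              rf'wscript.exe //B "{U}\AppData\Roaming\Microsoft\Word\STARTUP\zze.jse"', r"CORP\alice"),
    ProcEvent("2019-05-02T10:05:02Z", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wscript.exe",
              "cmd.exe", r"CORP\alice"),
    ProcEvent("2019-05-02T10:05:04Z", rf"{OFFICE}\OUTLOOK.EXE", r"C:\Windows\System32\wscript.exe",
              "OUTLOOK.EXE", r"CORP\alice"),
    ProcEvent("2019-05-02T10:07:10Z", r"C:\Windows\System32\wscript.exe", rf"{OFFICE}\OUTLOOK.EXE",
              rf'wscript.exe //B "{U}\AppData\Roaming\Microsoft\Outlook\STARTUP\shell.jse"', r"CORP\alice"),
    ProcEvent("2019-05-02T10:07:11Z", r"C:\Windows\System32\conhost.exe", r"C:\Windows\System32\wscript.exe",
              "conhost.exe 0x4", r"CORP\alice"),
    ProcEvent("2019-05-02T10:07:12Z", rf"{OFFICE}\OUTLOOK.EXE", r"C:\Windows\System32\svchost.exe",
              "OUTLOOK.EXE", r"CORP\alice"),
    ProcEvent("2019-05-02T10:30:00Z", r"C:\Windows\System32\cscript.exe", r"C:\Windows\System32\svchost.exe",
              r"cscript.exe //nologo C:\Windows\Temp\inventory.vbs", r"NT AUTHORITY\SYSTEM"),
]

if __name__ == "__main__":
    for ts, sev, why in triage(SAMPLE_EVENTS):
        print(ts, sev.upper(), why)
    print(summarize(triage(SAMPLE_EVENTS)))
```

Rule 2 is only medium on its own because legitimate automation (a scheduled task, a management agent) can also start Outlook; it is the combination with Rule 1 in the same minute that reproduces the post's timeline. Neither rule needs RDP or logon events, which matters for the remote-execution theory in the post.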
Good idea, Robin.
The other idea is to subcontract the work and strike a "referral fee" for yourself.
If you just pass the job on to someone else, you may find they then stop calling you for the things you know how to do and look to this other company for everything else.
Some of my thoughts here since I am doing IR myself
- it is necessary to check if "Thug Life" has backdoored any other system and if they moved laterally. If in doubt, a proactive threat hunt would make sense here, and not only a pentest
- threat actors of this kind WILL paste the data if they don't get paid, and they prefer Pastebin for that
- if you pay once, you will pay twice. So do not pay at all and accept the punishment of a public shitstorm for violating security best practices
- your client has to face reality and inform law enforcement and perhaps data privacy authorities in case people from California (California Consumer Privacy Act (CCPA)) or Europeans (GDPR) are affected
My employer is doing Dark Web Research, too. We have our own search engine for that and we also check several forums and marketplaces *in real-time*. Are you able to do that, too? 24x7x31 days? Therefore, accept the 20k offer and engage a professional company. Which leads to the next question: why are you expecting these data in a dark net forum? These data are usually published on Pastebin or other data-sharing sites to keep them easy to access. This is the pressure; these crooks need to make money from this breach. I am simply questioning the dark web search at all for this case. Nevertheless, it makes sense to check these sites from time to time to see if someone is selling a backdoor for your customer.
regards, Robin
Thanks all for the replies, I have been out of pocket for a bit here.
I am speaking with my contact about specifically what they want to monitor and how often. Subcontracting out to an operation that has processes, and most importantly metrics, in place is on the table depending on further discussions.
Agree on the pentest. My focus is defense and forensics, so this would certainly be contracted out if they went through me for this. To date, they have opted to secure these services without my involvement.
Replying to @jaclaz inline…
1) Why is the monitoring limited to 1 month? I mean, what if the *whatever* surfaces on the 32nd (or 47th or 71st for that matters) day?
–CyberTend– Agreed. I am hoping to secure a 12-month contract, as what you point out is the same as I pointed out. I think they are in fire drill mode at the moment and this is therefore a knee-j**k reaction.
2) If 20 K bucks is adequate/standard for 1 month of this service, what sense has the counter-offer at 8 K ?
–CyberTend– My thoughts on the 8k were to limit the scope and secure a 12-month contract. I figured the 20k quote they initially got was due to lots of spin-up and "learning" for only a single month's work. For me, the first couple of months will be rough while we iron out meaningful metrics… I am hopeful I can then write some Python or lean on GitHub for some code to help me automate… hopeful anyway.
3) What happens if the *whatever* actually surfaces *somewhere* (and within the 1 month timeframe) but the monitoring service fails to detect it?
–CyberTend– This is absolutely my biggest concern: do they then sue me because I didn't catch it, sever the contract, send out the black coats to off me? I am going to cover my bases legally before anything is signed here.
4) Like it often happens when there is little or no objective metrics to measure performance, how would one choose "company A" over "company B" or "company C" for this kind of monitoring service?
–CyberTend– 100% agree. These services MUST be metrics-driven, somehow… someway… I am just not coming to any rational conclusion about what metrics are actually reasonable for this kind of service. I actually won't take the gig unless my contact and I can agree on what metrics are meaningful. In the absence of metrics it is just me saying "Oh, I checked these sites and didn't find anything." This is not acceptable.
Anyone have any experience with A_non_ymous Anon_Paste? I have pretty much stuck to searching pastebin_DOT_com
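As an added illustration of the automation and the metrics discussed in the reply above (not code from the thread, and not from any vendor or tool mentioned in it): the script below scans constructed paste texts for a client watchlist, writes a check record for every source it looked at whether or not anything matched, and turns those records into numbers a client can audit (sources covered, checks run, items scanned, hits, time from posting to detection). The site names, salt, watchlist and paste contents are made up for the example; storing only salted hashes of the client's email list, so the monitor never holds the addresses in cleartext, is a design choice of mine rather than something the thread discusses.

```python
"""Watchlist scan of paste-site content with an audit trail of every check
(added example, not code from the thread). Pastes are constructed inline;
a real monitor would fetch them from each site's API or archive."""
import hashlib
import re
from datetime import datetime, timedelta, timezone

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def hash_indicator(value, salt):
    """Salted SHA-256 of a normalized indicator, so the monitor stores only
    hashes of the client's email list rather than the list itself."""
    return hashlib.sha256(salt + value.strip().lower().encode()).hexdigest()


def build_watchlist(domains, emails, salt):
    return {
        "domains": {d.lower() for d in domains},
        "email_hashes": {hash_indicator(e, salt) for e in emails},
    }


def scan_text(text, watch, salt):
    """Return (kind, value) hits; email hits report a hash prefix, not the address."""
    hits = []
    low = text.lower()
    for d in sorted(watch["domains"]):
        if d in low:
            hits.append(("domain", d))
    for email in sorted(set(EMAIL_RE.findall(text))):
        h = hash_indicator(email, salt)
        if h in watch["email_hashes"]:
            hits.append(("email", h[:12]))
    return hits


def run_check(source, pastes, watch, salt, checked_at):
    """Scan one source and return (check record, hits). The record is kept even
    when nothing matched: that is the evidence that the source was covered."""
    hits = []
    for p in pastes:
        for kind, value in scan_text(p["text"], watch, salt):
            hits.append({
                "source": source, "paste_id": p["id"], "kind": kind, "value": value,
                "latency_s": (checked_at - p["posted_at"]).total_seconds(),
            })
    record = {"source": source, "checked_at": checked_at.isoformat(),
              "items_scanned": len(pastes), "hits": len(hits)}
    return record, hits


def run_all(sources, watch, salt, checked_at):
    """One monitoring pass over every configured source."""
    records, hits = [], []
    for name, pastes in sources.items():
        r, h = run_check(name, pastes, watch, salt, checked_at)
        records.append(r)
        hits.extend(h)
    return records, hits


def metrics(records, hits):
    """Numbers a client can audit: coverage, volume, hits and time-to-detect."""
    return {
        "checks": len(records),
        "sources": len({r["source"] for r in records}),
        "items_scanned": sum(r["items_scanned"] for r in records),
        "hits": len(hits),
        "max_latency_s": max((h["latency_s"] for h in hits), default=0.0),
    }


# Constructed engagement data; a real salt would be random and per engagement.
SALT = b"per-engagement-secret"
WATCH = build_watchlist(["example-client.com"],
                        ["alice@example-client.com", "bob@example-client.com"], SALT)
T0 = datetime(2019, 5, 3, 9, 0, tzinfo=timezone.utc)
CHECKED_AT = T0 + timedelta(hours=1)  # the pass runs one hour after the first paste
SAMPLE_SOURCES = {  # constructed pastes and site labels, not real posts
    "pastebin": [
        {"id": "p1", "posted_at": T0,
         "text": "dump #3\nalice@example-client.com:Passw0rd!\ncarol@other.example:hunter2\n"},
        {"id": "p2", "posted_at": T0, "text": "lorem ipsum, nothing relevant"},
    ],
    "anonpaste": [
        {"id": "a1", "posted_at": T0 + timedelta(minutes=40),
         "text": "selling vpn access to example-client.com, dm me"},
    ],
}

if __name__ == "__main__":
    recs, found = run_all(SAMPLE_SOURCES, WATCH, SALT, CHECKED_AT)
    print(metrics(recs, found))
```

The check records are the answer to "how do I prove I looked": each pass leaves a row per source with a timestamp and an item count, so a month of monitoring can be reported as a coverage table rather than a verbal assurance, and the latency figure is something a contract can actually put a target on.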