Client being extorted to pay bitcoin or database released

(@cybertend)
Posts: 22
Eminent Member
Topic starter
 

New to this site and forum…howdy from Texas all.

I am doing DFIR work for a very large global client.
I have been working on touchy issues like this for years with them and they are very happy with me so they tend to ask questions outside of DFIR for guidance on occasion.

Today was such an occasion… here are the details and what I have directed them to do thus far.
This is a bit out of scope for DFIR, but thought that folks here would have some thoughts….

_______
Client called and stated an entity called "Thug Life" sent an anon email stating if they don't pay X in bitcoin they would release Y database. A sample of the database was provided, so it is believed that this is a legitimate threat.

Client wants to see if they can identify "Thug Life".

My direct response
(for brevity "Thug Life" == TL, direct communications to client will be noted by a ->)

-> Do the usual, provide a copy of the email, headers and such. I am doubtful anything here will be of value if TL practiced basic opsec.

-> TL is very generic so it will be difficult to hit any groups directly associated with the TL that contacted you.

This could be an inside job so I relayed
-> Add new string/strings in your IDS and/or SIEM to match on key terms/words associated with the email hosting provider, dbase terms and usage of TOR.
This would absolutely be fruitful if tracked to an internal employee.

To search web/darkweb for TL (all of these are risky options IMHO)
-> Search pastebin.com for your company name, terms in the database and anything else that would be relevant.
-> Search darkweb market sites for this dbase for sale…this is very risky of course and could tip off the evildoer.
I gave the client instructions on how to set up an anon email with protonmail and how to access a hiddenwiki of market sites.
Even if they found the TL they are looking for, what are they going to do about it if it's an external entity?
________

Thanks and I am sure this will be a lively discussion.

 
Posted : 24/01/2020 7:32 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

First off, I don't think that this is particularly out of scope for DFIR, as I worked a case very similar to this back before there was bitcoin. 😉

So, the company is relatively sure that the sample that the bad guy provided is legit…that's a start.

Based on the sample, do they have a time frame on which to place this event? From there, perhaps a review of available data (logs, etc.) might reveal how the data was exposed, and help determine if this was likely an inside job, or the result of a breach.

Something for the company to consider is, how much effort do they have to expend, and of that, how much do they want to put into finding "TL"? The reason I ask is, has the company stated the end game in their mind? Is it prosecution? If so, the breach itself could then become part of the public record. I know that law enforcement (in the US) has worked to keep company names out of suits that are filed, but once in court, there's little to prevent the defense from making the company name public.

As resources are usually limited, my suggestion would be that the company pursue determining how the data was exposed, and from then proceed from there.

 
Posted : 24/01/2020 9:21 pm
(@cybertend)
Posts: 22
Eminent Member
Topic starter
 

Thanks for the nice reply keydet89. Makes sense to put the focus on how the data was obtained in the first place rather than focusing on trying to identify "TL" in the wild.

 
Posted : 24/01/2020 9:59 pm
(@rbm411)
Posts: 3
New Member
 

I tripped across Thug Life twice this summer while investigating separate ransomware incidents. The incident started by dropping a jscript file in the Outlook and Word startup directories. It then converted all files on mapped drives to .json files. It didn't touch local files.

They didn't leave a note anywhere. I was only allowed to investigate the PC so I don't know how it got in, however, it didn't appear to come from an email or attachment.

 
Posted : 27/01/2020 8:23 pm
(@rich2005)
Posts: 535
Honorable Member
 

As resources are usually limited, my suggestion would be that the company pursue determining how the data was exposed, and from then proceed from there.

That's definitely got to be the course of action….as it's always going to be hard to be certain you're not still compromised (in one or more ways)….much more so if you don't know how you were compromised in the first place! After all, if the hole isn't plugged, the same thing could happen again (whether by the same person or someone else).
On top of trying to "plug the hole" or remove any remaining threat, it's probably a good idea to see if you can work out whether that's the only thing that was taken, as it's not guaranteed that database isn't just the thin end of the wedge.
(the previous post by rbm411 certainly lends weight to the likelihood it's a breach)

Regardless of the future action the big company takes, I think it would be irresponsible of them to not, at the bare minimum, seek to try to identify
1) How they got in
2) Is any threat still present
3) Are they still vulnerable to the method of entry
4) What data was accessed/taken (rather than just assuming it's solely the database being ransomed)
and later
5) Review whether their security is sufficient both to prevent intrusions as well as to facilitate their investigation quickly/easily

Not only for their own benefit but because I assume they likely have personal/client/employee data somewhere on their systems (and all the business/legal implications of that).

 
Posted : 28/01/2020 10:50 am
(@cybertend)
Posts: 22
Eminent Member
Topic starter
 

Thanks so much everyone for all the replies and great suggestions.
rbm411, this is very, very good intel from you and I am going to pass this on to them.

My contact did say they have determined how Thug Life got in and that the issue is fixed.
I didn't ask, of course, and my contact did not disclose any TTPs.

I can start a totally different thread for this next one thrown at me, if that is appropriate, moderators.

My contact did say the C-Levels are concerned enough that the CIO there instructed the security team to "monitor the dark web" for their company name or other indicators that point to a legitimate or planned attack/breach.

Unable and unequipped to do this internally, they contacted one of the large accounting firms and got a quote of $20,000 for one month of "Dark Web" monitoring.
To me, and my contact, this is somewhat of a challenge as
a) How exactly are you going to monitor the dark web?
b) Even if you find some indicators, what are you going to do about it?

BUT my contact said look, if you can put together a quote/proposal to do the same thing for say $8,000 I will give you the contract. Now they have my attention as I am a small 2-man shop trying to put two kiddos through college ).

My plan is this
a) monitor pastebin sites.
b) join several of the dark web markets and search for any databases for sale.
c) ?

This may be out of the scope/inappropriate for this site, but does anyone have any thoughts?
I was going to search through this site and forums for previous recommendations.
Explore what Experian states they do for their offering of "dark web monitoring".
Look into GitHub for any tools.

I would appreciate any suggestions and I would be happy to send a box o steaks from Texas for some good suggestions that actually work ).

 
Posted : 30/01/2020 10:56 pm
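One way to make the paste-site monitoring in plan item (a) above, and the "search pastebin.com for your company name and terms in the database" advice from the opening post, produce fewer false alarms is to score each fetched paste against a watchlist and only escalate when the company name co-occurs with schema terms or dump-shaped rows. This is an added example, not code from anyone in the thread; the company name, column names and sample pastes are constructed placeholders, and fetching the pastes themselves (via an API or a poller) is left out.

```python
import re
from dataclasses import dataclass, field

# Watchlist for paste triage. The company name and column names below are
# constructed placeholders; a real list holds the client's name plus terms
# that only occur in the ransomed database.
WATCHLIST = {
    "company": ["examplecorp"],
    "db_terms": ["cust_id", "acct_hash", "billing_zip"],
}

# Shape of a credential-dump row: optional leading id, an e-mail address, a
# separator, then a hash or password. Counting such rows tells a real dump
# apart from a press release that merely mentions the company.
DUMP_ROW = re.compile(r"^(?:\w+[:;,|\t])?[\w.+-]+@[\w-]+\.[\w.]+[:;,|\t ]\S{6,}$")

@dataclass
class PasteHit:
    company_terms: list = field(default_factory=list)
    db_terms: list = field(default_factory=list)
    dump_rows: int = 0

    @property
    def verdict(self) -> str:
        # A bare name match is noise (news, job ads); require schema terms
        # or several dump-shaped rows before paging an analyst.
        if self.company_terms and (self.db_terms or self.dump_rows >= 3):
            return "likely-leak"
        if self.company_terms or self.db_terms:
            return "mention"
        return "none"

def score_paste(text: str, watchlist=WATCHLIST) -> PasteHit:
    # Case-insensitive term matching plus a per-line dump-shape count.
    lowered = text.lower()
    hit = PasteHit()
    hit.company_terms = [t for t in watchlist["company"] if t in lowered]
    hit.db_terms = [t for t in watchlist["db_terms"] if t in lowered]
    hit.dump_rows = sum(1 for ln in text.splitlines() if DUMP_ROW.match(ln.strip()))
    return hit

# Constructed sample pastes standing in for what a pastebin poller would fetch.
LEAK_PASTE = """ExampleCorp customer db sample, full dump for sale
cust_id,email,acct_hash,billing_zip
1001,alice@examplecorp.com,0a1b2c3d4e5f60718293a4b5c6d7e8f9,75001
1002,bob@examplecorp.com,f9e8d7c6b5a49382716f5e4d3c2b1a00,77002
1003,carol@examplecorp.com,1234abcd5678ef901234abcd5678ef90,78701
"""
NEWS_PASTE = "ExampleCorp opens a new Austin office and is hiring 200 engineers.\n"
```

The same watchlist terms can be reused as the IDS/SIEM match strings mentioned in the opening post, so that internal traffic carrying the schema terms is flagged by the same logic.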
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I tripped across Thug Life twice this summer while investigating separate ransomware incidents. The incident started by dropping a jscript file in the Outlook and Word startup directories.

Can you elaborate a bit and provide the directory paths?

Thanks.

 
Posted : 30/01/2020 11:30 pm
(@rich2005)
Posts: 535
Honorable Member
 

Unable and unequipped to do this internally, they contacted one of the large accounting firms and got a quote of $20,000 for one month of "Dark Web" monitoring.
To me, and my contact, this is somewhat laughable as
a) How exactly are you going to monitor the dark web?
b) Even if you find some indicators, what are you going to do about it?

BUT my contact said look, if you can put together a quote/proposal to do the same thing for say $8,000 I will give you the contract. Now they have my attention as I am a small 2 man shop trying to put two kiddos through college ).

My plan is this
a) monitor pastebin sites.
b) join several of the dark web markets and search for any databases for sale.
c) ?

This may be out of the scope/inappropriate for this site, but does anyone have any thoughts?

It's impossible to know how good (or not) the competitor is without knowing their processes.
It might be something you could easily do yourself but it also might be something impossible to replicate quickly.
Firstly you have the issue of knowing all the places on the "dark web" (I hate that term) to look at. By their very nature, that's impossible. Therefore anyone (or any company) seeking to monitor the dark web would have to initially (and likely on an ever-growing basis) identify areas to monitor (whether a website or some other communication/file-transfer setup). Even if identified, many of these "areas" may not be public and require authorisation to access, payment, vetting (initial and/or on-going, to build up a history).
Essentially doing it properly would be a difficult and labour-intensive on-going covert investigation, likely requiring both technical and investigative skill to be good at it. There might perhaps be some kind of automated methods to assist in the identification of areas to look at, or monitoring of unguarded areas, but that would just be the thin end of the wedge.
Of course your client may not know any of that, and their competitor might also be poor, however the truth of the matter is it's a difficult task to accomplish, and best done by an investigator that does this (and has been doing it) for a long time, and ideally a team of them, due to the scale of the essentially impossible task.

 
Posted : 31/01/2020 8:23 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Personally, I would call that finding a needle in the haystack, and, as you say, once (if) you find it, what are you gonna do with that info?

If the (relevant) data has already been exfiltrated there is no way on earth to stop it from being sold/exchanged, so that is a dead end anyway.

The monitoring might be a proactive way to see if there are signs of related activity, or explicit plans for new intrusions, but I doubt that they can be found before they are put into practice.

The only use I can see of this monitoring would be checking if there is anything not related to the specific company, but about the tools/infrastructure the company uses (unless they are somehow proprietary/custom).

I mean, I don't think it likely that anyone will post something *like*
"Hey peeps, I have this nice exploit/credentials/whatever to penetrate company xyz's site/cloud/whatever anyone wants to buy it for a mere <insert here a number> bitcoins/fantacoins/whatever."

While, if they post something more *like*
"Hey peeps, I have here a nice database I got from company xyz, any taker?"
it is already too late.

Still personally I would invest those 20 K bucks (or more) in penetration testing, which of course gives as well no guarantees of any tangible result, but that may identify one or more possible weak points in the setup.

This said, maybe OSINT tools *like* spiderfoot
https://www.spiderfoot.net/
https://github.com/smicallef/spiderfoot
may provide some insight?

jaclaz

 
Posted : 31/01/2020 9:01 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Some of my thoughts here since I am doing IR myself

- it is necessary to check if "Thug Life" has backdoored any other system and if they moved laterally. If in doubt, a proactive Threat Hunt would make sense here and not only a pentest
- threat actors of this kind WILL paste the data if they don't get paid, and they prefer Pastebin for that
- if you pay once, you will pay twice. So do not pay at all and accept the punishment of a public shitstorm for violating security best-practices
- your client has to face the reality and inform law enforcement and perhaps data privacy authorities in case people from California (California Consumer Privacy Act (CCPA)) or Europeans (GDPR) are affected

My employer is doing Dark Web Research, too. We have our own search engine for that and we also check several forums and marketplaces *in real-time*. Are you able to do that, too? 24x7x31 days? Therefore, accept the 20k offer and engage a professional company. Which leads to the next question: why are you expecting these data in a dark net forum? These data are usually published on Pastebin or other data sharing sites to keep it easy to access them. This is the pressure; these crooks need to make money from this breach. I am simply questioning the dark web search at all for this case. Nevertheless, it makes sense to check these sites from time to time if someone is selling a backdoor for your customer.

regards, Robin

 
Posted : 31/01/2020 3:29 pm