In Episode 2 of Know Your Adversary™, we discuss an attempted compromise of a managed service provider (MSP) by a disgruntled former employee who tried to sell backdoor access on the dark web. Our guest is former Senior FBI Computer Scientist and current VP of Threat Hunting & Counterintelligence at Binary Defense, Randy Pargman.
In 2019, Binary Defense engaged with an actor selling backdoor, unauthorized, and illegal access to an MSP in the eastern United States. The MSP provided outsourced IT functions for many companies, and a compromise of its systems would have had a major impact on hundreds of its clients. The actor, who identified himself only as “W0zniak,” attempted to sell the username and password for $600. In order to ensure confidentiality and proper legal engagement, Binary Defense coordinated with the FBI to conduct a “controlled purchase” of the credentials, inform the MSP, prevent any other threat actor from buying the same credentials or using them to access the MSP, help the FBI attribute and unmask the individual, and bring the actor to justice.
Here are some of the key takeaways from the episode:
Threat Actors Sell Access to Victim Networks Using a Variety of Methods. Actors typically fall into one of several roles: those who sell access, those who buy access, those who gain access and persist (ransomware, espionage, etc.), those who steal valuable information, and those who facilitate the payment(s) can all be different individuals or groups. In this case, a former employee created credentials with the intent to sell them to other criminals. Unfortunately for him, he sold them to the good guys, Binary Defense and the FBI.
The Case for More Aggressive Attribution and Unmasking of Adversaries. An enterprise often needs to be able to determine whether an attack is a target of opportunity (a drive-by scam or smash-and-grab) or well-orchestrated and directed with a specific purpose in mind (insider threat, espionage to gain information, targeted fraud, or ransomware). When it is clear an enterprise is under direct assault, unmasking identities for attribution is often warranted in order to disrupt the attack and identify the perpetrator. Selling unauthorized access that could impact hundreds of other commercial victims justifies unmasking at the identity level to prevent both the initial attack and potential subsequent ones.