FBI most-wanted Russian hacker reveals why he burned his passport

Russian hacker Mikhail Matveev, also known on the internet as “Wazawaka” and “Boriselcin,” is wanted by the FBI, which is offering a $10 million reward for information that could lead to his arrest, and has been put on a U.S. sanctions list. But, according to Matveev, his life hasn’t changed much since he was outed […]

Hackers steal $200 million from crypto company Mixin

Hong Kong-based crypto company Mixin announced on Sunday that it was breached and that the hackers stole around $200 million. “In the early morning of September 23, 2023 Hong Kong time, the database of Mixin Network’s cloud service provider was attacked by hackers, resulting in the loss of some assets,” the company wrote on X, […]

One of the FBI’s most wanted hackers is trolling the U.S. government

Earlier this year, the U.S. government indicted Russian hacker Mikhail Matveev, also known by his online monikers “Wazawaka” and “Boriselcin,” accusing him of being “a prolific ransomware affiliate” who carried out “significant attacks” against companies and critical infrastructure in the U.S. and elsewhere. The feds also accused him of being a “central figure” in the […]

US, UK authorities sanction more alleged Trickbot gang members

U.S. and U.K. authorities have sanctioned more alleged members of the notorious Russia-based Trickbot cybercrime gang. The U.S. Treasury and U.K.’s Foreign Office announced on Thursday fresh sanctions against 11 individuals “involved in management and procurement for the Trickbot group.” This comes just shortly after the two nations imposed sanctions against seven leading members of […]

Researchers watched 100 hours of hackers hacking honeypot computers

Imagine being able to sit behind a hacker and observe them take control of a computer and play around with it.

That’s pretty much what two security researchers did thanks to a large network of computers set up as a honeypot for hackers.

The researchers deployed several Windows servers deliberately exposed on the internet, set up with Remote Desktop Protocol, or RDP, meaning that hackers could remotely control the compromised servers as if they were regular users, being able to type and click around.

Thanks to these honeypots, the researchers were able to record 190 million events and 100 hours of video footage of hackers taking control of the servers and performing a series of actions on them, including reconnaissance, installing malware that mines cryptocurrencies, using Android emulators to conduct click fraud, brute-forcing passwords for other computers, hiding the hackers’ identities by using the honeypot as a starting point for another attack, and even watching porn. The researchers said a single hacker successfully logging into their honeypot can generate “tens of events” alone.

“It’s basically like a surveillance camera for RDP system because we see everything,” Andréanne Bergeron, who has a Ph.D. in criminology from the University of Montreal, told TechCrunch.

Bergeron, who also works for cybersecurity firm GoSecure, worked with her colleague Olivier Bilodeau on this research. The two presented their findings on Wednesday at the Black Hat cybersecurity conference in Las Vegas.

The two researchers classified the hackers by type, using Dungeons & Dragons character classes.

The “Rangers,” according to the two, carefully explored the hacked computers, doing reconnaissance, sometimes changing passwords, and mostly leaving it at that. “Our hypothesis is that they are evaluating the system they compromised so that another profile of attacker can come back later,” the researchers wrote in a blog post published on Wednesday to accompany their talk.

The “Barbarians” use the compromised honeypot computers to try to brute-force their way into other computers using known lists of hacked usernames and passwords, sometimes using tools such as Masscan, a legitimate tool that allows users to port-scan the whole internet, according to the researchers.

The “Wizards” use the honeypot as a platform to connect to other computers in an attempt to hide their trails and the actual origin of their attacks. According to what Bergeron and Bilodeau wrote in their blog post, defensive teams can gather threat intelligence on these hackers, and “reach deeper into compromised infrastructure.”

According to Bergeron and Bilodeau, the “Thieves” have the clear goal of monetizing their access to these honeypots. They may do that by installing crypto miners, programs to perform click fraud or generate fake traffic to websites they control, and selling access to the honeypot itself to other hackers.

Finally, the “Bards” are hackers with very little or almost no skill. These hackers used the honeypots to search Google for malware, and even to watch porn. These hackers sometimes used cell phones instead of desktop or laptop computers to connect to the honeypots. Bergeron and Bilodeau said they believe this type of hacker sometimes uses the compromised computers to download porn, something that may be banned or censored in their country of origin.

In one case, a hacker “was downloading the porn and sending it to himself via Telegram. So basically circumventing a country-level ban on porn,” Bilodeau told TechCrunch. “What I think [the hacker] does with this then is download it in an internet cafe, using Telegram, and then he can put it on USB keys, and he can sell it.”

Bergeron and Bilodeau concluded that being able to observe hackers interacting with this type of honeypot could be very useful not just for researchers like them, but also for law enforcement or cybersecurity defensive teams — also known as blue teams.

“Law enforcement could lawfully intercept the RDP environments used by ransomware groups and collect intelligence in recorded sessions for use in investigations,” the researchers wrote in the blog post. “Blue teams for their part can consume the [Indicators of Compromise] and roll out their own traps in order to further protect their organization, as this will give them extensive documentation of opportunistic attackers’ tradecraft.”

Moreover, if hackers start to suspect that the servers they compromise may be honeypots, they will have to change strategies and decide whether the risks of being caught are worth it, “leading to a slow down which will ultimately benefit everyone,” according to the researchers.

Cybersecurity professional accused of stealing $9 million in crypto

The U.S. government accused a cybersecurity professional of hacking a cryptocurrency exchange and stealing around $9 million in cryptocurrency, in what looks like a case of an ethical hacker turning rogue, then trying to appear ethical again.

In a press release on Tuesday, the U.S. Attorney’s Office of the Southern District of New York announced the indictment of Shakeeb Ahmed, 34, calling him “a senior security engineer for an international technology company whose resume reflected skills in, among other things, reverse engineering smart contracts and blockchain audits, which are some of the specialized skills AHMED used to execute the attack.”

While the prosecutors did not specify who the victim was, cryptocurrency news website Coindesk reported that the description and date of the hack match the attack on Crema Finance, a Solana-based exchange, which happened in early July 2022, around the same date — July 2 and 3 — that Ahmed is alleged to have hacked the unnamed exchange.

In that case, the hacker ended up returning around $8 million in crypto and keeping the rest, as it was reported at the time. In its press release, DOJ prosecutors said that Ahmed “had communications with the Crypto Exchange in which he decided to return all of the stolen funds except for $1.5 million if the Crypto Exchange agreed not to refer the attack to law enforcement.”

This is a very common practice in the world of crypto and web3. In the past, hackers who stole crypto and offered to return parts of it by negotiating with the victims directly have sometimes called themselves “white hats,” cybersecurity lingo for hackers who have good intentions. Clearly, these hackers have taken what is a word with a pretty clear and established meaning and co-opted it for a practice that resides — to say the least — in a gray area.

And, as this case shows, returning some of your crypto loot does not mean you will not be prosecuted.

The feds highlighted the fact that Ahmed, who is accused of wire fraud and money laundering, used the chops he learned in his day jobs to carry out the theft.

“Ahmed used his skills as a computer security engineer to steal millions of dollars. He then allegedly tried to hide the stolen funds, but his skills were no match for IRS Criminal Investigation’s Cyber Crimes Unit,” Special Agent in Charge Tyler Hatcher, who works for IRS-CI, the criminal investigation branch of the IRS, is quoted as saying in the press release.

Ahmed allegedly exploited a vulnerability in the exchange and inserted “fake pricing data to fraudulently generate millions of dollars’ worth of inflated fees,” which he did not actually earn but was still able to withdraw, according to the indictment against Ahmed.

Then, according to the feds, Ahmed allegedly laundered the stolen crypto “through a series of transactions,” including swapping tokens and “bridging” the proceeds from the Solana blockchain to the Ethereum blockchain.

Later, Ahmed also allegedly searched online for information on the hack, “his own criminal liability,” attorneys who had expertise in similar cases, whether law enforcement could investigate such an attack, and “fleeing the United States to avoid criminal charges.”


Do you have information about this hack, other cyberattacks against crypto projects, or thefts of cryptocurrency? We’d love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.

Cybersecurity professional accused of stealing $9 million in crypto by Lorenzo Franceschi-Bicchierai originally published on TechCrunch

Hacktivists steal government files from Texas city Fort Worth

A hacktivist group broke into an online system belonging to the Texas city of Fort Worth, stole several gigabytes of data, and then posted it online.

On Saturday, Fort Worth officials admitted that the city had suffered a data breach, but said that after reviewing the leaked data, “at this time, there is no indication that sensitive information related to residents or staff are a part of this incident,” and that the data “was not sensitive and would be information releasable to the public through a Public Information Request.”

In an online post on its official website, the city said that the leaked data included “attachments to work orders, including photos, spreadsheets, invoices, emails, PDF documents and other material related to work orders.”

“There is no evidence at this time that any other systems were accessed, nor any evidence that sensitive data such as social security numbers, credit card or banking information was accessed, nor released,” the post read.

The city said that an example of the stolen data is “the address of a home with a pothole in the City street in front of the home, that needs to filled, [sic] as well as a picture of the pothole.”

A cursory review of the leaked files shows several pictures of potholes, tilted traffic signs, or fallen traffic lights, as well as email messages between city employees. There is also a document that includes the names, work phone numbers, and email addresses of Fort Worth’s employees.

The hacktivist group goes by SiegedSec, and it claimed the hack on its Telegram channel, saying “we have decided to make a message towards the U.S government. Texas happens to be one of the largest states banning gender affirming care, and for that, we have made Texas our target. Fuck the government.”

The hackers did not immediately respond to a request for comment sent to the email address published on their Telegram channel. Representatives from Fort Worth also did not respond to a request for comment.

The city wrote that the hackers accessed “an internal information system, an application named Vueworks,” by acquiring login credentials to it, although the city said it still doesn’t know how the hackers got those credentials.

The city is asking users of the affected system to reset passwords, is reviewing “sources of information to determine the scope and depth of this incident specific to VueWorks,” and it’s working with law enforcement and computer forensic experts.

SiegedSec has a history of data breaches. Earlier this year, the group leaked data stolen from software giant Atlassian and workplace management startup Envoy. Last year, with the goal of protesting abortion restrictions in the U.S., the group targeted the IP addresses of U.S. companies that had exposed industrial control system (ICS) ports, according to cybersecurity firm Mandiant.

Hacktivists steal government files from Texas city Fort Worth by Lorenzo Franceschi-Bicchierai originally published on TechCrunch

Feds seize notorious and shuttered hacking site BreachForums

Three months after arresting its administrator, U.S. federal authorities have seized the domain of notorious hacking site BreachForums.

For a time, the forum was the go-to community for English-speaking cybercriminals, who would share, advertise, and sell personal data stolen from a variety of websites and companies. In March, the FBI arrested Conor Brian Fitzpatrick in New York, accusing him of being the man behind the nickname “Pompompurin,” the administrator of BreachForums. Shortly after, the site’s new administrator shut down the forum, promising it would never come back.

On Thursday, the content of the old site was replaced with a notice that authorities have seized the domain. The notice displays ten logos of law enforcement agencies from around the globe, the BreachForums logo, and — in what appears to be an epic troll — an image of a handcuffed Pompompurin, a character originally from Hello Kitty.

Earlier this month, however, the new admin, who goes by “Baphomet,” had a change of heart and relaunched the forum on a new domain, teaming up with another notorious hacker group that goes by ShinyHunters.

“Hello, Welcome to BreachForums (reincarnated)! This forum is back with the original team behind Breachforums,” an account called ShinyHunters posted in the new forum.

In another post, Baphomet wrote: “For those somehow not in the loop, I wanted to put out a clear message. We have established the community once again […] This is our only domain, no other domains should be trusted.”

Neither Baphomet nor ShinyHunters immediately responded to requests for comment sent to their Telegram accounts.

The short existence of the new BreachForums has already been rocky. Earlier this week, someone leaked the personal data of more than 4,200 registered members, including nicknames, the associated email addresses, IP addresses, social media handles, scrambled passwords, and other data. One of the new site’s administrators wrote on Telegram that there had been a breach, accusing a rival forum of the hack, as first reported by the cybersecurity blog HackRead.

TechCrunch has seen a copy of the leaked forum data, which was briefly published as downloadable links from the old BreachForums page shortly before the domain was seized. The leaked data included users’ registered email addresses, IP addresses, and their scrambled passwords. Another file contained the user database for the forum itself, including Telegram handles and forum signatures.

Timestamps found in the dataset suggest the data relates to accounts created as recently as June.

According to the note left on the since-seized site: “BreachForums clone has already been hacked. Do not trust websites impersonating, as said multiple times it wont [sic] be returning.”

The authorities have been going after hacking forums for the last couple of years, shutting down and seizing RaidForums, another well-known hacking forum, in 2022. The original BreachForums was launched after the end of RaidForums.

Feds seize notorious and shuttered hacking site BreachForums by Lorenzo Franceschi-Bicchierai originally published on TechCrunch

RaidForums user data leaked online a year after DOJ takedown

A database containing the details of almost half-a-million RaidForums users has leaked online, a year after the U.S. Department of Justice seized the notorious cybercrime forum.

The leaked database was posted on Exposed, described by security researchers as an up-and-coming forum “wanting to fill the void” left by the recent BreachForums shutdown. An Exposed admin, known as “Impotent,” posted the alleged RaidForums user data, which includes the details of 478,000 users, including their usernames, email addresses, hashed passwords and registration dates.

“All of the users that were on raidforums may have been infected,” the admin’s post says. RaidForums had around 550,000 users at the time of its shutdown last year.

The admin added that some users’ details have been removed from the leak, though it’s unclear how many or the reasoning behind this.

The exposed data is already likely in the hands of law enforcement following RaidForums’ seizure by U.S. authorities, but may help security researchers investigating the forum’s historic activity.

RaidForums, which launched in 2015, became one of the world’s largest hacking forums. It was used by cybercriminals primarily to buy and sell stolen databases, including over a million passwords for cryptocurrency wallet service Gatehub and millions of stolen T-Mobile customer accounts. The Lapsus$ hacking group also reportedly used the forum.

The U.S. Department of Justice announced that it had seized RaidForums’ website and infrastructure in April 2022 as part of an international law enforcement operation. RaidForums’ administrator, known as “Omnipotent,” and two of his accomplices were also arrested. Before the forum’s seizure, hundreds of databases of stolen data containing more than 10 billion unique records for individuals had been offered for sale, prosecutors said.

U.S. law enforcement agencies also recently announced that they had arrested a man alleged to be “Pompompurin,” the administrator of the infamous BreachForums, which arrived following RaidForums’ demise and served the same purpose and audience.

Days after the arrest, the cybercrime website’s new administrator announced that they were shutting down the forum for good.

RaidForums user data leaked online a year after DOJ takedown by Carly Page originally published on TechCrunch

US government targets North Korea’s illicit IT workforce with new sanctions

The U.S. government announced new sanctions against North Korea related to its army of illicit IT workers that have fraudulently gained employment to finance the regime’s weapons of mass destruction programs.

North Korea maintains thousands of “highly skilled” IT workers around the world, primarily in China and Russia, which “generate revenue that contributes to its unlawful weapons of mass destruction and ballistic missile programs”, according to an announcement from the U.S. Treasury Department on Tuesday.

These individuals, who in some cases earn upwards of $300,000 a year, deliberately obfuscate their identities, locations, and nationalities using stolen identities and falsified documentation to apply for jobs with employers located in “wealthier countries.” They have secretly worked in various positions and industries, including the fields of “business, health and fitness, social networking, sports, entertainment, and lifestyle,” the announcement read.

While these individuals tend to engage in legitimate IT work unrelated to malicious cyber activity, mainly on cryptocurrency projects, they use virtual currency exchanges and trading platforms to launder illicitly obtained funds back to the DPRK, according to the announcement.

The Treasury on Tuesday announced sanctions against four entities employing “thousands” of North Korean IT workers. One of these is the Pyongyang University of Automation, which the Treasury described as one of North Korea’s “premier cyber instruction institutions.” The institution is said to have been training cybercriminals who go on to work in cyber units tied to the Reconnaissance General Bureau (RGB), the country’s primary intelligence agency.

The Treasury also sanctioned the Technical Reconnaissance Bureau and its 110th Research Center, which lead the DPRK’s development of offensive cyber tactics and tools. The center is also believed to have trained operatives of the notorious Lazarus Group, which was linked to the theft of $625 million in cryptocurrency from Ronin, an Ethereum-based sidechain made for the popular play-to-earn game Axie Infinity.

Sanctions were also announced against the Chinyong Information Technology Cooperation Company and an individual named Kim Sang Man in relation to their IT worker activities.

“Today’s action continues to highlight the DPRK’s extensive illicit cyber and IT worker operations, which finance the regime’s unlawful weapons of mass destruction and ballistic missile programs,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “The United States and our partners remain committed to combatting the DPRK’s illicit revenue generation activities and continued efforts to steal money from financial institutions, virtual currency exchanges, companies, and private individuals around the world.”

The U.S. government also warned earlier last year that North Korean-backed hackers were targeting employees of cryptocurrency companies by sending highly targeted phishing emails that would include a high-paying job offer to try to entice the victim to download a trojanized cryptocurrency application.

US government targets North Korea’s illicit IT workforce with new sanctions by Carly Page originally published on TechCrunch