Cybersecurity researchers have detailed the various steps ransomware attackers take to hide their true identity online and the hosting location of their web server infrastructure.
“Most ransomware operators use hosting providers outside their country of origin (Sweden, Germany, Singapore, etc.) to host their ransomware operations sites,” said Paul Eubanks, a researcher at Cisco Talos. “They use VPS hop-points as proxies to hide their actual location when connecting to the ransomware web infrastructure for remote management tasks.”
The groups have also been observed using the TOR network and DNS proxy registration services to add a further layer of anonymity to their illegal operations.
Last week, however, the cybersecurity company revealed that it had been able to use the attackers’ operational security missteps and other techniques to identify the public IP addresses hosting TOR hidden services operated by the Dark Angels, Snatch, Quantum and Nokoyawa ransomware groups.
While ransomware groups are known to rely on the dark web to hide their illegal activity, from leaking stolen data to negotiating payments with victims, Talos said it was able to identify “public IP addresses hosting the same threat actor infrastructure as those on the dark web.”
“The methods used to identify the public internet IPs involved matching threat actors’ [self-signed] TLS certificate serial numbers and page elements with those indexed on the public internet,” Talos said.
Besides TLS certificate matching, the second method used to uncover the attackers’ clear web infrastructure involved checking the favicons associated with the darknet websites against the public internet using web crawlers such as Shodan.
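Both pivots described above come down to computing a fingerprint of the hidden service and searching for the same value among clearnet hosts. The Python below is an added example, not Talos’ tooling: it implements the favicon hash the way Shodan computes it (MurmurHash3 over the base64 text of the icon file), extracts the serial number from a DER-encoded X.509 certificate so it can be searched as Shodan’s ssl.cert.serial, and matches the two fingerprints against a list of indexed hosts. The certificate stub, favicon bytes and indexed hosts are all constructed for the example (RFC 5737 documentation addresses), and the hidden-service lookups you would run against Shodan or Censys are stubbed out as a list.

```python
import base64


def murmurhash3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 as a signed 32-bit int (identical to the mmh3 package's hash())."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h1 = seed
    body_end = len(data) & ~3
    for i in range(0, body_end, 4):
        k1 = int.from_bytes(data[i:i + 4], "little")
        k1 = (k1 * c1) & 0xFFFFFFFF
        k1 = ((k1 << 15) | (k1 >> 17)) & 0xFFFFFFFF
        k1 = (k1 * c2) & 0xFFFFFFFF
        h1 ^= k1
        h1 = ((h1 << 13) | (h1 >> 19)) & 0xFFFFFFFF
        h1 = (h1 * 5 + 0xE6546B64) & 0xFFFFFFFF
    tail = data[body_end:]
    if tail:  # 1-3 trailing bytes, mixed in without the block rotate/multiply step
        k1 = (int.from_bytes(tail, "little") * c1) & 0xFFFFFFFF
        k1 = ((k1 << 15) | (k1 >> 17)) & 0xFFFFFFFF
        h1 ^= (k1 * c2) & 0xFFFFFFFF
    h1 ^= len(data)
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & 0xFFFFFFFF
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & 0xFFFFFFFF
    h1 ^= h1 >> 16
    return h1 - (1 << 32) if h1 & 0x80000000 else h1


def shodan_favicon_hash(favicon: bytes) -> int:
    """Shodan's http.favicon.hash: MurmurHash3 over the base64 text (with line breaks) of the file."""
    return murmurhash3_32(base64.encodebytes(favicon))


def _der_tlv(buf: bytes, off: int):
    """Read one DER tag/length/value at buf[off]; return (tag, value, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def cert_serial_number(der: bytes) -> str:
    """serialNumber of a DER X.509 certificate as upper-case hex (the form Shodan's ssl.cert.serial uses).
    Layout per RFC 5280: Certificate SEQ -> tbsCertificate SEQ -> optional [0] version -> INTEGER serial."""
    tag, cert_body, _ = _der_tlv(der, 0)
    assert tag == 0x30, "not a SEQUENCE"
    tag, tbs, _ = _der_tlv(cert_body, 0)
    assert tag == 0x30, "tbsCertificate missing"
    tag, value, off = _der_tlv(tbs, 0)
    if tag == 0xA0:  # explicit [0] version present (v2/v3 certs); serial comes next
        tag, value, off = _der_tlv(tbs, off)
    assert tag == 0x02, "serialNumber is not an INTEGER"
    return format(int.from_bytes(value, "big", signed=True), "X")


FINGERPRINT_FIELDS = ("cert_serial", "favicon_hash")


def match_clearnet_hosts(onion_fp: dict, index: list) -> dict:
    """{ip: [matching fields]} for every indexed clearnet host sharing a fingerprint with the onion site."""
    hits = {}
    for host in index:
        matched = [f for f in FINGERPRINT_FIELDS if host.get(f) == onion_fp.get(f)]
        if matched:
            hits[host["ip"]] = matched
    return hits


# ---- Constructed sample data: not real certificates, favicons or hosts ----
def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (short-form lengths only) used to build the certificate stub."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body


# Only the leading fields of a certificate (version [0] and serialNumber): enough for the parser.
FAKE_CERT_DER = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02"))
                                + _der(0x02, bytes.fromhex("00A1B2C3D4E5F60718"))))
FAVICON_A = b"\x00\x00\x01\x00\x01\x00\x10\x10" + bytes(range(64))   # placeholder ICO-like bytes
FAVICON_B = b"\x00\x00\x01\x00\x01\x00\x10\x10" + bytes(range(64, 128))

ONION_FINGERPRINT = {"cert_serial": cert_serial_number(FAKE_CERT_DER),
                     "favicon_hash": shodan_favicon_hash(FAVICON_A)}
# Stand-in for the results of 'ssl.cert.serial:<hex>' and 'http.favicon.hash:<n>' searches.
CLEARNET_INDEX = [
    {"ip": "203.0.113.10", "cert_serial": "A1B2C3D4E5F60718", "favicon_hash": shodan_favicon_hash(FAVICON_A)},
    {"ip": "198.51.100.7", "cert_serial": "0F0E0D0C0B0A", "favicon_hash": shodan_favicon_hash(FAVICON_A)},
    {"ip": "192.0.2.33", "cert_serial": "1234", "favicon_hash": shodan_favicon_hash(FAVICON_B)},
]

if __name__ == "__main__":
    for ip, fields in match_clearnet_hosts(ONION_FINGERPRINT, CLEARNET_INDEX).items():
        print(f"{ip}: same {' and '.join(fields)} as the hidden service")
```

Against a live target, the DER certificate comes from an `ssl`-wrapped socket via `getpeercert(binary_form=True)` with verification disabled (self-signed certificates are the expected case), routed through Tor’s SOCKS proxy for a .onion address. A favicon match on its own is weak evidence, since many sites share stock icons or a common template; a host that matches on both the certificate serial and the favicon, as 203.0.113.10 does in the sample, is the kind of result worth pursuing.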
In the case of Nokoyawa, a new Windows ransomware strain that appeared earlier this year and shares substantial code similarities with Karma, the site hosted on the TOR hidden service was found to harbor a directory traversal flaw that enabled the researchers to access the “/var/log/auth.log” file used to capture user logins.
The findings demonstrate that not only are the criminal actors’ leak sites accessible to any user on the internet, other infrastructure components, including identifying server data, were left exposed, effectively making it possible to obtain the locations from which the ransomware servers were being administered.
Further analysis of successful root user logins revealed that they originated from two IP addresses, 5.230.29[.]12 and 176.119.0[.]195. The former belongs to GHOSTnet GmbH, a hosting provider that offers virtual private server (VPS) services.
“176.119.0[.]195, however, belongs to AS58271, which is listed under the name Tyatkova Oksana Valerievna,” says Eubanks.
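Once the authentication log has been retrieved, the analysis Talos describes above (which root logins succeeded, and from where) is ordinary log parsing. The following Python is an added example and not Talos’ tooling: it picks the “Accepted …” sshd lines out of an auth.log in the Debian/Ubuntu format, ignores failed attempts and non-root accounts, counts successful root logins per source address, and writes the result defanged in the 5.230.29[.]12 style used in the article. The log lines are constructed for the example, and the addresses are RFC 5737 documentation ranges rather than the ones Talos observed.

```python
import re
from collections import Counter

# Constructed sshd lines in the /var/log/auth.log format written by Debian/Ubuntu hosts.
SAMPLE_AUTH_LOG = """\
Jul  1 03:12:44 srv1 sshd[1834]: Failed password for root from 192.0.2.55 port 41022 ssh2
Jul  1 03:12:49 srv1 sshd[1834]: Failed password for root from 192.0.2.55 port 41022 ssh2
Jul  1 03:15:02 srv1 sshd[1901]: Accepted publickey for root from 203.0.113.10 port 52344 ssh2: RSA SHA256:0123456789abcdefghijklmnopqrstuvwxyzABCDEFG
Jul  1 03:15:02 srv1 sshd[1901]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul  1 09:40:17 srv1 sshd[2210]: Accepted password for root from 198.51.100.7 port 60112 ssh2
Jul  1 09:41:03 srv1 sshd[2238]: Accepted password for deploy from 198.51.100.7 port 60120 ssh2
Jul  2 01:05:59 srv1 sshd[3107]: Accepted publickey for root from 203.0.113.10 port 52810 ssh2: RSA SHA256:0123456789abcdefghijklmnopqrstuvwxyzABCDEFG
"""

# Only lines sshd writes for a successful authentication; "Failed password" lines do not match.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)


def successful_logins(log_text: str, user=None):
    """Yield (user, source ip, auth method) for each accepted sshd login, optionally for one account only."""
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m and (user is None or m["user"] == user):
            yield m["user"], m["ip"], m["method"]


def root_login_sources(log_text: str) -> Counter:
    """Number of successful root logins per source address."""
    return Counter(ip for _, ip, _ in successful_logins(log_text, user="root"))


def defang(ip: str) -> str:
    """Write an address as 5.230.29[.]12 so it is not auto-linked when the indicator is shared."""
    head, _, last = ip.rpartition(".")
    return f"{head}[.]{last}" if head else ip


def report(log_text: str) -> list:
    """Defanged summary lines, most active source first."""
    return [f"{defang(ip)}: {n} successful root login{'s' if n != 1 else ''}"
            for ip, n in root_login_sources(log_text).most_common()]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_AUTH_LOG)))
```

The source addresses this yields are the starting point for the ownership lookup the article goes on to describe (WHOIS and ASN data, which tell you whether an address is a hosting provider’s VPS range or something more directly attributable); that lookup is not part of the example.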
LockBit adds a bug bounty program to its improved RaaS operation
The development comes as operators of the emerging Black Basta ransomware have expanded their attack arsenal by using QakBot for initial access and lateral movement, and by exploiting the PrintNightmare vulnerability (CVE-2021-34527) to perform privileged file operations.
In addition, the LockBit ransomware gang last week announced the release of LockBit 3.0 with the message “Make Ransomware Great Again!”, and launched its own bug bounty program that rewards “great ideas” for identifying security flaws and improving its software with payouts of $1,000 to $1 million.
Satnam Narang, senior staff research engineer at Tenable, told The Hacker News:
“The main focus of the bug bounty program is defensive: preventing security researchers and law enforcement agencies from finding bugs in its leak sites and ransomware, identifying ways that members, including the affiliate program boss, could be unmasked, and finding bugs in the messaging software used by the group for internal communications and in the Tor network itself.”
“The threat of being exposed and identified shows that law enforcement efforts are clearly a major concern for groups like LockBit. Finally, the group plans to offer Zcash as a payment option, which, because Zcash is more difficult to track than Bitcoin, makes it harder for researchers to monitor the group’s activities.”
Researchers share techniques to uncover anonymized ransomware sites on the dark web
https://thehackernews.com/2022/07/researchers-share-techniques-to-uncover.html