
It's a lot more involved than just hacking in. We've got infostealers that we're seeing in the hosting industry. So it goes down the track of infostealers and how infostealers play a part in cybersecurity and affect, you know, all businesses. Okay. Who am I? I'm Robbie Abraham. I'm the cyber threat operations lead for a company called Newfold Digital. People don't know that name and that's fine, but you'll know our brands. We own Crazy Domains, Digital Pacific, HostGator, Bluehost, Domain.com, Web.com. Roughly about 400 different brands of ours run the internet, roughly 5 to 10% of the internet. What my title means is, you know, people hear "cyber threat operations". What is that? I get to read reports. I get to play with intelligence and then I take all my reports and go hunting. And being on the cutting edge of the internet is a really fun place to be, because you get to see stuff that normal people won't get to see. We see nation states trying new malware. So it gives us that insight. In my spare time, I do CTFs. I recently competed in the Huntress CTF that was celebrating October for cybersecurity awareness. I'm a massive PC gamer, playing Battlefield 6 at the moment and Arc Raiders. So, if you play those games, reach out. I'm happy to play. And one thing I see in common in IT is not many people get out and touch grass. We're always in the office, right? So this year I decided to take up archery and that's my way of touching grass. And last week I shot my first game at 250, sorry, at 50 m. I got a 237 out of 300. So I was pretty impressed with that for the first time doing that range. Oops. I jumped way ahead.

So, today's talk: again, I'm going to demonstrate how hackers get hold of stolen credentials, and my example is web infostealers. We're going to look at how hackers, and we'll take the role of the hacker, use Burp Suite to validate a credential. We also will automate the process and look at the process of creating an email address for attack purposes, and we'll upload our fictitious phishing site that we're going to attack a business with. So, disclaimer: I'm here in my personal capacity as a threat hunter and researcher. I do not represent my company today, but all my research is done being a threat hunter in my company.

So firstly, let's talk about cPanel. Hands up, who knows what cPanel is? I see a lot of people know it. cPanel has been around since 1996. What we see is cPanel is still the most relevant player in the hosting industry, even though you've got players like AWS, OCI and GCP coming into the mix, but traditional hosting is still being run on cPanel. Roughly 7% of the world's internet still today is running on cPanel. Hands up if you know what LAMP means. Awesome. So the LAMP stack is a traditional hosting platform, which is Linux, Apache, MySQL and PHP. If you look at WordPress, Magento, Joomla, they all run on that platform, and its main competitor in the market still today is Plesk, which is a Windows variant of a hosting platform. Again, it has a significant foothold, but not as big as cPanel.

So hackers are no longer hacking in but logging in. This is a common thing that we're seeing across all industries. What we are noticing is the skill level of a hacker is dropping. If we go back 20 years, I'm 43 in a week and a bit. If I go back to when I was 20, to be an elite hacker, to be able to pull off anything gnarly like Captain Gibson, if everyone knows that reference, you needed to know OS internals, you needed to know networking, you needed to know scripting, you needed to have a lot of experience, and that we're not seeing in today's hackers. What we're seeing is: do you have a credit card? Do you have some crypto? Because there's a lot of hackers out there who are making services to allow you to purchase and do these attacks. So, we are seeing in the hosting industry script kiddies just coming along, buying a kit offline, putting it on someone's shared hosting account and testing it out.

So, I'm not the best with statistics, so I actually wrote these down. The notable hacks over the past 5 years: Colonial Pipeline. The group behind that was DarkSide, which is a Russian-based hacking group. The initial access for them was attacking using an inactive VPN account that they managed to get a stolen credential for. The date that happened was 2021, and the outcome was 75 BTC was paid to gain access back to Colonial Pipeline. So for people who don't remember, that attack shut down the east coast of America and almost created a national incident where Russia and America almost, people would say, went to war, but it did make a massive thing because it did cut off fuel supply to the east coast. We have CNA Financial Group. The group behind this is unknown. The initial access was reported as a fake browser update from a legitimate website. When that browser update was installed, it ran a keylogger, grabbed credentials out of your browser, and we hear this all the time, infostealers, and that's what it did. What they saw was that the credential was stolen and used to log into their network. And the outcome for them was CNA had to pay $40 million in ransom just to get access to their network, because they were locked out. They could not do business. And as you know, especially in the financial sector, if you're not doing business, you're losing money straight away. We have Medibank. Who knows what happened to Medibank? Hands up. So Medibank got hacked a couple of years ago. It's all over the news. REvil again, another Russian one. You'll see there's a very common theme here. Russia likes hacking western companies, but not eastern companies. They logged in, again, with a stolen credential bought on a brokerage site, and the account they logged into was an account that did not have MFA on it. They got into the email account and they started looking at what they could do. They started sending out additional emails and started phishing data. Australia has very strong guidelines on not paying ransom, and Medibank stayed by that. What REvil did, or Evil, however you want to say it, was start releasing data. They started with something very easy: let's say who has alcohol dependencies, let's put that out there. No, let's get a little bit more CDI: who has had an abortion, to the point that the last thing they dropped was to try and push that money. And all they were asking was $10 million, and their argument, and this did not get publicized, I actually read the emails because I actually had access to the breaches, was they asked for $1 per customer. So you can imagine if the media got hold of that, a normal person would go, my data is only worth $1, why don't you just pay? I'll pay you the dollar, I don't want my data released. The last thing they released was HIV patients who are positive, and it's something that no one wants out there. And finally, Uber. Uber's initial access was social engineering that caused an engineer to accept an MFA token. Hands up, who knows what MFA bombing is? It's the effect of sending multiple MFA requests to the point where you're overloaded and you're like, just shut up, and they accepted that, right? And what that did for them: they got access. Now, Uber was smart. They came out and said publicly no data was stolen. Again, no one also came out and said, hey, we got Uber's data. So who's telling the truth?

Okay, so some statistics. This is taken from Flashpoint's report. One in five breaches are related to stolen credentials. Another statistic they gave us was 32 billion credentials were compromised in 2024 alone. We're seeing an increase of that happening over and over, and this is going to increase 10 times over the next couple of years. And you will see, like I said, a surge of 160% since last year. And finally, 75% of stolen credentials came from infostealers. Woohoo, makes my talk relevant.

The risks and impacts of stolen credentials. So, long dwell time on resetting passwords. The average for a password being detected was 90 days, and that's going to get quicker. But what we are seeing in the market is, if you're not monitoring for your own passwords or your own access, how are you going to find out? Is someone going to go, "Hey, did you get hacked? Oh, I found your email"? I don't think so, you know. So, be proactive on, like, using Have I Been Pwned, you know, using other threat intelligence out there, scanning your email addresses looking for that stuff. The other thing is, with infostealers, people are not actually publicizing these all the way to the dark web, sorry, to those sites, because there's just so much data. And we'll dive into a screenshot of what it looks like. Undetected access. If you caught Adam Cass's talk earlier talking about home proxies, we are seeing this day in, day out. What hackers will do, and again, in the next slides you'll see there is a file that says user information. Infostealers are collecting your location, to the pinpoint of the city you're in. So hands up, who knows what geofencing is? So the idea of geofencing is, when you log in, you are expected to be in a certain location. So let's say I log in from Sydney, then all of a sudden I jump on a VPN and log in from Singapore. How can I travel from Sydney to Singapore in 2 seconds? Can't. So geofencing, the idea is, you know, you're staying within it. So hackers know this, and what they'll do is they'll use home proxies to mimic your behavior. They'll log in so it becomes undetected. It just looks like you logging in, and you know how many times you use your mobile phone: you jump on, you're at work, you jump on your home Wi-Fi, your work Wi-Fi, you leave, you want to do some more work, you're on the train, so you connect to your mobile hotspot, you're working on a big project, you're at home, you have to jump back onto Wi-Fi. So you've just done three IP changes. You've gone from your office to your mobile phone, now to your home. So geofencing would look at that and go, "Well, it's all in the same location, so it's fine." So a threat actor: I see Robbie's in Sydney, I'm going to use a home proxy in Sydney and hopefully nothing gets picked up. And again, weaponizing of stolen credentials, and that's what today's talk is about.

So infostealers, or credential stealers, are the new hacker's gold mine. Like I said, the skill level is dropping. You just need to pay a small fee to get access to these logs. And as long as you know how to kind of code a little bit, you can start writing your own parser and start looking for certain credentials. Like in this, this is from Daisy logs, and as you can see we have passwords, we have computer info, like I said, tracking where you are, Outlook accounts, Outlook cookies, so you don't even need a username and password. You've already authenticated, you're in Sydney, I just take your cookie, use a home proxy, log into your account. And again, your passwords and crypto wallet. Lumma Stealer is known for taking screenshots. So what they're trying to do is get you in compromising situations. So let's say you're at home, you get dressed, then I can blackmail you, because I've got a photo of you, you know, in a compromising position. Again, it takes all your files, too. It downloads your files, stores them on the web, and all your text documents. So, let's say you're working on a very important project and you're a law firm and you're doing it from home, and all of a sudden I get that file and I see that there's crypto addresses in there, because it's a crypto scam that's happened. I'm going to log in and steal all that crypto before you even know, right? And this is the type of stuff we have seen in the industry.

So, how credentials are being created: what we're seeing is Telegram is still one of the main sites, and the example I've got up here, screenshots are terrible, I'm sorry, Fociety hands out free cPanel usernames and passwords. Breach Forums used to be a really popular site, but now Breach Forums doesn't exist, thanks to the FBI. And what we are seeing is another website called leapbase.la, LA, which is a surface web website run out of Russia. Very big disclaimer on the site: do not post anything that is Russian. Like I said earlier, Russians are all happy about hacking the western countries, leave eastern alone. So we are seeing that, and in my example, I wish it was a little bit better, but as you can see: 150 cPanel, more cPanel, MX logs, cPanel logs, and these are, some of you don't need to pay a subscription, you just log in and download them, right? Sometimes they claim to be vetted, sometimes they are not. So today I've set up a VPS. These are legitimate credentials, by the way. These are my credentials, so yes, bad opsec for me, but I'm just going to give you an example of how the data is being shared on the dark web, right? Can anyone see a kind of common theme? It's all about cats, right? So yes, simply the domain name, cPanel, or sometimes you'll use port 2083, and then a username and password.

So we'll go into the first step: validating your credential. That's terrible. It looked good on my computer. Okay. So what we're trying to do, with Burp Suite, we're going to try and attempt to log in. So we're taking a credential and you're assuming it's good, right? So we open up Burp Suite, which is a proxy tool that allows us to interact and enter and collect that data. We hit the endpoint, being login?login_only=1, and the username and password is in plain text. Again, when it's sent over the wire it's encrypted, but because you're using a proxy, you're intercepting on your computer, so it's unencrypted, so you can see how the data looks, and this is going to help us when we start scripting our program. So there we go. Awesome, that's better, you can see that. Okay, so we successfully logged in. Woohoo. What we are seeing is we are getting the cpsess security token, which is a session token, and we also, out of the cookies, pull out our session cookie. It's very important. cPanel operates in a certain way where there are two keys to turn, like, you know, a nuclear submarine. You have to turn both of them to make it work. You need both to access any endpoint. If you don't have them, you just fail. And we'll go through examples of how we implement this. So, taking the cpsess token and the cookie, we can start interacting with the website and with cPanel.

So, now let's script it. Awesome. And that's a good screenshot. It looks good. Okay. So, what we're going to do, this is written in Python. Who knows Python? Who knows a bit of Python? Awesome. So, I'm not going to lose people. Great. We import our libraries. We're using requests. The reason why we use requests is it allows us to interact with the web browser. What's really interesting is we use JSON, because again we need to send data, and the data that cPanel expects is in JSON form. We're also going to use CSV, because later on we're going to read our database of our stolen credentials. urllib to do our D. We have random because we're generating a password, and again we import string, right, because we're the threat actor, because we're taking on the threat actor's behavior. Now we have our phishing payload that we set up, called phish.zip. We want to create an email address called tech support, because again we're going to launch a phishing attack against our bank, Feline Bank, another cat reference. And so we want "tech support", right? People are not going to pay attention to the email address sometimes. Our phish name is Feline Bank and the index file. So I set up a small random definition, and the reason why is to just generate a new password every time I read it. I don't need to reuse that big chunk of code. I can just call the definition. And in this case I set the username, password, domain and user agent. Okay, for the Python developers, why are we setting a user agent? Who's used requests before? Hands up. So if you use requests, when it gets triggered it shows up as python-requests. So as a blue teamer, you're looking for anything that says python-requests, and you know it's a bot or it's a script and you can go, no, not allowing my file. So we change the user agent to hide our persistence. So we start running our web request. Again, we're setting our user agent so we can spoof the user agent. We're sending our payload. Like I said, we're using JSON and we send the user and the password as user and password, and we're simply doing a POST request here, and we're calling the endpoint, like we said earlier, which is login?login_only=1. We need to set our headers, we need to send our data payload, and we set SSL verification. The reason why we skip verifying the SSL is you don't want your script to fail if their SSL has expired, because if that happens then it might be good credentials and you don't hack that account. So we skip validating the SSL. What's, sorry, I saw a screenshot, but you see the same data that we got from Burp Suite. So you know that we're logging in through our script.

Now we're building our authentication, right? So we kind of start cutting around the data here. As you can see, we call json to import the data from the response and then we start carving it out. So we are getting the security token out of the JSON, and again we're taking out the cpsess cookies. Right? For simplicity's sake, and I've done this for all the steps, I printed out the outcome so you can see what we're getting. So again, we get our cpsess ID and we get our cookie with cpsess=. So now, like I said, we want to automate this. Now we know we can log in. So how do we take a single login and loop it? So what we're going to do is use open and import our CSV. So we read credentials, you know, creds, and we open up a CSV reader and we start reading the rows, right? So simply domain, username and password, and we start passing that data. So, configuring our endpoints and building our authorized URL. Has it come up? There we go. We still do a bit more splitting because we need to cut out the cpsess cookie and replace the semicolon with a blank space. And again we do a split on the equals. The reason why is we need to convert that cpsess and the session cookie into a JSON format, and the easy way is to just split it. There's probably other ways to do it, but for me, this is the way I like doing it. And again, as you can see, we call cpsess and then we call the token. The authorized URL is simply the cPanel URL, so the URL plus the security token that we collected. And now for simplicity's sake we set up some endpoints, and we've got add pop to add our email address, we've got deploy phish and we've got persistence. Right. So again, we're going to create our email address, because that's what we want to do, and we're going to upload our zip file to extract on that server, and again we need to create a token, and we'll go through that when I come to that slide.

So building our mailbox payload: it's very straightforward, very similar to what we did. We start stripping array elements like the port or the /cpanel, and we take out the https. What we want is just the domain name itself, and so we get the domain name. Again, the function we set up earlier, I call random gen to get the password, and we do email address, domain, email password, quota and send welcome email. We set it to zero. There's no use in us sending a welcome email to an email that we're setting up for phishing. So, we turn that off. And when we run the script, one thing you're going to notice in the POST request compared to the first POST request: we're now including cookies, because that cookie we had, if we don't include it, it's going to tell us we're unauthorized. Remember the two keys? So, this is our way that we implement the two-key turn. So we call our cookies and headers with the data, and printing the response, we get told, hey, they replace the @ with a +, but tech support at fast and the furry, and there were no errors, and now you've got an email address set up.

So setting up the phishing payload is very similar. I put a time sleep in there. For Python developers, why am I doing that? Yeah. And again, if you're looking at quick POST requests, you can tell it's a bot. If I spread them out every 1 minute, especially on a shared server, I'm going to blend in with additional traffic. So, just for simplicity's sake, I used 2 seconds. public_html in cPanel is your normal place where you store all your files. So, we set that as our path. We call our path and we set overwrite to be one. The reason why we do that is, let's say we hack a site and then it gets taken down. Our phishing page stays up, but Feline Bank updated their login portal. We want to stay relevant. So we make a new phishing page and we launch it again. So we're going to overwrite our old phishing page to upload the new phishing page. Again, we call our endpoint and we read a binary file. So we read the zip as a binary, and that's the easiest way for us to transmit it over the web, and we do a response, and the data we get told, and it's a very long string so I had to cut it in half, is we get told it's been uploaded, there's no errors and that it succeeded to upload our zip. So our zip's there. Now the next step is to extract our zip. So cPanel, when I was writing this, I'm like, how can I do this? cPanel does not seem to have a web interface that allows me to do this. I was trying to replicate the same way I do it as a real person and it wouldn't work, and so as a good researcher you dive down into the documentation, and I realized the JSON API is the way that we're going to do it. So we use the JSON API, we call Fileman and the file operation. We set filelist to one, multiform to one, the operation is extract, the metadata is undefined. Again, I do understand why they want metadata, but I guess if you're uploading legitimate files, especially if you're doing it automated, you probably want to add some metadata to say why you uploaded the file, but in our case we don't. The source files is our path and our payload, and the destination is ./. So for Linux, that's going to be the directory we're in. And as you recall, we set public_html as our default directory.

So now this gets us to building up persistence. So, hypothetically, I hacked your server. What's the first thing you've got to do? Rotate a password, right? First thing is you notice there's a phishing page, I'm going to go, well, clearly, delete files and rotate your password, right? So what we are seeing in the industry is people are now creating API tokens in cPanel. Not many people know about this. I only discovered this this year through another investigation, where we saw a botnet coming in and we'd change the password and they're still operating the botnet. I'm like, how are they doing this? And we realized they're actually calling the API, and the API was just a four-digit code, a name, and it's very simple. All we have to do is call the endpoint and say the name is going to be whatever we want. So for simplicity I said test. Again, we send it off, send the cookies, and when we print it out we get our token. So in my script, if I was to change it, I can say, okay, does the login work? No, let's try the API key. If it works, I can redeploy my phishing and my script.

And now we execute the script. So, ideally, I wrote it so it had a nice little display that prints out what's going on so people can understand. As you can see, we've logged in successfully. It tells us the domain we logged into. We've created our email address. We've set up our phishing campaign for Feline Bank, and now we have our API token. What we can do is extract that into our CSV and then we launch further attacks. So, you know, okay, so we set up tech support so we can do tech support scams: hey, you know, your company... or we could do sales: hey, we updated our credit card, you know, start paying bills into this account now, to all the vendors. So that's what we do here.

And now, how do you detect this behavior? cPanel is really good at logging everything, right, but you need to be admin. You can't access this without admin permissions. Come on, slide. There we go. The cPanel access logs under /usr/local/cpanel are going to be your friend as a blue teamer. What that's going to give you is all the access logs of everything that happens to cPanel: all your logins, all your successes, and all the behavior. And right now, as you can see on the screen, it's only POST requests. And that is naughty. You see that, you should scream and go, reset that password. That account's been compromised. It's a bot. But people might go, but it's a legitimate user. So why would you think that's a bot, even using a legitimate user agent? Because it's only POST requests. A normal user would have a lot of GET requests. And I'll show you a screenshot now of what a normal user would look like that's doing the same communication. So, it's too quick for the slide. Yeah, there's a lot of GET requests. As you can see, same behavior, but a lot more traffic. Who knows what a false flag is? Have you heard of false flags? So as a malicious actor, what we want to do is, if you look at a lot of these resources, they are calling just a random resource in cPanel. So we can start adding these into our scripts, giving false flags that, hey, we are a legitimate user, and hide it within our POST requests again. So when you start searching the username, even if we've done it over a 5 hour period to do our whole attack, all you need to do is just do a grep against the username and we'll have all that POST request and then go. So by adding false flags as a threat actor, I know I shouldn't be telling you this, but adding false flags as a threat actor, you're going to stay undetected. And we do see this being used in code. By the way, all these examples I'm giving you, I've seen in different types of attacks on our platform. We've seen people setting up email addresses. We have developed internal tools to track all this now and look at behavior, and do behavioral detections on this type of behavior.

So we're coming to the end of my talk. How can we protect ourselves from infostealers? Antivirus. Infostealers are now being picked up by a lot of antiviruses. What we're seeing is, with the advent of AI, everyone loves AI, malware is being refactored within 12 hours. If you went back 5 years ago, not even 5 years ago, two years ago, for a ransomware vendor to write new ransomware, it was 5 to seven days. We are seeing now ransomware being refactored every 12 hours. With AI getting quicker and more intelligent, we're going to see that changing very quickly, and especially with quantum computers, we need to stay ahead of the game and we need to build on that as the threat actors are doing, because they're doing it before us. Again, good password hygiene. I'm doing a talk tomorrow on threat hunting and I got into a discussion with my colleagues about good password hygiene, and the question that came up is, if you have a password reset every 30 days, what are the odds your users are going to go fluffy dog number one, next month fluffy dog number two, number three, number four, right? So what you need to do, especially in orgs, is have it set up with a rule that you can't use similar words. It has to be changed. Again, enforce using passphrases, not passwords. Hands up, who knows what a passphrase is? Awesome. Passphrase: simply four or five different words that have some meaning to you that you can string together. It makes it very hard for hackers to brute force, while your standard 8 to 16 bit passwords can be cracked these days. Two-factor authentication or multi-factor authentication: I recommend installing it everywhere. Again, with cPanel, you can do the same thing, and we kind of do that in certain areas. What it does is, if you try to do this exact attack, it's not going to work. It's not going to work at all. And a password manager. Yes, a lot of password managers like LastPass, and you know a lot of them have been hacked over time, but I think, and this is a very kind of controversial comment, when a password company gets hacked, they know they really screwed the pooch, because who's going to trust them? So what we're seeing now is they are spending more money on building a better project, right? So I still use LastPass myself. I'm happy to admit that, even though they've been compromised twice, because I've had talks with the developers and they've outlined all the changes they made, and if you look at what they've done 5 years ago to what they've done now, their R&D has increased like 10-fold, because they know what's happened to them and they are trying to build that reputation back. And that is my pretty face and my QR code. Thank you for listening to me talk. Does anyone have questions?
Yes.
>> So, what about your recommendations to protect the cPanel service?
>> Two-factor authentication. Like I said, if you enable two-factor on every cPanel account, my attack won't work, because it's going to ask you to reauthenticate yourself. Again, making sure you have AV. There is a lot of AV for Linux now and you can install that, which can kind of pick this up, and again, looking at behavior, doing weekly spot checks of your logs, looking for python-requests, looking for behavior, looking for users who are only doing POST requests, because that's going to potentially show that behavior. Yes,
>> Sorry, that's all the time we have.
>> We could talk outside. Apologies.
>> Can we have a huge round of applause?
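The two log checks the speaker recommends for cPanel access logs, an account that only ever sends POST requests and a user agent that still reads python-requests, written up as a defender-side script. This is an added example, not code from the talk, from Newfold Digital or from cPanel: it assumes an Apache combined-style line layout with the cPanel username in the third field (extra trailing fields in a real access_log are ignored), and the log lines it reads are constructed for the example, not a real capture.

```python
import re
from collections import defaultdict

# Assumed line layout (combined-log style; a real cPanel access_log may carry
# extra trailing fields, which this regex simply does not anchor against):
#   ip - user [timestamp] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/130.0"
SCRIPT_UA = "python-requests/2.32.3"  # default UA the requests library sends

# Constructed sample log (not a real capture). alice shows the pattern the talk
# calls out: a browser-looking UA but nothing except POSTs. bob is an ordinary
# interactive user, carol never changed the requests UA, eve has too few
# requests to judge either way.
SAMPLE_LOG = "\n".join([
    f'203.0.113.10 - alice [01/Nov/2025:09:00:01 +1100] "POST /login/?login_only=1 HTTP/1.1" 200 512 "-" "{BROWSER_UA}"',
    f'203.0.113.10 - alice [01/Nov/2025:09:00:03 +1100] "POST /cpsess0000000001/execute/Email/add_pop HTTP/1.1" 200 300 "-" "{BROWSER_UA}"',
    f'203.0.113.10 - alice [01/Nov/2025:09:00:05 +1100] "POST /cpsess0000000001/execute/Fileman/upload_files HTTP/1.1" 200 640 "-" "{BROWSER_UA}"',
    f'203.0.113.10 - alice [01/Nov/2025:09:00:07 +1100] "POST /cpsess0000000001/execute/Tokens/create_full_access HTTP/1.1" 200 210 "-" "{BROWSER_UA}"',
    f'198.51.100.7 - bob [01/Nov/2025:09:10:00 +1100] "GET /login/ HTTP/1.1" 200 4096 "-" "{BROWSER_UA}"',
    f'198.51.100.7 - bob [01/Nov/2025:09:10:02 +1100] "POST /login/?login_only=1 HTTP/1.1" 200 512 "-" "{BROWSER_UA}"',
    f'198.51.100.7 - bob [01/Nov/2025:09:10:04 +1100] "GET /cpsess0000000002/frontend/jupiter/index.html HTTP/1.1" 200 30000 "-" "{BROWSER_UA}"',
    f'198.51.100.7 - bob [01/Nov/2025:09:10:05 +1100] "GET /cpsess0000000002/frontend/jupiter/mail/index.html HTTP/1.1" 200 12000 "-" "{BROWSER_UA}"',
    f'192.0.2.44 - carol [01/Nov/2025:09:20:00 +1100] "GET /login/ HTTP/1.1" 200 4096 "-" "{SCRIPT_UA}"',
    f'192.0.2.44 - carol [01/Nov/2025:09:20:01 +1100] "POST /login/?login_only=1 HTTP/1.1" 200 512 "-" "{SCRIPT_UA}"',
    f'203.0.113.99 - eve [01/Nov/2025:09:30:00 +1100] "POST /login/?login_only=1 HTTP/1.1" 401 128 "-" "{BROWSER_UA}"',
])


def parse_log(text):
    """Return one dict per line that matches the assumed layout; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def summarize_by_user(entries):
    """Per cPanel user: method counts plus the set of UAs and source IPs seen."""
    stats = defaultdict(lambda: {"GET": 0, "POST": 0, "other": 0,
                                 "uas": set(), "ips": set()})
    for e in entries:
        s = stats[e["user"]]
        key = e["method"] if e["method"] in ("GET", "POST") else "other"
        s[key] += 1
        s["uas"].add(e["ua"])
        s["ips"].add(e["ip"])
    return stats


def find_suspicious(entries, min_requests=3):
    """Map user -> list of reasons. A user is flagged when every request is a
    POST (an interactive cPanel session always fetches pages with GET) or when
    any request carried the stock python-requests user agent."""
    findings = {}
    for user, s in summarize_by_user(entries).items():
        reasons = []
        total = s["GET"] + s["POST"] + s["other"]
        if total >= min_requests and s["GET"] == 0 and s["POST"] > 0:
            reasons.append("post_only")
        if any("python-requests" in ua.lower() for ua in s["uas"]):
            reasons.append("scripted_user_agent")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in find_suspicious(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {', '.join(reasons)}  -> reset password, review mailboxes and API tokens")
```

The min_requests floor is there so a single failed login does not trip the POST-only rule; tune it against your own baseline of interactive sessions, and remember the speaker's caveat that an attacker who sprinkles GETs for random resources into the script will defeat the ratio check, so the UA and POST-only rules are a starting point rather than the whole detection.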