
Hunting the Bug Hunters

BSides Ahmedabad, 29:19, published 2024-05
About this talk
Discover how we exposed millions of compromised devices, revealing credentials harvested directly from hackers' laptops. See the root causes and global impact across bug bounty platforms.

Transcript [en]

Before starting my session, a question: how many of you are familiar with the name Larry Lau? Not you? Larry Lau, yeah, of course. Anyone who has used the cracked Burp Suite version definitely knows who Larry Lau is. So today I'll be speaking about hunting the hunters, a research that I did for one year on the dark web market, through which we were able to identify compromised employees and clients of companies. For today I focused only on the hunting platforms, like who is using HackerOne and whose device is compromised. It's going to be interesting.

Okay, the company that I work for at the moment is Visa, but I also have my own startup, which is called Dark Entry, you see here, and this is the agenda for today. Before Visa I was working at Deloitte managing their team. At the moment I'm managing the cyber security team at Visa in the Netherlands; before that I was managing the cyber security team at Deloitte, and before that I was a triage team member at HackerOne, and some others.

Okay, so the Uber hack, the most famous one. How was Uber hacked? An employee of Uber, on his corporate laptop, the Uber laptop, opens Google Chrome and logs into his Gmail account. Once you do that, Google Chrome will start syncing all your passwords to your Gmail account, so any Uber-related corporate credentials will be sent to your personal Gmail account. Later on, the same employee, from his Android device, was also logged into his Gmail account, so all the passwords from the Android device were also synced to the same Gmail account. That user, on his home laptop, downloaded a cracked game, a game with a key generator, well, a compromised key generator, so his machine got infected, got compromised with a malware. Basically that malware steals all the information from the device, including the passwords stored in the browser, which were also synced to the Gmail account, which eventually means he was able to steal Uber credentials from the personal laptop of the employee. That's the scenario we are trying to explain here, and that's the scenario we are hopefully trying to help the companies avoid.

Okay, when I say a malware stole data from the device, what type of data? I'm going to show some of the files, but we refer to these as log files. Normally speaking, when you talk to someone who works in cyber security, a log is basically some data produced by software, right? But in the info stealers' or the malware term, a log would mean a zip file or a RAR file

that contains all the stolen data. I'm not sure if someone is actually raising the hand, but yeah, a log in the info stealer world means a zip file or a RAR file that contains all the data stolen from a device. So when I say we have 10,000 logs, that means we have data from 10,000 compromised machines or laptops, in that sense.

Okay, when I say data, what do we mean by data? Here is the demonstration that shows (by the way, you see the screen, right? yeah), this is similar to what was actually stolen from the employee of Uber. This is the format of RedLine, one of the most famous info stealers. The way, or the syntax, they name the log file: you see the first couple of letters, EG, stands for the country, Egypt in that case, and the other randomly generated hash here is the hardware ID of the device, and then the infection date, April 23, when this device was compromised using that malware. Here you can see lots of important information, including for example a screenshot of the laptop when it was compromised. This screenshot is not taken by me, it is taken by the malware itself: once the malware infects the machine it takes a screenshot from the machine, from which you can easily tell he was actually browsing that website here, Salo aio.com, and downloading a file called file.7D. Once he downloaded that software he executed it, he got infected, and once he got infected a screenshot was taken from the device. But most importantly, all the passwords of that user were also stolen. So if I double click here, you see this is a text file from the info stealer, exactly what happened with Uber basically. The info stealer is called RedLine in that case, and of course I redacted the usernames, but you can see all the Facebook accounts, for example, all the Gmail accounts, but most importantly it will include also the corporate accounts.

Okay, a good question that I hear most of the time: "we use two-factor authentication". It's useless. Why? Because the machine itself is compromised, so as an attacker who has access to the machine I can just wait for you to authenticate and take the cookies from your browser, which actually happened here; you can see the cookies are here. And then from the cookies you can just reuse the same cookies and you are logged in on behalf of that user. So unfortunately two-factor authentication, mTLS authentication, whatever you name it, is unfortunately useless in that sense, because the machine itself is compromised.

Okay, that's one thing, but also we can tell you up to the level of where the malware actually is on the machine, which helps companies during the investigation, because you don't even have to do incident response in a wide range of activities; you already know where the malware is, which is the one you can see here named file location, and then the exe file. The other important part as well: if we browse through the process list, you can do a quick analysis of how this malware execution happened. I'll scroll a bit down here. Yeah, here for example you see there was an exe file that was executed from the temp folder, and then a chain of executables were executed later on, moved to minor policy, and then later on moved to the temp folder 1 2 3 32 1, which at the end executed the final RedLine info stealer you see here. The previous ones are just loaders, and loaders means it's not the actual malware, it's just a very tiny exe file that would download and execute something else. Okay, so these are the data we can basically access for companies or also employees, if they show any record in our database, which we are going to demonstrate today. Yeah, so how

do we get access to this data? Millions of devices get compromised on a yearly basis. The hackers would have the log files, again, the log files in the term of info stealers, which are zip files containing stolen credentials or stolen files as well. Once the hackers have access to these, they either publish part of it on Telegram, Discord, XSS, dois and those other websites, or they also have their own exclusive markets, or the third case is that they're searching, for example, for some hunters who can help them cash out money. For example, the folder that I showed you in the browser passwords, you saw PayPal or something like this, so they would be asking for help from other hackers: can you cash out money from PayPal? If yes, come help us, you take 40%, we take 60%. So there are multiple ways, but the research we did for nine months is that we tried to identify vulnerabilities in the command and control servers of the top three info stealers. This is why we were able to access exclusive logs that other, I would say, vendors don't have access to, and this is why we called it hunting the hunter, because okay, we wait for the hackers to hack millions of devices, we go hack the hackers' server, take the logs from there, basically. That's what we are going to see now. And of course, because we are the good guys, hopefully, we go and report to the companies who were compromised. For example, because we have access at the moment to 425 million compromised laptops, we can tell Vodafone, for example, whom of the employees at Vodafone got his laptop compromised, whom of the employees at, I don't know, Bank X got compromised, up to the level, as I said, of where the malware is on the machine itself.

Okay, so to demonstrate this here at BSides Ahmedabad, I decided to do the research on the top 10 bug bounty platforms, telling you at the moment

how many users from each platform were compromised, how many of them were employees of the company, how many were researchers, which are still hunters as well on these platforms. Starting with the most famous one, HackerOne. Okay, so this is the number we have right now: 4,837 usernames and passwords that we can use to log in at HackerOne. Think about it: if we use one single account, that one single account could have reported multiple zero days to HackerOne, right? So using these almost 5,000 accounts we can gain access to, I don't know, thousands of reports maybe, which could also contain zero days, right? That's one example, but most importantly, and I have to also say the disclaimer here, this is not HackerOne being compromised; these are the researchers themselves getting their laptops compromised. I have to make that disclaimer very clear. Okay, and the most used password is password@1234, lazy hackers, yeah, which is repeated 63 times. So now you know my password already, yeah, but anyway. So out of these thousands of numbers we have 12 HackerOne employees. By the way, when we filtered this out we removed any domain that's called wearehackerone, because I know this is used for researchers, so when we say it's an employee it is always an email at hackerone.com itself, of course without a plus as well.

Okay, statistics by country: we have more than 1,000 laptops compromised from India, yay. Okay, I'm just kidding, yeah. You see also Egypt is there, so we're good. Okay, and the other countries here, we show the top six countries. On the other hand, we show here the statistics yearly based, starting... we have logs, by the way, from 2016 till the moment, this is why you sometimes see 2018, because we can historically track to the company, we can historically track when the employees, or actually customers as well, were compromised. This is a statistics per year and per month, per month for each company. Next one.

Oh, still India is on the top, nice. Okay, so the total number for Bugcrowd was 719; out of these there were actually three employees. The top info stealer was RedLine. The password, I'm not sure if that's a phone number or not, try to call this guy maybe; it sounds like a familiar name to me. And these are the unique hostnames. When we say unique hostnames (do you recognize the password already? I hope it's not your password), these are the unique hostnames of the company we are targeting at the moment, which is in this case Bugcrowd. Of course you can also see the statistics here by country and month and year as well. I will try to save time, but please feel free to stop me.

Synack, yeah. Synack was actually the most, I would say, fascinating one. Of course you could see multiple subdomains here, like the Synack login, this is the corporate login by the way. Do we have anyone from Synack here? I have been told that we have Synack staff here, but anyway. We see the subdomains or the hostnames that those compromised users can access, and finally Egypt is on the top right now, yay. Okay, most used password: synack@ and then the number. The info stealer that infected most of these machines is Vidar. And why I say it's very fascinating for Synack, well, fascinating if that's the right word, is because we have 21 compromised employees. I thought this might be something wrong; it couldn't be possible that we have 21 employees compromised. This is why I have this screenshot here, which actually proves that most of it was indeed actual employees. So here, this is just one of the tables that we have; of course I cropped the rest of the table, but we have the password, infection date, malware type, everything you can see here. Synack login, the second one in the row, and then the username was something@synack.com, so this is an actual employee trying to log into a corporate domain name for Synack. Of course, when we say a researcher gets compromised then you have access to the reports that he submitted, but when you compromise an actual employee of Synack then you would have access to all the researchers' reports, hopefully, yeah, hopefully not actually, yeah. And then the other websites you see here, these were testing accounts, but still Synack is making a major mistake, I would say, because you could see here, for example, the last one, it's called pentester something, no MFA, so it was intentionally created vulnerable to be a testing account on one of the Synack customers' portals. But this is why, why did I say it's a major mistake? Because for HackerOne, when they do testing, when they have a testing environment, they create a separate domain called wearehackerone. You know when you see a user for wearehackerone, this is not actual HackerOne staff. But here, if you see an email that's at synack, you mostly think it's an employee of Synack.

Okay, Detectify, yeah, it's pretty famous I think, and this is the most used password. Vidar so far; the repeated password is three times, and the number of users compromised 1004, sorry, 114. CES are there, year, month. YesWeHack, and of course again another lazy password, pass@123. Sand, I know this is your password, I told you I'll show your password, yeah. The info stealer that they were mostly infected with is Aura info stealer, and of course the number is 117. It's still a huge number; I mean even if it's like 10 users only, or 10 researchers only, it's still a large number, yeah.

Yogosha, so Yogosha, we have this here, where you could see connect Yogosha, the app, developers Yogosha, Yogosha Christmas, Jordan CTF, but the most important one I would say is the developer Yogosha one, because we have two employees compromised, and if one of them is actually accessing the developer Yogosha, that means you have access mostly to the source code or something of Yogosha in that case. This, I think BugBase is a bug bounty platform in India. Again I have to stress the fact that it's not BugBase being compromised; it's the users who use BugBase that are compromised. Okay, only 24 users in that case. Again I have to stress that all the time, yeah. The most used password is Royal tmen something@123, and actually it was repeated one time, but why we say it's the most reused is because it was the latest result in the record, like the most updated one. Okay, HackenProof, I'm not sure who was talking, yeah, you were talking to me about that, but anyway, so we have also 53 security researchers, mostly infected with RedLine, and the best is Abu 998, that was repeated two times. And again, also by the way, when we say India comes first it is also because of the large number of researchers that are coming from India; it doesn't have to be any harmful description, right? Zerocopter is a Netherlands-based bug bounty platform, and also because it's not that famous they don't have that much of a base of researchers, but still we have 25 records going out from Zerocopter. Intigriti, and the full stack 2020@, that's the most used password of the researchers; we have 3,335, still a large number for Intigriti. By the way, if we have any representative of any of these companies in here, please feel free to reach out. I will be more than happy to share the results we have, the actual results, the actual password we

have. Okay, how are hackers being hacked? In the sense of the cracked software, that was actually one reason why you saw multiple hackers, like for example for HackerOne it was almost 5,000 security researchers getting compromised, right? But how do they get hacked? Of course Larry Lau, Dr. FarFar and those people who publish the cracked software, that's one source. But another source would be, for example, cracked games: if you download a key generator, if you download a cheat engine for a certain game, for example, these are always 100% malicious, always. If you get something for free, you are the product, it's a known fact. Torrent websites as well, mostly for movies, games, again games mostly. Yeah, we talked about the cheat engines, key generators. Fake proofs of concept: I have seen this, for example, the North Korean actors targeting security researchers and developers. They do publish fake PoC, proof of concept, code. When there's a vulnerability they publish an actual exploit for the vulnerability on GitHub, but it's modified. Modified means once you execute that Python code or something, it will connect to the hacker's server, download an exe file, and execute it on your machine. Porn websites, yes, that's the most common reason, hackers, you do always... wow, whatever. Okay.

Tips to stay safe. By the way, when I say tips to stay safe, I still insist that these are only tips, because security is layers, right? You cannot do one thing to secure the whole company. It's defense in depth, this is how they call it; it's layers of security. You add two-factor authentication, you add single sign-on, for example, you create a hard password policy for the users, you train your employees for awareness. It's layers. This is why I call it tips, because it would be impossible to discuss all the ways to secure your employees from such attacks as we explained here, but this is why I decided to only give high-level tips. And the most important part, I would say, is to train your employees. Training your employees or creating an awareness environment would actually allow your employees to be more cautious when they browse websites, and when I say websites, of course I might mean websites like this one, that's part of it, but mostly when they download cracked games. An employee would be thinking like, yeah, that's my personal laptop, I'm free. Yes, you're free, but in the era of the pandemic, like Corona, everyone had VPN access, right? So if his home laptop gets compromised, with him having access to the corporate network through the VPN, that means the hacker would also have the same level of access, although it's a personal computer. But it's actually even more risky. Why? Because on the corporate laptop the company would have a SOC team monitoring 24x7, they have EDR, they have antivirus, data loss prevention, everything. However, on the personal laptop of the employee, the hacker is able to execute any tool he wants, no monitoring, nothing, and he still has access to the network through the VPN, right? So it's actually more risky, I would say. Okay, one good question: why don't you use this data in bug bounty hunting, right? I see it in your eyes, I know, I know. We did. We were able to hack into one of the Facebook employees; we were able to reuse his

credentials at facebook.com, of course, to log into the am.com portal, which was actually, yeah, an employees' portal, a very important one. I wish I could show you the screen, but we have some friends here who work at Facebook, so I cannot show you the screenshot, but anyway. It actually differs how the companies are treating this. When we initially reported this to Facebook, they thought that this is just a leaked username and password online. No, it's not; it's a compromised laptop. You saw the files. This is similar to how Uber was hacked, this is similar to how we had access to the Facebook employee; we actually even had his cookies. So when Facebook told us in a previous response, hey, we have two-factor authentication, we showed them that we have the cookies; we were able to log in reusing the cookies, not even the username and password. So if they say here, as they said, "we were able..." while... "compromised credential", which one? Yes: "following your report we have taken the necessary steps to rotate these". Like, the only change is the password. Think about it: if a malware is running on the machine and you change the password, the malware is still running on the machine, he will still get the new password. So this is where the confusion happened. We are not a service like Have I Been Pwned or something. When LinkedIn got hacked, Have I Been Pwned says, hey, you have an employee who was logged in or registered at LinkedIn and his password was leaked. What should I do? It's LinkedIn, right? But what if I tell you your employee's laptop is compromised? That's a different case. But anyway, Facebook still insisted that they are not paying for this, and this is why they say it's not eligible. However, for another company here, like for example United Airlines: United Airlines liked the idea that we were able to report to them a compromised employee, but they said we have a product in place that does dark web monitoring. Again, all the companies, including Have I Been Pwned, they said we do... sorry, we do dark web monitoring, but this is not dark web monitoring. Anyway, we told them good for you, we are still able to catch this compromised laptop of an employee. Six days later we reported to them two more compromised employees, for which we were able to reuse their credentials to access the flight management system, and that's why they sent us this nice message in yellow here: "we have multiple products and services that alert us when there are United credentials showing up on the dark web or other breaches. You found these credentials before any of those solutions did." So we liked the feedback; this is why we use it also on the screen. For example, for Amazon they paid us $100, yeah. But this one here, we had access to Ford, Ford the car company, I think it's a famous one. This one was a critical one. Why? Because you could see here, using this compromised employee, we were able to... he was a DevOps employee, which means he had access to all the servers of Ford, like literally even the documents of how they do the whole process for DevOps, even for Azure, I think it was mentioned here somewhere, yeah. And this is why they paid for this $5,000, because they consider this as a critical thing. So yeah, you could see the companies are dealing with this differently. Some say, sorry, we don't pay; some others say, good for you, we are going to give you some free miles; some give you $100, some give you 5K. It really depends, right?

Okay, now the question is, what if I work at a company here in India, or I work at a bank or a mobile operator, and I want to know if you have any results or records for my company, are any of my employees compromised? Please go to www.darkentry.net, which is our website, just request the demo. Of course you can search your company here, see if we have a record for it, and then you can request a demo, and we will always be happy to provide you with the data, only if you are able to use an email address at that domain. For example, if you want to see the usernames and passwords of Vodafone employees, then you have to have an email at vodafone.com. That's one thing, but you also must be an authorized person. For example, what if you are a hacker, like CIB, who hacked an email at vodafone.com, and you are coming to ask us for the results, right? This is why we give you a DNS TXT record; we ask you to add that in the domain registrar like GoDaddy or Namecheap or whatever. Once you're able to do this, we are 100% sure you are really an authorized person to see the results, and we'll be more than happy to share them with you. But yeah, please browse the website, check it, also request a demo, you're always welcome. I am done, and these are my contact details, and this is a message that you should not really relate to yourself, hopefully, but yeah, feel free to ask your questions.

Sir? "Which two websites do you recommend for downloading cracked tools?" Cracked tools means cracked software, first. Okay, okay, this is going beyond what I expected. [Laughter] Okay, it's like asking which out of these forbidden things could be halal. It

just doesn't make any sense. Okay, I always say avoid cracked software, because again, if someone is giving you something for free, you are the product. That's what I can say. Sir? "Specifically for Burp Suite Pro, where does that one come from?" Okay, maybe because of the light I'm not able to see who is asking. Sir, here, only? Yes. For Burp Suite Pro you recommend two websites? For what, sorry? Burp Suite Pro, from bw.com, right, or .net, the official website, of course. Dr. FarFar, and you said... By the way, you do not have to download it cracked, because BBU can also, can already, give you three months for free for the professional product. You do not have to use a cracked version or something; you can download the full version for three months for free. "How can we get leaked data like you have?" How can you get what, leaked data? "How can you get the leaked data that you have in your company?" How can you get the same leaked data that I have in my company? Yes. Okay, it's like asking the KFC guy how do you do your recipe, right? Again, like, you keep asking, man. Hello, sir? "Isn't what you are doing, like hacking into laptops without permission, illegal?" Sorry, can you raise your hand? Yes, sir, please. "You are hacking into other people's laptops without permission, so isn't that illegal in some sense?" That's a very good question. So the thing is, when I show a demonstration here of the results we have, for example I said we have 5,000, let me go back to that slide. Yes, HackerOne. When I say for example I have access to 4,837 usernames and passwords of researchers on HackerOne, that sounds scary, right? But did I ever try any single account? The answer is definitely no, because we are doing this fully passively. What we do, as I explained in the other screenshot, is that we monitor the dark web itself, if any of this data was published there, and again, not in the form of username and password, that's lame; we only monitor for compromised devices. So if we identify any device, we archive it into our database, basically, and then it's searchable by the companies. Once you see a username and password, you are the company, please go and verify it. But which ones did we verify? The ones we showed here, the ones that have a bug bounty program. Like for Facebook, yes, we tried to log in with the username and password; we haven't tried to bypass the two-factor authentication. For Ford, yes, I haven't demonstrated the screen here, where we were able to log in to their systems, and actually it was a critical employee, I would say, because he had access to the DevOps portal, yeah. That we tried because the company is allowing us to do this: they have a bug bounty program. If HackerOne, for example, is having a bug bounty program on their own, I would say we are only allowed to test the emails at hackerone.com, but not the researchers' accounts. Thank you, sir. Does that answer your question? Yes, sir, yes. Yeah, maybe another question as well is, when do companies need us? When do you come to me, like, hey, what is it you do? Only if you need to know whom of your employees and clients are compromised, then we can help you. But another scenario is, for example, a company that's called the Cru, that's one of our clients already. Cru was compromised already; they do not use our service, they were hacked. They asked us, can you search the dark web and tell us how we were hacked? That scenario we can definitely do as well. Yes, yes, please go ahead. "Yeah, so actually my question was quite similar to that, because I wanted to know, do we verify the passwords before we report it to the organization, or do we let the organization do it for them? Yeah, because if I'm understanding correctly, I might just have an email ID like something@hackerone.com and a random password; it might not actually be an account." Yeah, so that's still a good question, and the answer is, once you see any record in our database, that means it is 100% valid. Why? Because we only parsed it from the compromised laptop, that's what I'm saying. So if you see a password that we have, that means we parsed it from the passwords text file, which means it was actually stolen from the employee himself. It's not something on a third-party website like Have I Been Pwned or DeHashed or these websites, no, it's something that was actually parsed from the employee's laptop himself. Okay, and if, for example, you are using our service and you see any employee of your company got compromised, we will always provide you with a plain log file like this file you see here, which could also include a screenshot, as I explained, that demonstrates how that user was hacked. It's not only about giving you, hey, like, you have this username and password, no, it's not like this. We tell you the full process; we give you the plain log file, like this is what was actually stolen, including for example, you see, a folder called the credit cards. So it's not just a username and password, no. "Cool, that answers the question, thank you." Okay, I think we are mostly running out of time. If you have any questions, please feel free to ask me after the session. Thank you so much.
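As an added example (not the speaker's code and not Dark Entry's tooling), the per-platform triage the talk walks through in Python: read the device data from each log's name (country code, hardware ID, infection date, as described for the RedLine log), parse a Passwords.txt-style dump, keep only logins for the target platform's domain, drop a designated testing domain such as wearehackerone.com, and count employees (a mailbox at the corporate domain itself, no plus tag) against everything else, plus the slide figures: unique devices, most reused password, top stealer and top country. The log layout and every sample entry are constructed assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample logs (not real stealer output and not Dark Entry's data).
# Each key follows the naming the talk describes: country code, hardware id,
# infection date. The Passwords.txt layout (URL / Username / Password triples)
# is an assumption made for this example.
SAMPLE_LOGS = {
    "IN_9F3A2C7B1D0E_2023-02-11": {"stealer": "RedLine", "passwords": (
        "URL: https://hackerone.com/users/sign_in\n"
        "Username: hunter.one@gmail.com\nPassword: password@1234\n\n"
        "URL: https://www.facebook.com/login\n"
        "Username: hunter.one@gmail.com\nPassword: password@1234\n")},
    "EG_4B8E1A6C2F9D_2023-04-23": {"stealer": "RedLine", "passwords": (
        "URL: https://hackerone.com/users/sign_in\n"
        "Username: triager@hackerone.com\nPassword: Corp-Pa55!\n\n"
        "URL: https://hackerone.com/users/sign_in\n"
        "Username: qa+bot@hackerone.com\nPassword: test123\n")},
    "IN_7C2D9E4F1A3B_2023-06-02": {"stealer": "Vidar", "passwords": (
        "URL: https://hackerone.com/users/sign_in\n"
        "Username: another@gmail.com\nPassword: password@1234\n\n"
        "URL: https://hackerone.com/users/sign_in\n"
        "Username: tester@wearehackerone.com\nPassword: test123\n")},
}

LOG_NAME = re.compile(r"^(?P<country>[A-Z]{2})_(?P<hwid>[0-9A-F]+)_(?P<date>\d{4}-\d{2}-\d{2})$")
CRED_BLOCK = re.compile(r"URL:\s*(?P<url>\S+)\nUsername:\s*(?P<user>\S+)\nPassword:\s*(?P<pw>[^\n]*)")


@dataclass(frozen=True)
class Credential:
    country: str
    hwid: str
    infected: str
    stealer: str
    host: str
    username: str
    password: str


def parse_logs(logs: dict) -> list[Credential]:
    """One Credential per saved login, tagged with the device data from the log name."""
    creds = []
    for name, log in logs.items():
        m = LOG_NAME.match(name)
        if m is None:  # name does not follow the convention; skip it
            continue
        for c in CRED_BLOCK.finditer(log["passwords"]):
            host = (urlparse(c["url"]).hostname or "").lower()
            creds.append(Credential(m["country"], m["hwid"], m["date"],
                                    log["stealer"], host, c["user"].lower(), c["pw"]))
    return creds


def in_scope(host: str, domain: str) -> bool:
    """The saved login is for the platform itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def is_employee(cred: Credential, domain: str) -> bool:
    """Talk's rule: a mailbox at the corporate domain itself, with no '+' tag."""
    local, _, dom = cred.username.rpartition("@")
    return dom == domain and "+" not in local


def summarize(creds, domain: str, excluded_domains=frozenset()) -> dict:
    """Per-platform figures like the talk's slides. Logins whose mailbox is at a
    designated testing domain (e.g. wearehackerone.com) are dropped first."""
    scoped = [c for c in creds if in_scope(c.host, domain)
              and c.username.rpartition("@")[2] not in excluded_domains]
    if not scoped:
        return {"accounts": 0, "employees": 0, "devices": 0, "hosts": []}
    devices = {c.hwid: c for c in scoped}  # one entry per compromised machine
    return {
        "accounts": len(scoped),
        "employees": sum(is_employee(c, domain) for c in scoped),
        "devices": len(devices),
        "top_password": Counter(c.password for c in scoped).most_common(1)[0],
        "top_stealer": Counter(c.stealer for c in devices.values()).most_common(1)[0][0],
        "top_country": Counter(c.country for c in devices.values()).most_common(1)[0][0],
        "hosts": sorted({c.host for c in scoped}),
    }


if __name__ == "__main__":
    report = summarize(parse_logs(SAMPLE_LOGS), "hackerone.com", {"wearehackerone.com"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

Device-level figures (stealer, country) are counted once per hardware ID, matching the talk's "compromised laptops" numbers, while account-level figures count every saved login.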