
Hacking In The Gray Zone

BSides Prague, 40:49, 321 views, published 2025-04
Transcript [en]

Hello. Thank you all for coming, and thank you to the organizers for such a great venue and such a good conference. Today I prepared a talk on hacking in the gray zone. As mentioned, my name is Mara Hensel, and today's talk is a deep dive into the world of infostealer malware. Now, if I say infostealers, can you please raise your hand if you know the software and have already done some research and know the vulnerabilities? I see maybe five, five to ten percent. So I hope this will open a new window into one of the cyber threats.

Now, to all the hackers out there, I'm glad you're here. Who's here? White hat hackers, ethical hackers, please raise your hand. So we got a few. Not very many, though; I was expecting a little bit more. How many gray hat hackers here? Okay, we got some. Thumbs up. So let me proceed. Today I've prepared a few points. First of all I'll talk about myself, and if there's a little bit of room I'll talk about passwords, infostealers and lessons learned.

So who am I? Well, about a year ago I discovered that I'm really a technology anarchist. I met this guy; we grew up in Canada. About a year ago we started discussing. He's a non-IT guy, so outside of my bubble, a lot of things to talk about, a great discussion. And after about 3 hours, I really had to go. So we said goodbye. And then I'm just sitting there, I had the door closed, you know, it was the Marriott toilet. And then I hear him come in and he's talking and he's saying, "Yeah, he's a total technology anarchist." And I'm like, "What? Tech? What? I'm an anarchist?

What does that mean?" Now, I'm an old-fashioned guy, so I still have a dumb phone, so I can check, you know, what does that mean? When I got home, I went to Big Brother Google and Big Brother OpenAI and I checked, and I said, "Damn, I am a technology anarchist." You know, somebody who wants decentralization, individual freedoms, privacy, autonomy, and sharing, passing on skills. The irony in basically this description is that my day-to-day job is to do consulting and to centralize. I mean, with centralization you get the efficiency, you get the economy, you get the control. But decentralizing actually gives you some resilience. It gives diversity, and yes, first you centralize and then you decentralize, because you get better security that way; having everything one way, well, once you break that hardware or get through that software, the door is open.

So if we go to definitions, I really like the definition of a hacker back from the '90s. And during that time, yes, there was some negativity, and in the media a hacker, of course, is the bad guy. But to me, a hacker is somebody who's creative, who's curious, who's obsessive about finding out how the system works. They go, they investigate, they lose time in trying to understand what makes that thing tick.

Now, if we talk about hackers, we of course know the black hats. They don't care about ethics. They're in it for self-profit, for financial gain. These are the bad guys, right? This is who the white hackers fight, who the gray hackers also sometimes fight. Then we have the opposite, the white hats, who follow the law and who are doing things to improve security, who are helping people. And then there are the gray hats, who are somewhere in the middle. Really, I don't believe in a black and white world, right? We're always somewhere in the spectrum of gray, maybe a little lighter or maybe darker. But one thing is ethics, the law. The other thing is really: are you trying to do some good? Are you trying to maybe expose and show what is wrong, what needs to be changed? And as a white hacker, you can't always do that, because you have to follow rules, and then you don't really get too deep inside of what really makes the thing tick.

Now, we don't live only in a gray and white world. We live in a multicolor world. So there are other types of hackers. We have the blue hacker, who's the corporate one. We have the vigilante; he's no Santa, right? This is sort of like your Santa nightmare horror. You know, if you have the red hacker go after you, he can do some damage to you. And then you also have the newbies, the green hats. These are the guys who are script kiddies, who are learning, and only time will tell if they're on the good side or on the bad side. So this is a little bit of an introduction on the background. So

before I go into infostealers, let's have a quick look and discuss passwords.

Now, a few years ago I used to go into the educational system, into schools, and start helping them with their cybersecurity. First I started focusing on hardware and securing the firewall. But later on I discovered that the biggest impact is in educating and in spreading awareness about the cyber world. And one of the things I put together was a little interactive test, where I had a survey and where we discussed passwords. 10 years back I was really thinking about passwords, and what are the main password questions? So, you know, what is the best password to use, and here we have an example, and maybe we can take a quick survey. Out of these three passwords, if you have "scholar" with an at sign, is that better than with an "s" or "sh", or is "milu" the best password? So who says number A is probably the best password? Please raise your hand. Nobody. Number B. Who would say B is okay? We got some hands. Thank you. And number C. Who's number C? Okay. Yeah, we got the special symbol. We have the longest word; to guess the password takes a lot more. I don't like it, because you're not necessarily always at a device with diacritics, right? So you don't necessarily have the special characters.

But really, after getting to know infostealers, I started to ask myself the question: are passwords still relevant? Is a strong password something that we should be going for? Is the advice to have a 16-character password the right thing? I think not. From my perspective, a four-character password is good enough. If you have small letters, big letters, numbers, you have, what, 62 characters. 62 * 62 * 62 * 62 is about 15 million different variations. I mean, that's a pretty strong password. And these tests, you can hack a password in, I don't know, 2 hours if it's only six characters, and it takes you a day if it's seven characters. I think that's sort of nonsense, because this is not a real environment, right? If you have a real environment you have the network delay; after three tries you get cut off. So I mean this is sort of misleading. So anyway, I have this background in passwords. I had my opinions on what is good, how frequently to change, so on and so forth, but I think this all changed after I got to know a little bit more about infostealers. So let's go

and talk a little bit about what infostealers are. So an infostealer is really malicious software, malware, that is intended to steal your information. It takes your passwords, your usernames, it takes your cookies, sessions. What it's really after is to get your financials. So it wants your credit cards, it wants your cryptocurrency wallets; that's what it's after. Getting your passwords or cookies, that's an extra step to get to the finances that they're after. But infostealers take other information too. They for example take a fingerprint of your browser. So when somebody knows your credentials, they also impersonate your browser. This way they can trick the telemetry that you are the user who logged in there, you know, last week or a month before. So they also look at the processes that run on your computer. So when they break into your computer they know what antivirus you're running. So they know what the weaknesses of the malware are. But what is to me, I guess, the scariest part of infostealers is that the data that is stolen is sold on illicit markets and it's spread around. So it's not about one identity stealing it. It's about that identity stealing it and then sending it to the world for your data to be misused.

Now, the infostealer characteristic: it's in part a Trojan, in part it functions as spyware. Now, it's part of the virus family, so the grandma and grandpa used to be the worm viruses, the cousin is ransomware and the Trojan is the sibling, so it's in this, let's say, area of malicious malware. There's a really good web page that gives updates on which malware is currently the most active and taking the sensitive data. And if you look at the actual data, you see that infostealers are hitting the top on, let's say, a 30-day category. So you have infostealers in second place, you have infostealers in fifth place as the most, let's say, aggressive viruses or malware that are being found.

Now, what gets me is that infostealers have come to such maturity that now they're being offered as malware as a service. There is actually a whole ecosystem around infostealers where you have, I guess, four different layers here. You have, let's say, the developers, the bad guys doing the programming of the malware. You have basically the whole system of the virus, and selling, and getting the logs. You have, let's say, actors who are focused on spreading and getting other computers infected, and unfortunately, of course, you have the victims who then have to suffer the consequences of their data being stolen, of having a breach, of having the secondary consequences of being attacked. The part is, I mean, it fulfills the marketplace criteria, because there's continuous innovation in the software, there are special service providers, there are access brokers for deployment, you have special services to parse the data, to do something with the data, and you have customers. And you actually even have some more or less benchmark pricing for different types of information. So for a credit card with a PIN, a clone, you pay maybe $25. To get a monthly subscription to infostealers, you maybe pay $200 to actually have use of that malware.

So the ecosystem even has, let's say, market shares. Here we see the different infostealer malware and what market share they have. All the dark ones, this is malware as a service; only, I guess, two of them are owned by specific threat actors that do not resell it. And to me what gets me is that, for example, LummaC2 is the leader because of its rapid innovation. I love the description in

the cyber threat analysis by Recorded Future, where they actually describe the reasons why LummaC2 is the leader. Yes, on one hand, they're very innovative. On the other hand, their competition got taken down. So they jumped up. What is the market share? Oh, the picture shrunk down. Doesn't matter.

So what are the infection routes? Typically, as you would expect, you of course have phishing and SMS and email campaigns leading, to have you click. About a quarter of the infections happen when you go onto the wrong website and then you have maybe a drive-by download. So this is a situation where you connect to a website, your system has some sort of vulnerability you don't know about, it actually uploads itself without you being aware, and now you're stuck with an infostealer virus. A little bit less is actually some fake software: you download something that's cracked, or something that is of unknown source. So that's underneath. But what scares me is actually the browser extensions, because this is sort of platform and operating system independent. This is really going to your browser, grabbing all your passwords and cookies, which is at about 10 to 15%. And I think this is going to go a lot more up; where we will see the trend in the next years is really the mobile apps. Right now it's still very much under the control of the different stores, Google Play and Apple's, so on and so forth. But I think that one will definitely go up.

Another part of infostealers is actually the deployment infrastructure. Here on the right, or left from your side, we have the targets; once they get infected they communicate with some command and control server. There's typically a bunch of control servers working beside each other, so you don't have, let's say, only one takedown exposure. And this is actually an example from a virus, Predator, where the way it's set up is that all these, let's say, control servers then go into one upstream, let's say, consolidating server. So you already have a little bit of distance from the victim to the black hat. But to go further, they actually use a jump server to give more distance from the actual infection, and then they have another, let's say, jump to where they actually control and collect the data. So the infrastructure in some cases has grown so that it is very complex and sophisticated to actually get to the threat actor.

Now, if we look at the infections from an operating system perspective, then we are looking at about 60% for Windows. This makes sense. You have the biggest user base for Windows. So why develop a virus when nobody is using that specific software? Windows is of course the number one target. We are getting more infections in, for example, Apple products. And this can really happen with one or two, I guess at the start, zero-day viruses. But one virus can really make the statistics go up if it is unfortunately deployed to the market. Again, I expect that the mobile phones, Apple and Android, will go up. And here you really see the difference between, you know, a more open approach to distributing mobile applications and a lot bigger control of what is actually in the shop. I think, if I'm not mistaken, a little while ago the EU ruled that the Apple store will have to let in more competition. So this number will definitely start going up, the less control Apple has of it. And good news for all the Linux users. I

mean, if you use Linux, you're sort of at the bottom of being affected.

So my story with infostealers really began when I met my friend, who has a darknet database where he basically collects stolen, published credentials and puts them into a database. Now, there are some sources. There are your typical LinkedIn and Tinder and all these different leaks that are published, you know, 10 million accounts stolen. But then there's also the infostealer information, which is all consolidated into the database. The thing that gets me when you work with the application is the automation. So it's not only him getting the data and then uploading it to the system. He actually has, for certain sources, the automation already. So it automatically updates. It is basically a zero-maintenance interface, and it keeps loading everything that is being published on the darknet to specific forums. If it is standardized, it loads it into the tool automatically. Now my friend is basically offering this service to companies, monitoring domains, where it's a subscription-based notification type of service. So: be aware, there are some new credentials on the darknet, please double-check and look if it has infected your users.

For me, when I saw the tool, I was really shocked and horrified at what data I saw, and I will go into it a little bit later, but maybe I'll do a quick show of the tool, and please, you can try it yourself. So there's, let's say, a free or published version. It's something like Have I Been Pwned, but to me, especially when you see the administrative console, it's Have I Been Pwned on steroids. Now, any large company domain you'd like to try, and we can see what it shows, and I'll maybe explain what's behind it. So one of the things, and I checked it yesterday, is that because I was checking lawyers, I noticed that datová schránka is pretty critical, and I think this is a good example to show where you have a lot of users and therefore a relatively bigger frequency of infections.

Now, the, let's say, free module has two parts. The first part, this yellow part, this is your LinkedIn, your Tinder breaches. This is, let's say, from my perspective, when you look at it, there are a lot of false positives. I mean, the data has been out for many years and it's been changed many times. But what is a lot more significant is actually the red part, which is the infostealer part. It has three parts. One is if an employee has been affected, which is this part, and because, I expect, it's not a real email, I can't really see anybody typing hensel at mojedatovaschranka, it's pretty long, the domain is pretty long, so we don't have anything here. Then we have the users, so this is when you have some email connecting up to the mojedatovaschranka domain, and here we actually see that in the last day we have about, what is it, 54, yeah, we have 54 leaks, so that means about two leaks of datová schránka happen every day. And here you have an excerpt of what it looks like, so you see some cookies, you see that you have the username, and then you have the password. So this is something you can check yourself. It helps give you an indication of where you stand or where the company stands. In my view, this is also quite useful for supply chain verification, to really see how good their security is. Okay.

So, the Česká advokátní komora database. I thought it's always useful to have a database like this. About a year and a half ago I came across it. I saw how they had their data set, and I really love scraping data off the web. I especially love scraping data when the number is incremental. So the first user is 100, the second user is 101, and it's a very easy loop, where you have either an if or a for loop and basically a wget to get the page. Then after I get the page, I typically have to analyze it and check if I get all the data, all the pages. Then I do a little bit of parsing to make sure I get the data, and it takes a little bit of time to basically extract the data from the pages. But once you have it cleaned, I mean, it's very useful to have nice, good, clean data to work with. So once you have it, you can store it and use it for later. And in this case, I did use it with the infostealers, with the emails.

Just a quick summary. So the Česká advokátní komora, they have all the information: web, email, telephone, where they're located. We have about 22,500 records. Out of that, about 20,000 are lawyers and about 2,500 are assistants, and then later on you can also break it down: you have about 15,000 who are active, and the rest are somehow inactive or already erased. So what I did, I took the database of lawyers, I took the alerts bar tool, and I basically compared them to find out what sort of exposure the lawyers have. So the first one, this is again the big leaks, the LinkedIn ones, and here we have, out of the 15,000, about a third who have a record by their email, and each record has about five lines. So we have about 24,000, let's say, leaked credentials. Then we have a heap. This is a little bit chaotic. It's data that doesn't really have structure. It's gotten from different sources, but at times it actually is more up to date than, let's say, the classical leaks. And of course, the worst is to have the infostealer infection. And out of the 15,000 I found basically 17 that match the record, which is about one out of a

thousand lawyers that have their data leaked.

So what are the results? What did we find when we analyzed it a little bit more in detail? So the first thing I'd like to talk about is the cookies, session IDs and tokens, and having seen the capabilities of cookies, sessions and tokens, I've really been shocked, because it bypasses multifactor authentication. So normally you have the password and then sometimes you have to authenticate. But if you actually take the cookies and session IDs, then you can skip the authentication and basically log in to the last status of that user, because they didn't log out, because maybe the cookie is activated for a month. So I will not go into too much detail, but this section scared me the most, because it is a lot more powerful and a lot more dangerous to have this type of information on the systems, on multifactor authentication. I'd like to say one thing: it works. So do use it. It does have an effect, and it also provides, let's say, a warning system to the victim, because if you have multifactor authentication and suddenly you get some sort of a message, "oh, what is the code," you know, that should be a warning: hey, maybe they got my password to this application, to my banking or whatever, but they probably got information elsewhere; why else would I be getting a code? So I think multifactor authentication, I definitely recommend it. It doesn't solve everything, but it does help with a big part of the system.

One thing to mention is, if you look at the data here, we have one leaked password from LinkedIn, I think it's 12 from the actual infostealers, but we have almost 8,000 cookies. And you can definitely find cookies with which you can log into a system. You also have an expiry date when the cookie is expiring. So you can very easily see: okay, well, this cookie is valid for another 3 months, or this cookie is already deactivated. My main thing is, to developers: think about how long to keep the cookie active. Expire the cookie as soon as possible. There's no need to have a cookie for a week or a month for some applications. It's better to log out the person the next day. This way you actually help and partially solve the cookie problem. So cookies, session IDs, tokens: I think in my case the worst situation. Let's

have a look at the actual username and password. So we had the 12 logins in infostealers. You see where they're logging in. So you have typically your Googles and your Netflix, and wherever; you also see, of course, how good their password hygiene is. So I don't know, this person really likes to use the password "maflon" with variations. You can actually drill down. So this is what was found as far as the login for the lawyer, but you can drill down into the actual device that has been infected and get more information about the user. So if you drill down for the specific user, you suddenly see that they have 90 credentials that were taken; you still see the similar type of password. And here, for example, I just sorted. You can filter and sort it by how many datové schránky they have. And this user, for example, has five datové schránky, and if I look at the password, it more or less looks like most of the datové schránky are controlled by one person, because of the one password. You also have the IP address where the device was when the information was taken away. So you get a lot of data. You can make a pretty good picture about the subject whose credentials have been stolen.

Then if you look, we have another example, again datová schránka; in this case there were only 48 leaks found, but 12 of them were actually datová schránka, that's what, 25% of those leaks. Here you see they have different logins, so probably different persons. But if you're a lawyer, I mean, what does a lawyer do? From my perspective, the lawyer has to make sure he gets proof of delivery. He can efficiently deliver the letters or take the letters over, and datová schránka should provide basic security for your documents. To me, datová schránka is a lot better than email, which is more under control, but not if you have your passwords leaked and not if you don't have two-factor authentication. And for a lawyer, what can happen if somebody accesses your datová schránka? You can be impersonated, you can forge documents, data can be leaked that you don't want to leak, and in the end it's going to be a reputational problem at minimum.

So what about the metadata? If you look at the data set, this is what really shocked me, because you can find out the telephones, birthday, just from the login information; maybe not shown here, you can find out the pet's name by the password; in my view, you can also find out, you know, the type of person: does that person have humor, or is he a straight-up type of person, are they lazy, are they changing the passwords? Here you see everything is basically reused, so not very good password hygiene. And you also get inside information for some corporations. You actually see some of the network behind the firewalls, what they're trying to log into, the LAN addresses.

So what would be the summary of infostealer leaks? Well, you can basically get to any account. It's just a matter of searching. If you look at the typical Google, Microsoft, they have good telemetry. I think that's the first point to note: with the stolen credentials sometimes you can log in, but they basically catch you on the telemetry. Seznam, from my view, if you look at it, I think the telemetry is very poor, and you of course can be hacked by having your LinkedIn account stolen, or maybe you have somebody get into your registrar and mess around with your domain. All bad threats, bad situations. Of course, there's the financial part. So you get login information to PayPals, banks; you even notice some passwords to identity, so on and so forth. So to have this data to steal your identity, to get more insight into who you are, what you do, what your habits are, is only a step away once you are infected with infostealers.

So in summary, what can we take away? We typically have the general recommendations: use multifactor authentication; yes, update your software, use antivirus, avoid downloading from untrusted sources. But I think these are not really the right solutions. For example, the antivirus. Yes, sometimes it catches it, but I think the point here is that there are a lot of infostealers out there that are not caught by the antivirus software. The real recommendations from my side: the first thing is, don't store your passwords in the browser. I know, I understand it's not convenient; or maybe use more browsers, and use the browsers for specific things. So one browser you use only for your most critical login access; don't store anything in there. And for your shopping, whatever you want to buy, where you only shop there once, well, use a browser and you can save those passwords. Why not? I mean, what is going to be there? But always think about what type of data I have in that account, what type of information somebody can find out about me. So don't install add-ons, or minimize what add-ons and apps you install. Log out of your account. So after you're done, start doing the incognito thing and then log out so that the cookie session gets terminated. Also think about how much data to provide. I think a lot of people unnecessarily provide too much data. Why not only provide the minimum? Good thing. Monitor, check the darknet. Check sources like alerts bar or Have I Been Pwned once in a while to see if there has been any exposure. And diversify your passwords in relation to the actual accounts that you use and to the type of application you access. And for the developers, shorten the cookie expiry time or session. Now, to finish it off, what I'm

looking for is really some partnership, collaboration. I've sort of opened the door not too long ago, saw what's behind it, and it really horrified me. And the takeaway is that I would like to work with somebody with whom we can build an app that will basically automatically verify if the target is a false positive or not, and if it is not a false positive, automatically send a message to the victim that they have been compromised, therefore helping them with protecting their data before it gets leaked. Now, the reason for this is one thing that I have found, and that is very troubling: we have big corporates, let's say chess or O2 or bazet pair, and if you look at their data set you see that they have a lot of daily leaks, but they have leaks on their computer; chess vet, they don't care that these users have leaks. But these companies could see which of their customers have been compromised, and it would not be too much effort to actually integrate this service into their SOC, where you have the automation, where you have the verification on their own web page that yes, these credentials are actually active, and therefore then send out an email.

So if this was interesting to you, if this is an area that you're open to exploring with me, let me know. I'll be happy to cooperate with you. And thank you for listening, for your attention, and I hope you enjoyed it and have a great day. Thank you.
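The developer advice in the talk (expire the cookie as soon as possible, log the person out the next day, terminate the session on logout) as an added Python example; this is not code from the talk or from any tool it mentions, and the lifetime values and the `SessionStore` / `compare_policies` names are assumptions made for the example:

```python
"""Server-side session policy following the talk's developer advice: a short
absolute lifetime, an idle timeout and revocation on logout, so that a session
cookie copied by an infostealer stops working quickly. Added example; it is not
code from the talk or from any tool the talk mentions."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Policy values are assumptions chosen for this example, not taken from the talk.
ABSOLUTE_LIFETIME = 24 * 3600   # hard cap: force a fresh login after one day
IDLE_TIMEOUT = 30 * 60          # drop the session after 30 minutes without activity


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """In-memory store keyed by token; a real service would back this with a DB or cache."""

    def __init__(self, absolute: float = ABSOLUTE_LIFETIME, idle: float = IDLE_TIMEOUT):
        self.absolute = absolute
        self.idle = idle
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, now: Optional[float] = None) -> str:
        """Issue an unguessable token; the cookie carries only this token."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a live session, or None; dead sessions are purged."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.created > self.absolute or now - s.last_seen > self.idle:
            del self._sessions[token]
            return None
        s.last_seen = now   # activity extends the idle window but never the absolute cap
        return s.user

    def remaining(self, token: str, now: Optional[float] = None) -> float:
        """Seconds the token stays usable if nobody touches it again (0.0 if already dead)."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return 0.0
        left = min(s.created + self.absolute, s.last_seen + self.idle) - now
        return max(left, 0.0)

    def logout(self, token: str) -> bool:
        """Server-side revocation: afterwards the cookie value is worthless even if copied."""
        return self._sessions.pop(token, None) is not None


def stolen_cookie_still_works(absolute: float, idle: float,
                              stolen_after: float, tried_after: float) -> bool:
    """Simulate a theft: the victim logs in at t=0 and keeps using the site until
    `stolen_after`; the copied cookie is replayed at `tried_after`.
    Returns True when the replay would be accepted by the server."""
    store = SessionStore(absolute, idle)
    token = store.create("victim", now=0.0)
    t = 0.0
    while t + idle / 2 <= stolen_after:     # victim activity keeps the session warm
        t += idle / 2
        store.validate(token, now=t)
    return store.validate(token, now=tried_after) is not None


def compare_policies(stolen_after: float, tried_after: float) -> Dict[str, bool]:
    """Contrast a month-long cookie with the short policy above for one theft timeline."""
    return {
        "month-long cookie": stolen_cookie_still_works(
            30 * 86400, 30 * 86400, stolen_after, tried_after),
        "one-day, 30-min idle": stolen_cookie_still_works(
            ABSOLUTE_LIFETIME, IDLE_TIMEOUT, stolen_after, tried_after),
    }


if __name__ == "__main__":
    # Constructed timeline: cookie copied 2 hours after login, replayed 3 days later.
    print(compare_policies(stolen_after=2 * 3600, tried_after=3 * 86400))
```

A short lifetime only narrows the replay window (a cookie copied minutes ago is still accepted by both policies); the server-side revocation in `logout` is what closes it.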