What are Critical Endpoints — Cybercriminals perspective

Andy C
Oct 25, 2022

Abstract — In this post, we will learn the thought process of a cybercriminal when they attack a company or an enterprise.

Goal

The goal of this post is to help analysts and researchers gain a high-level understanding of the following:

  • The cybercriminals' perspective
  • Mapping critical endpoints to the services that run on them
  • Planning for data exfiltration and bypassing security measures

Before we start, I would like to highlight that this information is first-hand research, primarily derived from learning from and observing discussions and patterns among cybercriminals on multiple communication channels on the Clearnet and on TOR-based forums, instant messaging services and more.

Detailed Analysis

To learn about the cybercriminals' perspective, we will analyze compromised information-stealer logs offered on multiple cybercrime discussion forums and marketplaces.

To give a clear and concise understanding, the analysis is divided into the following sections:

1. Information on Malware Infection

During the course of the analysis, the following observations were made:

  • History and cookies from visits to multiple adult entertainment websites
  • Visits to websites that offer cracks and keygens for premium products.

Therefore, we can make an educated guess that initial access and the information-stealer malware were delivered through one of the aforementioned mediums.

2. Analysis and Inventory of Compromised Assets, including Security and Monitoring Tools

While scouring and mapping the technology stack, threat actors will look for the following endpoints/services in order to achieve complete control or to plan data exfiltration for extortion:

  • Database Servers and Cloud Storage services
  • Billing and Invoice related documents
  • Network-attached storage
  • Remote Monitoring and Management tools
  • Endpoint Management Solutions
  • Mobile Device Management Solutions
  • Virtualization — VMware, vCenter
  • Antivirus or Internet Security suites
  • Employee monitoring or Insider detection tools
  • Cloud Backup solutions
  • Email and Endpoint security
  • Inventory management solutions
  • Sales management and CRM solutions
  • Enterprise network controllers

and more.

3. Security Tools — Inventory and Public Bypass

Once the initial mapping and charting of the aforementioned endpoints is complete, the cybercriminals hunt for bypasses associated with the specific versions in use.

Searching GitHub via the following link — https://github.com/topics/edr-bypass — will give you a brief understanding of implementations and of the publicly available bypass tools and scripts.

4. Data Exfiltration — Profiling and Strategy

Again, following the link — https://github.com/topics/data-exfiltration — will give you complete insight into the data exfiltration strategies used against an enterprise network once lateral movement and access to critical endpoints have been achieved.

Note: In future, we shall publish multiple detailed articles on the following:

- How the majority of initial access offered in cybercriminal markets is sourced through malicious cracks and keygens.
- Common data exfiltration techniques
- Public red-teaming tools for lateral movement

PS — These articles act as a personal journal to document research and as a repository for accessing information whenever required. I am happy to hear suggestions and feedback.

Until then, stay tuned.
