When Cybercriminals Goof - OPSEC Oopsies and Epic Falls.pdf

ID: 185938 | PDF | 24 pages | 2.35 MB

When Cybercriminals Goof: OPSEC Oopsies and Epic Falls

Will Thomas
FOR589 Co-author and Instructor, SANS Institute
CTI Researcher & Threat Hunter, Equinix
Co-founder, Curated Intelligence

$ whoami

- Spent 8 Years in Cybersecurity
- Passionate about Cybercrime
- Security Research blog: https:/
- Often read about the darknet, malware, ransomware, and other cybercriminals
- Always curious to learn about how we can stop them
- Loves to help Law Enforcement

Operational Security (OPSEC)

Someone with great OPSEC usually
- Who likes to do it like it's their hobby
- Who must do it for their safety

Many people like to balance keeping their data and systems secure while also maintaining a convenient life.

OPSEC for all

- Using a password manager
- Using multi-factor security (MFA) apps or tokens
- Keeping systems updated with the latest patches
- Using antivirus software and built-in OS security
- Avoid oversharing on social media, set your accounts to private
- Being aware of scams, watch out for phishing links or attachments and malicious websites

https:/

the Extra Mile

Bad OPSEC leads to Arrests

Pizza Boxes

UK OSINT

- Piccadilly line
- London Overground
- Elizabeth line
- The DLR

The London Underground's Seat Covers: Look for them in your target's pictures

Each pub's carpets are unique: Look for the unique patterns of the carpets in their pictures

What you may expect: Cybercriminal OPSEC

- Online Fake Personas and Stolen Identities
- Using privacy-focused Linux distributions (like TAILS, Whonix)
- Using an encrypted messaging app (like TOX)
- Burner Phones / Burner Laptops
- No-Log VPNs
- Cryptocurrency

Deanonymization Bounties

Unleash The Door Kickers

HOW YOU CAN DO IT

Silk Road Admin Arrested

How "Dread Pirate Roberts" was uncovered:
- Forum Post: His account was the first to post a link advertising Silk Road
- Leaked Email Address: The same forum account posted his email address:

AlphaBay Admin Arrested

How Alexander "Alpha02" Cazes was uncovered:
- Leaked Email Address: His personal email address pimp_alex_ was in the welcome message of AlphaBay
- Data Contamination: His personal email was used for many forums and social media

Alpha02's forum signature: “,” ("Be safe, brothers" in Russian)

Raccoon Stealer Arrested

How Mark "Photix" Sokolovsky was uncovered:
- Leaked Email Address: He used a Gmail address in a forum post that was connected to his iCloud
- iCloud Account Access: Law Enforcement requested access to his iCloud and could track his location
- Bonus: His girlfriend was sharing their trip to the Netherlands on Instagram

NetWalker Affiliate Arrested

How Sebastien Vachon was uncovered:
- Lack of VPN: An IP address that logged into a server used for a NetWalker attack also accessed a Gmail account
- Data Contamination: Gmail account ordered a free Google Home Mini to Vachon's real home address

Sebastien Vachon was also a former Canadian government employee turned ransomware cybercriminal.
719 Bitcoin (worth $28m USD) and $790,000 in Canadian dollars, and 20 Terabytes of stolen victim data were seized from him.

LockBit Affiliate Arrested

How Ruslan "OFFTITAN" Astamirov was uncovered:
- Data Leak: LockBit's RaaS affiliate panel was disclosed and the "OFFTITAN" username was made public
- Username Reuse: An Exploit.in member shared the Jabber handle that included "OFFTITAN" in the name
- Data Contamination: Other forum profiles with the username "OFFTITAN" used a mail.ru address that was in multiple data leaks with his name

LockBit Affiliate

- offtitanthesecure.biz
- A user called "OFFTITAN0" on another Forum
- Email: 95_pesok1_95mail.ru
- This email is also in the CDEK data breach with the name "" (Ruslan Astamirov)

Credit and Thanks go to certain members of Curated Intel for this research!

INFOSTEALER LOGS

What are Infostealer Logs?

- Infostealer malware steals sensitive user information such as login credentials and often spreads via malspam, malvertising, and cracked software sites
- Infostealer logs often end up on dark web sources where cybercriminals can browse and purchase them, and can do so in bulk
- They target web browser autofill data, which includes usernames, IP addresses, and system information as well as addresses, phone numbers, and more!

Child Predators Identified

- The infostealer logs revealed their name and home address
- A convicted child predator was infected by infostealers
- Queried for known CSAM sites in infostealer logs
- Around 3,300 users were found and shared with law enforcement
- Recorded Future analyzed infostealer logs to identify CSAM consumers

Common OPSEC Mistakes

| Mistakes | Arrests |
| --- | --- |
| Leaving their social media profiles wide open | Alpha02, Raccoon |
| Cross contamination between personal accounts & attacker infrastructure | NetWalker |
| Appearing in data breaches and reusing handles | LockBit Affiliate |
| Their partners, families, and friends share pictures of them | Raccoon |
| Forget to turn their VPNs on | NetWalker |
| Using Windows, Gmail, iCloud | NetWalker, Raccoon |
| Infecting themselves with malware! | Child Predators |
| Using services with Know-Your-Customer (KYC) requirements | Many others! |

Find Me On:

- https:/
- X: BushidoToken
- LinkedIn: /in/william-t
- Bluesky:
- GitHub: BushidoUK
- SANS: Will Thomas

Thanks
