FortiGuard Labs Threat Research Analysis
The famous painting “Swans Reflecting Elephants” creates a double image and is an ideal metaphor of what we know about the internet and the hidden layer beneath known as the Darknet. I also see it as a metaphor for cyber adversaries and researchers and how we are tangled together by destiny almost in the world of cyber crime.
Researchers often overlook the importance of additional sources of cyber threat intelligence and ways to enhance maximize their search. In its most basic terms, cyber threat intelligence allows organizations to prepare for—and mitigate —cyberattacks. But that is becoming more and more challenging as the cyber criminal ecosystem grows, and the volume and sophistication of attacks continue to expand. Gartner provided this definition nearly a decade ago, and it still applies today: “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.”
At FortiGuard Labs, we use threat intelligence to better understand the techniques, malicious software, and potential targets that threat actors are considering attacking. Our threat intelligence is curated from many different sources, including (but certainly not limited to) millions of global network sensors, as well as multiple honeypots, cybersecurity reports, and intelligence shared between security professionals, security vendors, government organizations, and private partnerships.
With over 100 billion indicators of compromise, or IOCs, observed every day, threat hunters at FortiGuard Labs also employ a variety of automation tools to scan, process, mine, and correlate this data. This includes multiple internal machine learning techniques and our patented AI threat collection and correlation system, using big data analytics and elastic search clusters, writing Yara rules, and sometimes just relying on a close relationship with our customers and other security professionals who participate in the community submissions of threats.
Frequent data sources for threat intelligence include attacker and torrent/onion forums, usually on the Darknet, where malware, ransomware, and denial of service is often discussed, purchased, and sold. Many of these forums require researchers to jump through a significant number of hoops to access. Some forums require payment, other forums require people to vouch for you as a real hacker, and sometimes you have to prove your worthiness by demonstrating your ability to code around a security problem or create malicious software. Complicating this process further, the general rules of engagement from a white hat security researcher perspective states that, as one of the good guys, you never pay for information, never create code, and never even remotely participate in anything illegal or unethical.
Many people would think that would limit the usefulness of the information we would be able to access. It does not. That’s because most attackers on these forums are not just motivated by financial based incentives. They want to post and advertise their knowledge in forums that will have the most views, and many want to show off their skills. Contrary to popular belief (and Hollywood movies), you will probably not find spies from two rival nations surreptitiously communicating across some secure backchannel on these networks. What we do see, however, are frequent attacks targeting mass individuals and organizations rather than the narrow, specific, targeted attacks.
I am often asked about where and how we find out about these hacker forums. There are a few popular forums that get lot of attention, but these forums often have lots of noise, including ads and very outdated information. Others are much more focused. Regardless, these forums are not necessarily any more malicious than a Facebook group or even a cybersecurity class. And most importantly, in our case, the techniques shared in these forums help defenders understand attacker culture and how to defend against frequent attacks.
Keep in mind I am only going to share well-known and well-discussed sites, including those sites most commonly used by threat hunters, threat researchers, and cybersecurity defenders. Let's start with the typical sources.
Twitter: Everyday, new threat-based websites and forums, locations to find attack code, or other threat intelligence services are discussed or posted on Twitter. Furthermore, threat actors and hackers sometimes communicate directly on the platform. However, it takes time to learn which individuals to follow.
Pastebin: This is an online content hosting service where users can anonymously post or store plain text, such as source code snippets for code review, for a limited amount of time. Pastebin has become a little more challenging to use recently because of how they make public pastes available. In general, attackers post leaked data breach information on this site.
IntelX: This is a tool used by advanced threat hunters. It is similar to Pastebin, but it also allows individuals to search for emails, domains, and cryptocurrency wallet addresses. It also provides a useful API interface so researchers can automate their searches.
GitHub: There are a ton of security software tools on GitHub that are created for defenders and researchers, including those that are sometimes modified by attackers. You can find samples of ransomware toolkits, remote access trojans (RATs), social engineering kits, email spoofers, and many other tools that defenders use to test their security—and that attackers may use or modify for more nefarious purposes. Defenders such as FortiGuard Labs automatically look for these tools; and run tests to ensure that we can detect and stop attacks generated by these tools. Defenders should write flexible policies that only allow their systems to perform approved security audits by these tools and under no other circumstance.
Search Engines: Darknet search engines, like the one pictured above, usually feaure a combination of people talking about various hobbies, links to other sites, news articles, and stories. While there is certainly some useful information to threat researchers on this site, it takes time to develop a technique for searching for helpful information, separating and categorizing that information for review, and storing and searching for that information when needed.
In other words, I could give you all the forums, marketplaces, and TOR sites I visit; however, unless you already have techniques (or can develop them), these websites won’t be useful because of the amount of information that has to be searched through and separated to make that information actionable.
While we no longer manually search these sites, we do set up crawlers, APIs, or other access methods permitted by the websites that host the data to search for specific keywords and phrases. And because of the shifting threat landscape, we have to refine our searches continuously. Many of these techniques are custom developed, and therefore not commonly available to the average user. And even then, we still have to contend with things such as CAPTCHA logins, two-factor authentication, and automated lockouts. And to complicate things further, some of these sites are explicitly looking for IPs connecting from known cybersecurity organizations or researchers, and will actively block them and lock them out.
Another question I am often asked is, “What are some of the things we find on attacker/hacker forums, such as the Darknet’s infamous onion sites?
Let’s start with the Darknet marketplaces. This is an underground version of e-commerce sites, where you can browse and purchase goods and services. The majority of the listings are generally related to narcotics. However, when we browse the software or malware sections of these sites, we often come across new data. Using the screenshots below, you can see such items as remote access trojans, botnets for sale (such as the Zeus botnet), and crypto currency malware.
The prices for most of the software are pretty low, though newer, more complicated, or more refined software is much more expensive. However, the majority of the malware found on these marketplaces is mostly cheap because the malware is old, sold in bulk, and usually should be detected (at least in its default configuration) by most cybersecurity software. However, this does not stop attackers from trying to use these services on a mass scale or attempting to modify the software in a manner to make it undetectable by cybersecurity software.
We also find items for sale that are not malicious software, but more in the category of tricks or guides. Examples of this include how to change your MAC address (which most systems administrators can figure out how to do with a Google search) or repackage open-source pen-testing tools such as DROID Jack, which is a remote access trojan for older Android devices (typically available for a free download from many sites). And once in a while, you will find someone who has taken the time to update old malware and add new features.
From the screenshot above, we can see there is a new version of DroidJack available for sale. As researchers, we need to make sure that we can protect our customers against this new variant. Fortunately, we don’t need to get the software from this forum. We have lots of resources and honeypots where we can collect and run the actual software. However, when we see this software showing up on multiple sites, we can guess that it is most likely getting popular.
We can also start looking at software reviews, and start tracking the seller using their User ID, their contact info, and perhaps even their cryptocurrency wallet address to get an idea of what other activity the threat actor is engaged in. Keep in mind that this can be pretty difficult because many threat actors will change their IDs, generate new cryptocurrency addresses, or use focused privacy currency such as Monero.
In either case, our first goal is to examine the malicious software and make sure we can detect and stop attacks generated from the software.
We also frequently come across text dumps that contain usernames, names, passwords, and other information. This is often what happens to data when cyberthieves, or even people in your organization, have intentionally or inadvertently leaked passwords or other PII, (which is also why this can put your entire organization at risk.) Fortinet’s FortiWeb service, for example, has an account stuffing feature that identifies login attempts using credentials that have been compromised using an always up-to-date feed of stolen credentials resulting from numerous leaks posted on the Internet.
Below is a recent post on a forum claiming to have millions of accounts from a recent data breach. In this specific case, almost anyone with a forum username and password can download the database.
The point I want to make about attack forums is that it allows researchers such as myself to understand what is interesting to attackers. Getting inside the mind of an attack not only enables threat researchers to anticipate threats and steps within an attack, but also begin to profile certain cyber criminals. Threat behaviors are a lot like fingerprints and can be very useful in uncovering and defending against certain threats.
For example, over the past few months we have seen a lot of discussions around security on various web meeting platforms.
The majority of these talks have no malicious intent and are probably people just wanting to understand or discuss a specific topic. In some rare cases, however, we discover when an application is getting enough chatter that attackers are starting to research vulnerabilities or test code.
I had an automated search look for a branded web conference and malware for sale. My search only yielded normal discussions. This means I will have to refine my own searches further or continue monitoring to see if any new activity occurs around my keywords. But as a researcher, sometimes, even generic conversations are still valuable because I can now gauge the interest attackers have on targeting specific applications, or how their own interests may change based on global events.
In addition, generic conversations can often spin off topics of interest. In this specific case, one of the forum threads I was monitoring went off on a tangent wherein a forum member started discussing ATM Jackpotting, a technique used to hack ATMs (automated teller machines) with malware in an attempt to have it dispense cash. This individual had links to a different forum that I had not had on my radar that was selling items related to ATM attacks.
You never know where the rabbit hole will lead you.
Almost every threat we discover is initially examined by us either manually or by using one of our automation tools. Defenses and threat signatures are then written to protect customers against these threats. It goes without saying that we take these protection signatures and update all of our Fortinet Security Fabric solutions. Because of the nature of the majority of the threats we discover, most of these defenses are concentrated in our AV engines, which means that any of our products with enabled AV engines will protect against these. We also develop IPS signatures for those threats that need that level of detection.
In those cases where we identify malware connecting to specific sites for command and control, we also add the URLs and IPs (if it makes sense) to the malicious software categories on our web, DNS, and IP reputation filters.
And in the case of hardware attacks such as ATM skimmers, we examine the software they use and raise awareness to our customers when we come across a new tool or technique. We also share this information with our trusted cybersecurity partner organizations and people who might be interested in it.
At FortiGuard Labs, we use a variety of different sources to stay on top of attacks. In this article, I have shown you a glimpse of some of the sources we use when it comes to monitoring attack forums and the Darknet, as well as how we are protecting our customers. However, due to the risks inherent in browsing the Darknet, including malware infection and PII theft, I recommend that you leave this activity to cybersecurity professionals with the training needed to avoid risks, and the tools needed to recover a device that becomes inadvertently compromised.