CyberWire Daily - Big data, big payoff for China's cybercrime underground. [Research Saturday]

Episode Date: May 29, 2021

Guest Brandon Hoffman of Intel 471 joins Dave Bittner to share his team's research "How China’s cybercrime underground is making money off big data". Through Intel 471’s observation and analysis of open source information and behavior on multiple closed forums, they found actors adopting the use of legitimate big data technology for cybercrime and monetizing the data they obtain on the Chinese-language underground. The behavior Intel 471 analyzed points to a cycle that involves several different layers of cybercriminals, the use of insider information, and unwitting victims in order to earn ill-gotten gains. The schemes themselves proliferate partly due to China’s desire to be a global epicenter in big data analytics, especially as it pushes to become synonymous with new technology sectors like the Internet of Things (IoT). With China injecting big data into every economic sector, the environment has become ripe for criminals to create and execute schemes that hide in the noise brought on by the amount of data at hand. The research can be found here: How China’s cybercrime underground is making money off big data

Transcript
[00:00:00] You're listening to the CyberWire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities,
[00:01:09] solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. What prompted the creation of this report is that the popularity of specific tools or services in the cybercriminal underground, when they gain a certain amount of popularity, we think it becomes important to share. And this one is particularly interesting because it was used by so many different types of tactics and techniques. We thought it was interesting. That's Brandon Hoffman. He's Chief Information Security Officer at Intel 471.
[00:01:54] The research we're discussing today is titled EtterSilent, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions.
[00:03:10] Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security. Well, I mean, let's start off with some descriptive stuff here. When we're talking about a maldoc builder, what exactly is that? So what that is, is essentially a service or a tool from another cybercriminal that will create a malicious Word document or document typically for the Office suite, the Microsoft Office suite. So when you think about an attack where they say, hey, somebody emails you an attachment for an Office document or an Excel, and you open it up and that then downloads some other
[00:04:02] malware, that's a malicious doc. And so a lot of the cyber criminals don't have the capability to build them themselves. So they hire or buy this piece of software that will build this malicious document for them. Gotcha. Well, let's go through EtterSilent itself. What are the capabilities that it has? Yeah, so EtterSilent is interesting in a couple different ways. The first thing that makes it interesting is that it uses two different ways.
[00:04:32] The malicious document has two different options, right? One is it exploits a vulnerability, a CVE, in Microsoft Office. Now, it's quite an older one, but still one that does exist if it hasn't been patched out there. And the other one uses the other more common method, which is a malicious macro. So that is interesting. It's also interesting because it disguises itself as if it's coming from DocuSign. And I'm sure most people are familiar with DocuSign, but it's supposed to, you know, it provides a level of trust. It's one of the ways that it can kind of set the victim at ease that this is something legitimate. And you have some examples here in the research. Can you describe to us what does the DocuSign
[00:05:15] document look like and how does it trick people into doing things that they'd be better off not doing? Yeah, so it comes through. It looks like DocuSign. It has the DocuSign logo on it. It says it's encrypted by the DocuSign Protect service. And then, of course, at the bottom, it says "Why I cannot open this document." That's generally used if you think about the macro version. A lot of times, IT security departments will disable macros globally. And if they do, that's great. But if they provide the users the opportunity to re-enable macros to do something, this kind of walks them through how to enable the content, which would be, in this case, malicious content. So a very smart, very slick way to trick the users into opening macros and letting this malicious
[00:06:06] code run on their system. And so once they click through, they enable the macros, what happens next? Yeah, so what happens next is, you know, essentially a payload would get downloaded. So that would be, you know, the next stage of attack, you know, depending on how it's used together with another piece of malware. So it could be that EtterSilent is used to download a payload for TrickBot or potentially there's other banking trojans and others that are available that were part of the campaign, things like Qbot, Gozi, or otherwise known as Ursnif, even BazarLoader. And BazarLoader is quite interesting because BazarLoader has been seen in the wild to be paired up with some of the more popular ransomware attacks. So if you think about the attack chain, and I'm not sure if you wanted me to explain this all
[00:07:02] right now, but somebody would drop this malicious document, user would open it, the code would run, it would download something like BazarLoader. BazarLoader then allows another threat actor to then potentially load a third element, which could be potentially something like ransomware, directly into the system. Right, right. One of the things that you go into in the research here is bulletproof hosting. Can you describe to us what you're seeing there? Yeah, so bulletproof hosting is something that I feel like a lot of people know about. I'm not sure it always gets the attention that it's due. But bulletproof hosting, just at a high-level glimpse, is essentially like the AWS of the cybercrime underground. So imagine you're an attacker.
[00:07:46] You need some infrastructure to host all this malicious code to send the attacks from machines. And essentially, that's what bulletproof hosting is. You spin up machines in this other cybercriminal's infrastructure, and that's where you launch your attacks. That's where you place command and control servers. That might be where your spam campaign comes out of from a mail exchange perspective. And what's interesting about that is because we've observed it paired up with some of these more popular malware campaigns, a lot of those
[00:08:16] malware campaigns also use bulletproof hosting. So what that means is that it provides the defenders an opportunity to block this from even getting to their users. So when you think about how do I defend against something like this, sure, having macros disabled, sure, having Microsoft Office patched and having some type of spam filter, mail protection in place is good. But also another level even earlier is simply blocking traffic from bulletproof-hosted infrastructure. That would also provide another layer where if for some reason you didn't do that, it still got through to the user. If the callback to download the next stage, the next malware family, that might be hosted by bulletproof infrastructure as well. So that would
[00:09:06] allow that callback to not happen. That would block that callback. So essentially, it provides another opportunity for the defenders to disrupt this attack chain. And I suppose, I mean, there's little reason not to block these bulletproof hosting providers, right? I mean, very little, I would hazard to say virtually no legitimate traffic comes out of them. Is that fair? It's fair, you know, and truthfully, that's probably a little bit of a longer chat. It does get a little bit tricky sometimes because the bulletproof hosters themselves, of course, smart people, and sometimes they will get, you know, infrastructure from a legitimate provider. Let's say they get something from Google Cloud or something from Amazon. Now, typically those
[00:09:51] things get shut down very quickly because those infrastructure providers are looking for that type of abuse of their services. But in certain cases, if there is an overlap there, you might be doing a canopy block of all bulletproof hosted infrastructure. There may come a time where you may accidentally block an IP net block that is legitimate. Will that disrupt a business service? There always exists the possibility that that would happen, but I would say in this case, you know, the juice is worth the squeeze. Mm-hmm.
[00:10:30] What does this say in terms of the overall commoditization of cybercrime? You basically have these building blocks that people can use to do what they're setting out to do here. Yeah, I mean, it's a full marketplace. It's a full economy unto itself. It draws parallels directly to our own kind of obviously non-criminal standard economy where there's products and tools and services, there's service providers, there's suppliers. They specialize in something specific. So if you're trying to create an attack against somebody, and maybe your specialty is in cashing it out, monetizing an attack, but you don't have the skills to write the malware or to gain the initial access. You can buy all these things from other providers. So there's literally a full economy with service providers
[00:11:19] and product providers at every stage of an attack, anything that you could think of. And I could describe that in more detail if you want me to. Yeah, let's dig into it some. What are some of the things of note there? Yeah, so certainly, for example, ransomware. There's ransomware as a service where you essentially, you almost don't have to do much. You just have to provide a victim and somebody, you know, another ransomware, they call them ransomware gangs, although that's not exactly an appropriate term.
[00:11:49] They'll go and do the ransomware. They'll do the negotiation. They'll collect the money and they'll charge a fee for that. And how would you get that victim for them? Well, you could go to an access broker and an access broker is somebody who did the initial infection with something like maybe a maldoc, right? They have access to a machine, but they don't have any interest in doing a lateral movement or doing a ransomware attack. They simply get that initial access, then they sell that off. Same thing can be said about credentials and identity. There's people who are great at running the malware that grabs credentials from people's browsers and other places, and they don't have any interest in using those credentials further in an attack. Rather,
[00:12:30] their way they're going to make their money is simply by selling the credentials to somebody who's going to then perpetrate an attack using a credential-based attack. Going back to EtterSilent itself, what are your recommendations for folks to best protect themselves against this? Yeah, I mean, there's a couple different opportunities to best protect yourselves against it. First, of course, is if you can, globally disable macros at a policy level and have no exception to that. I know that's not really practical advice because there's a lot of departments that have to use macros. Certainly keeping things patched, the CVE that gets exploited in the more expensive version is a 2017 vulnerability. So certainly that's something that should be handled. So those two things will protect you specifically against EtterSilent. But then again, there's
[00:13:23] that opportunity to look at bulletproof hosting and disrupt that, block that infrastructure from having any communication with your systems or networks. There's a lot of indicators, IOCs and other artifact information that we've developed, and I'm sure others have developed as well around this,
[00:13:39] where you could use that on an endpoint technology to block it from running, should it even get to the user. Updating, you know, spam filtering and mail protection systems are a great thing. And then looking at the attack chain on a broader scale, there's a wealth of information around, you know, things like BokBot and TrickBot and all these other bankers and loaders, and just making sure that your protections are up to date against those. So there's several opportunities to really disrupt this particular maldoc. Yeah. How about educating your users themselves? I mean, obviously we have the thing with the
[00:14:14] macros here, but just being on the lookout for these sorts of things in general, do you think that's a useful effort itself? I don't know that there's a useful effort around creating awareness for this specific, you know, EtterSilent itself, because it's truthfully in itself, it's nothing novel, meaning it's not a unique tactic that's being used. It just kind of gained popularity for a variety of reasons. I would say that security awareness is always an important thing to do for any organization. Always make sure that you know what you're clicking on is from a legitimate source, take the time to review it. Of course, with the remote work, you know, kind of diaspora,
[00:14:54] that makes things more difficult. People are working later or they have their kids talking to them and they're distracted. And so security awareness is more important now than it ever has been because extra precaution is needed. Why do you suppose that EtterSilent has risen in popularity here? What's so attractive about it? Yeah. So what's so attractive about it is that it is cost effective. That's the first thing, depending on which method you choose. And the other reason is that the author of EtterSilent has gone through great pains to make sure that the obfuscation tactics and techniques used in the maldoc itself are very robust. So we do see that from time to time,
[00:15:39] but, for example, the version that uses the exploit, the vulnerability, that's quite expensive. It ranges about $130 plus for a single build, meaning a single campaign run for that build. But on the other hand, conversely, the macro is only $9 at start. It might, you know, the prices fluctuate just like any other market as time goes on. But $9 for a unique malicious macro build is a very, very attractive price for many people. Because if you got to imagine if they're running a campaign and every campaign they're going to, you know, they let's say they have 100,000 targets and they break that into 10,000 groups of 10,000, you know, then they're going to run 10 campaigns. They could run those 10 campaigns for $90 with a unique malicious document in each one of those campaigns. That's a quite attractive price. And the obfuscation technique provides a good chance that it won't be detected, at least
[00:16:36] currently, by a lot of the endpoint solutions. So one of those defense mechanisms kind of falls away, which provides a greater opportunity for success from the attacker side. Yeah, that's fascinating. I mean, I suppose it really speaks to the professionalism here that the folks behind developing this have put together, for lack of a better term, a quality product. Yeah, it's funny that you say that because that's the term that we use a lot of times. They say, well, somebody built some quality software here. And unfortunately, that's the way you kind of have to look at it is, you know, a lot of the guys who write this
[00:17:14] software are really, really good at what they're doing. And they're just doing it on the other side. Our thanks to Brandon Hoffman from Intel 471 for joining us. The research is titled "EtterSilent: the Underground's New Favorite Maldoc Builder." We'll have a link in the show notes. And now, a message from BlackCloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised
[00:18:05] at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with BlackCloak. Learn more at blackcloak.io. The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe,
[00:18:46] Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
