Somewhere in the former Soviet Union, possibly Crimea, a Russian-speaking hacker called Netrun* was putting the finishing touches on his latest success in his online life. On a regular basis he scans the Internet looking for vulnerable remote access ports with weak passwords and, as usual, he had scored. He was inside the network of a rehabilitation center. An employee who was authorized to work from home had his remote access port (RDP) open and was using a very weak password—namely, “Password.” Netrun easily cracked this password and accessed the records management system, downloading 43,000 pages of patient data. Then, in an attempt to maximize the potential profits, he installed a piece of ransomware on the compromised computer. The ransomware spread from the compromised computer to every networked drive to which the compromised computer had access. The next morning, employees logged on to find that their network drives were locked, and a demand for 3 bitcoin—then worth around $2,000—greeted them.

Image courtesy of Graeme Churchard’s Flickr photo stream, licensed under creative commons.
While a great amount of attention is paid to the giant compromises that both grab attention and elicit dismay—the ones that hit big box stores, hospitals, or government databases—Cyber4Sight analysts believe that the major threat to the personally identifiable information (PII) and protected health information (PHI) comes not from breaches of relatively well secured major corporations and government agencies, but from the steady drip of small-scale breaches of unsecured networks at small businesses by modestly skilled hackers like Netrun. Cyber4Sight analysts frequently spot cybercriminals claiming modest breaches along the lines of the rehab center breach described above, with threat actors occasionally posting evidence of their crimes at online file-hosting services in order to bolster their claims. Netrun seems typical of this type of actor—content to run simple scans for vulnerable systems, sell what he can obtain, and possibly employ simple ransomware.
Netrun posted hundreds of pages of patient data from the compromised rehabilitation center on a well-known file-sharing site. The data includes names, addresses, social security numbers, pictures, and even medical information. The data is almost perfect to use for identity theft—anything from establishing fraudulent bank accounts to generating fake passports, and everything in between. There was just one catch: Other members of the crime forum mockingly questioned the value of credit records of patients from the rehabilitation center. Indeed, Netrun was asking a relatively low $400 for the tranche of data. For contrast, he had another bit of data for sale at the same time; he’d compromised the computer of a personal injury lawyer and posted a scan of the principal’s driver’s license and credit card as proof. He asked for $700 for that data.
Netrun has been compromising vulnerable computers and selling what he finds on them since at least April 2016.
By November 2016, Netrun started to post the IP addresses, host names, and login credentials of more than 100 hosts he had presumably compromised, raided for salable material, and infected with ransomware. Netrun may have posted the information as an attempt to bolster his bona fides; also, the hosts may not have been of any use to him anymore. Cyber4Sight analysts examined the lists of compromised hosts and attempted to identify victims and draw some conclusions about the nature of the activities of the modestly skilled hacker. Most of the hosts were located in the United States, with a few located in France and Italy. The sample of compromised hosts that could be tentatively identified includes small and medium businesses, medical and dental clinics, a few small business point-of-sale systems, tax preparers, and law firms. Two common threads stick out—all the compromised hosts had a remote desktop port open, usually port 3389, 3390, 3391, or 3392, and they all had extremely insecure passwords. Samples include the users’ first names used as the username and password at one medical clinic; a job position and “trucks” used at a host identified as “PUBLICWORKS” in a major American metropolitan suburb; or the password “police” used on a computer belonging to a police department of another, smaller suburb.
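The two common threads above (an Internet-reachable remote desktop port and a password that falls in a handful of guesses) leave a recognizable trace in the victim's own logs: a run of failed RDP logons from one outside address, then a success. The following Python script is an added example, not code from the report or from Cyber4Sight, that runs that detection over a few constructed Windows Security log lines. It assumes a simplified one-line-per-event export (EventID 4625 for a failed logon, 4624 for success, LogonType 10 for RDP), an internal address list of the RFC 1918 ranges plus loopback, and a failure threshold of five; all three are assumptions to be adjusted for a real environment.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (not taken from the report) in a simplified
# Windows Security log export. EventID 4625 = failed logon, 4624 = successful
# logon; LogonType 10 = RemoteInteractive, which is what an RDP session shows as.
SAMPLE_LOG = """\
2016-11-02 03:14:05 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2016-11-02 03:14:06 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2016-11-02 03:14:07 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2016-11-02 03:14:08 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2016-11-02 03:14:09 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2016-11-02 03:14:10 EventID=4624 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2016-11-02 09:01:22 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=10.0.0.17
2016-11-02 09:05:40 EventID=4624 LogonType=2 TargetUserName=jsmith IpAddress=-
2016-11-02 11:30:00 EventID=4625 LogonType=10 TargetUserName=sales IpAddress=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"
FAILURE_THRESHOLD = 5  # assumption: tune to the environment's normal typo rate

# Assumed internal address space for this example; a real deployment lists its
# own ranges. Anything outside these networks is treated as external.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def parse_log(text):
    """Turn the text export into a list of event dicts, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def is_external(ip):
    """True when the source address lies outside the configured internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # e.g. "-" for console logons with no network source
    return not any(addr in net for net in INTERNAL_NETS)


def external_rdp_logons(events):
    """Successful RDP logons from outside the internal ranges. Any hit means the
    remote desktop port is reachable from the Internet, which is the exposure
    the report describes."""
    return [
        (e["ts"], e["user"], e["ip"])
        for e in events
        if e["event"] == SUCCESS_LOGON
        and e["ltype"] == RDP_LOGON_TYPE
        and is_external(e["ip"])
    ]


def failure_counts(events):
    """Failed RDP logons per source address (password-guessing indicator)."""
    return Counter(
        e["ip"]
        for e in events
        if e["event"] == FAILED_LOGON and e["ltype"] == RDP_LOGON_TYPE
    )


def cracked_after_guessing(events, threshold=FAILURE_THRESHOLD):
    """Sources whose run of failed RDP logons is followed by a success: the
    signature of a weak password being guessed. Events are processed in log order."""
    failures = Counter()
    hits = []
    for e in events:
        if e["ltype"] != RDP_LOGON_TYPE:
            continue
        if e["event"] == FAILED_LOGON:
            failures[e["ip"]] += 1
        elif e["event"] == SUCCESS_LOGON:
            if failures[e["ip"]] >= threshold:
                hits.append((e["ip"], e["user"], failures[e["ip"]], e["ts"]))
            failures[e["ip"]] = 0  # a success resets the run for that source
    return hits


def report(text):
    """Combine the three checks into one findings dict for the given export."""
    events = parse_log(text)
    return {
        "external_rdp_logons": external_rdp_logons(events),
        "guessing_sources": {
            ip: n for ip, n in failure_counts(events).items() if n >= FAILURE_THRESHOLD
        },
        "cracked": cracked_after_guessing(events),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(key, value)
```

On the constructed sample, the script flags 203.0.113.45 under all three checks and leaves the internal logon from 10.0.0.17 and the single failure from 198.51.100.9 alone. The first check alone is worth running even with no failures in the logs: a single successful RDP logon from an external address says the port is exposed, which is the condition every host on Netrun's list shared.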
Netrun is just one of dozens of cybercriminals Cyber4Sight analysts encounter every month who claim to have access to hosts compromised through insecure RDP installations, or who claim to be selling stolen PII/PHI. Netrun is slightly unusual because of his willingness to provide samples of his inventory; many actors merely state that they have access and may or may not provide samples in private communications. It is important to remember that Netrun is just one modestly skilled threat actor, and he has probably compromised the PII or PHI of tens of thousands of Americans in the last 6 months alone. Multiply that by the dozens, even hundreds of similarly skilled hackers working every day, and the drip, drip, drip of leaked information becomes a torrent.
*We’ve modified the criminal’s moniker. A longer, unmodified version of this report initially appeared in Cyber4Sight’s December 2016 Monthly Intelligence Report.
Article Link: https://blog.cyber4sight.com/2017/02/a-day-in-the-life-of-a-modestly-skilled-cybercriminal/