• Randy Pargman, former FBI Computer Scientist and current VP of Threat Hunting & Counterintelligence at Binary Defense

Selling Backdoor Access to a MSP

In Episode 2 of Know Your Adversary™, we discuss an attempted compromise of a managed service provider (MSP) by a disgruntled former employee who tried to sell backdoor access on the dark web. Our guest is former Senior FBI Computer Scientist and current VP of Threat Hunting & Counterintelligence at Binary Defense, Randy Pargman. 

In 2019, Binary Defense engaged with an actor selling backdoor, unauthorized, and illegal access to an MSP in the eastern United States. The MSP provided outsourced IT functions for many companies, and a compromise of its systems would have had a major impact on hundreds of its clients. The actor, who identified himself only as “W0zniak,” attempted to sell the username and password for $600. In order to ensure confidentiality and proper legal engagement, Binary Defense coordinated with the FBI to conduct a “controlled purchase” of the credentials, inform the MSP, prevent any other threat actor from buying the same credentials or using them to access the MSP, help the FBI attribute and unmask the individual, and bring the actor to justice.

Here are some of the key takeaways from the episode:

Threat Actors Sell Access to Victim Networks Using a Variety of Methods. Actors typically fall into several distinct groups: those who sell access, those who buy access, those who gain access and persist (ransomware, espionage, etc.), those who steal valuable information, and those who facilitate the payment(s) can all be different individuals or groups. In this case, a former employee created credentials with the intent to sell them to other criminals. Unfortunately for him, he sold them to the good guys, Binary Defense and the FBI.

The Case for More Aggressive Attribution and Unmasking of Adversaries. An enterprise often needs the ability to determine whether an attack is a target of opportunity (a drive-by scam or smash-and-grab) or well-orchestrated and directed with a specific purpose in mind (insider threat, espionage to gain information, targeted fraud, or ransomware). When it is clear that an enterprise is under direct assault, unmasking identities for attribution is often warranted in order to disrupt the attack and identify the perpetrator. Selling unauthorized access that could impact hundreds of other commercial victims justifies unmasking at the identity level to prevent both the initial attack and potential subsequent attacks.
