- [Host] Supply chain management following the SolarWinds compromise has all the news headlines lately. Software like SolarWinds needs to touch every endpoint and server throughout an enterprise, which needs administrator access to function. So imagine if an attacker gained the same access. Another entry point that companies would not likely see coming would originate from third-party managed information service providers, often referred to as MSPs. MSPs have the same high privilege access into enterprise networks, and are commonly used when it's cheaper to outsource IT. This is the story of a near disaster of an attempted compromise of an MSP by a former employee selling unauthorized access on the dark web. This is the second episode of Know Your Adversary.

- [Randy] I thought I was leaving the FBI for something a little bit tamer, taking care of security and being proactive about defending computers. But this seems a whole lot like what I just came from.

- [Host] This is Randy Pargman. Randy was a former senior computer scientist for the FBI that went into private industry for a managed detection response company called Binary Defense. One of his teammates brought something to his attention in 2019.

- [Randy] I thought it was very interesting, and potentially dangerous as well. What it was was somebody on an anonymous forum posting that they had backdoor access to a network of a managed services provider, an MSP. The only identifying information that they gave about the MSP was that it was in the eastern part of the United States, and that the MSP took care of a lot of clients that were big businesses, and that this access that they had would allow somebody complete administrator access to not only the MSP itself, but all of its clients.

- [Host] In other words, it would give somebody the position to install whatever software they wanted to on all these client companies.
And this person wanted to sell it to somebody on the criminal forum for the purposes of launching ransomware, extortion, or something even more insidious. Think about the scale if you were a ransomware actor. Do you attack one enterprise or target a company that could have access to hundreds, if not thousands of clients? It's important to understand the acronyms and capabilities between a managed service provider, or MSP, and a managed detection response provider, or MDR. A managed service provider provides outsourced IT services to companies. So think network, Wi-Fi, phones, print, with little to no security other than some basic antivirus. Managed detection and response providers, or MDRs, provide continuous monitoring with triage and response of incidents that go beyond the antivirus to include more aggressive endpoint monitoring, and MDR companies often augment MSPs. So in other words, Randy's company was focused on the heavy aspects of security, and this particular attacker was selling access to an unknown managed service provider in the eastern United States. The first steps were to determine the name of the MSP, and if the threat was valid by determining if their credentials and access were legitimate, as this could have impacted hundreds if not thousands of customers.

- [Randy] I had the background to understand that there was the possibility this was a scam. This was a trick that the person didn't really have access, but the most likely scenario is that they did. Unfortunately, a lot of companies get hacked. This is all too common. It's the type of scenario I'd seen before. But whether it was a client or not, the top priority for us, as it would be for any person in the security community, anybody who cares about doing the right thing, is to find out which MSP this was, what company this victim was, and to warn them.
One of the things that I knew from having seen this play out before is that if somebody is selling access to a company that they've hacked, they're probably going to continue doing that. This is probably a regular business for them that they're going to not just stop at this one victim, but they're going to go on and on and on until somebody stops them.

- [Host] Attribution is hotly debated within security enterprise. Most of the time enterprise doesn't have the time or resources to track down every single threat hitting the firewalls, social media or emails. A threshold has to be reached, and for unfettered access to an MSP that could impact hundreds of clients, that certainly could meet the threshold for finding out not only the methods and signatures of the attack, but also the identity of the attacker. What if this insider was working at the MSP? What if an insider sold their credentials to someone else? What if an MSP's user credentials were compromised or reused from an external actor? Time to validate the threat through open-source intelligence gathering and threat actor engagement. It's important to engage with threat actors and derive clues that they inadvertently reveal about themselves. Style, metric attributes, language capability, technical skill, and geography details are often useful intelligence starting points.

- [Randy] At this point, the only thing we knew about them was the online name they had chosen on this particular forum, which was Wozniak, just like the famous Woz, co-founder of Apple, a really nice guy who would never sell any backdoor access or do criminal activity, I'm sure. So, number one, we wanted to just find out who was the victim, and to accomplish that, I talked to the employee who had found it and we came up with a plan. We researched a little bit more to find out what else has this person posted? You know, get a little bit of background information on them. Can we find out anything about them?
And then we looked at the offer itself. So one of the things that stuck out to me as unusual was that this person was offering this backdoor access for sale starting at the price of 600 US dollars. So that told me something right off the bat. Number one, that this person didn't seem to be experienced or familiar enough, or maybe didn't have enough reputation going in the forum to ask for a higher price, because that type of access, if you think about the way that a criminal could use that for ransomware, especially if it's not just one company that they're extorting, but multiple companies, nowadays ransomware goes even higher into the millions of dollars quite often. But at that time, tens of thousands of dollars per victim would make sense. So to sell that access for $600, that seemed a little off. Now, the other possibility is that this truly was a scam. They were putting up an offer that was too good to be true in hopes that somebody would buy it from them, and then it turns out that they wouldn't deliver any backdoor access at all, and they just run away with the money. That's something that happens on these criminal forums. So we considered that as well. But what we wanted at this point was just more information.

- [Host] Attribution doesn't necessarily need to start out with finding the identity of the attacker. It's important to determine the capabilities of the attacker or attackers. Is this a target of opportunity or a directed, targeted attack? As we will see later, often the people selling the access are just middlemen in the criminal enterprise, and not the hacker themselves who gained the initial access. The easiest way to do this is to engage directly with them and get them talking.

- [Randy] So we decided the first order of business was we were going to engage with this person. So we have a lot of electronic personas or online identities that we use to engage in these different discussions.
So we picked one of those that was going to be useful on this forum, and we posed as a person with criminal intent who wanted to make use of this backdoor access. And we started a conversation with this person who had made the post, just trying to find out some more information about it. We didn't want to drive the price up but we did want to say, hey, look, we haven't seen you post before. You know, you haven't sold any of these before. You don't really have a reputation, and your price seems a little strange. And of course, the person who posted was eager to communicate, they wanted the money. The time of day that they were responding to posts gave us an idea about what time zone they were in and suggested that they might be in the western hemisphere, which was helpful. In the conversation and the interactive communication that we had with them, it was pretty clear that this person seemed to be a native English speaker or at least a very good writer of English and seemed to use American English slang. So we got a little bit of, at least a suggestion about where the person might be just from the conversation. And then of course, the person was eager to prove that they did have the access that they said that they had. And so they offered to share some screenshots as proof. The person, Wozniak, we'll just call them Woz for now, actually responded back pretty quickly, and indeed shared some screenshots. So what we were hoping was that, in the screenshot, there'd be something about it. Something in the metadata of the picture or in the picture itself. But in this case, the screenshots didn't give us much. Woz had gone through and redacted all of the important information that we would need to identify the MSP and had really satisfied us as far as the fact that they had this access. Pretty much the only thing they weren't giving up is the identity of the victim company itself. 
At this point, we had to come up with our next part of the plan and figure out what was going to be useful to identify the MSP going forward.

- [Host] Warning the MSP is still the primary goal, but we now know that they are likely an American in the Western hemisphere with a dark web handle named Wozniak. They continue to try and lower him and gain more information while Wozniak just wanted to get paid without giving up the MSP. Eventually a controlled buy needed to take place to get the information on the MSP, but that comes with legal hurdles, because if someone purchases valid credentials and they access the network without authorization, that is likely a violation of the Computer Fraud and Abuse Act. It's time to engage directly with the FBI.

- [Randy] So our next step was actually to coordinate with law enforcement. This is something that's important for anybody that is in a security research position, anybody who tries to investigate what might be going on with criminal activity and engage in some conversations with people around that activity. So we reached out to the FBI office in Cleveland, Ohio, which is closest to where Binary Defense is located. We already had those relationships established. The company, before I even got there, had a great relationship with the FBI, and it just so happened that the people that they talk to in the Cleveland office were people that I knew from my former employment too. So I had a nice jumpstart on having that trust relationship built already. We reached out and described everything that we had done so far, explained that our goal was to identify the victim and notify them so they could take some protective action, and said that we felt the next logical step would be to pay for access and to use that paid access to identify the victim.
So the FBI conferred with the federal prosecutor, and described the whole situation, provided the screenshots that we had so far, and then got back to us and let us know that we had formal authorization. We had the ability to do this and not have any fear of prosecution, that even if it turned out that, you know, the MSP was upset for some reason, that we would have that legal cover and that we were recognized as doing the right thing and working with law enforcement. So now we were off to the races. We had formal authorization. We had a piece of paper, we had some assurance that we were doing the right thing, and that that would not be misconstrued later on, at least by the law.

- [Host] Waiting for the FBI and the federal government can sometimes feel like an eternity. Mr. Randy and his team need to stall Wozniak to prevent him from selling access to another buyer, which would have brought an untimely end to the operation.

- [Randy] So, I mean, to mitigate that, we just kept talking to him. We just kept negotiating. We kept, you know, asking him a little bit more without making him too suspicious. We wanted to keep him on the line, so to speak.

- [Host] Around the same time that the authorization from the FBI came in, the team at Binary Defense finalized their negotiations with Wozniak and settled on a price of $450. So working with the FBI, they now need to make a controlled purchase, which was authorized by authorities in order to continue on with the investigation. Wozniak wanted to be paid in Bitcoin, which is not unusual, as most criminals use the anonymity of Bitcoin, along with the middlemen, in order to keep it from being traced. This arrangement results in a reimbursement agreement between the FBI and Binary Defense for $450 in Bitcoin, with Binary Defense turning over everything that they learned so that they can work with the United States attorney's office to increase the chances of prosecution after the investigation concluded.
- [Randy] The way that it works with any criminal investigation starting, the federal prosecutor does not have to guarantee that they're going to prosecute. Sometimes what looks like a violation of federal law at the start of an investigation turns out to be something a lot more innocent, or something that's not worthy of prosecution, and it's good to be able to just drop that case. But at this point, the prosecutor had said, yes, from what you've uncovered so far, this definitely looks bad. It looks like there is a violation of federal law that could harm an entity in the US, and so this is something that we need to take action on.

- [Host] So it was good to have everyone onboard for this investigation. You're probably wondering if this process is as fluid as usual. It's certainly not. As I was saying before, there's usually a series of middlemen in the transaction that complicates this. So it was strange to see how easy it was to make the exchange.

- [Randy] This direct transaction is a little bit unusual. Quite often, when people who are more experienced at selling backdoor access to companies sell that to another criminal actor, they will use an intermediary, or they'll use an escrow service. I don't mean like a legitimate above board company escrow service. I mean another criminal actor who's agreed to hold money and then receive the access details, and then verify that both parties have satisfied their obligation with respect to the informal agreement before releasing both the money and the access details to both sides. We transferred Bitcoin to the address that the threat actor gave us, that Wozniak provided in chat, and Wozniak confirmed through the blockchain that that transaction went through. At that point, as soon as the transaction went through, Wozniak shared the login details with us. And it was very fortunate that that was really all we needed to identify the MSP.
As soon as they sent us the URL, the username and the password, it was really clear without having to even go to the site or log in that this belonged to a very particular MSP in the state of Georgia, or in the greater Atlanta area. So as soon as that came through, we provided that to the FBI.

- [Host] Let's get back to the logistics of notifying the MSP in a legal and ethical manner.

- [Randy] Normally what we would do, if we had just identified them without working with law enforcement, we'd just reach out directly to the MSP and let them know. And this is not for the purpose of selling them services. We're not trying to sell them the access to the information or dangle it. We're just doing the right thing and letting somebody know directly this is the information we have, this is where it came from. Here's everything, you can have it.

- [Host] This is often a precarious situation for security companies, because a lot of companies present threats in attempts to win business, and that never typically ends well because it's often viewed as extortion. However, law enforcement was involved, and that made it easier.

- [Randy] Because the FBI was involved and they said, hey, listen, we can actually contact this Atlanta-based MSP through our Atlanta field office, and since it's not a client of Binary Defense and it's nobody that you had contact with before, we can just take care of that. They not only called but they were able to have an in-person meeting so that the owner of the MSP understood that they were not being scammed through this notification, that it was serious and that they should take some action. Now, it turns out later on, we found out that some other security companies had also seen this posting on the forum and had tried to get some information, and they had actually figured out who they thought the MSP might be, and they tried to notify them. Unfortunately, when they tried to reach out, the MSP didn't believe them.
They didn't know who these people were. They thought that it was some kind of a scam and they didn't believe it. But when they got the notification from the FBI just a day later or so, that carried some weight. So in hindsight, it worked out really well. I'm glad that we had law enforcement involved. The MSP took it seriously, and they took the information including the username and password. That turned out to be key, not just to stopping the threat, but also to the ongoing investigation. The username and the password that were provided to us after we'd paid the Bitcoin to Wozniak actually rang a bell with the owner of the MSP. He was able to, you know, not only recognize the username, but also go back in the logs and get some strong evidence as to who had created that username. And it turned out that both the username and the timeline of creation, the log supported that a recently departed employee, somebody who had worked for his company, and who had been disgruntled and then fired, they had actually created this user account and used a name that suggested that it was them.

- [Host] A disgruntled employee creating an account after being fired, a persona named Wozniak selling these exact same credentials on the dark web. Things are starting to line up. Now to determine if that fired employee is the same person as Wozniak.

- [Randy] So at this point, our goal, Binary Defense's goal of warning the MSP, giving them the specific information rather than just, you know, hey, somebody says they've got backdoor access, well, now you're on the hunt to figure out what does that mean and where it is? Give them the specific information they need to close that hole. They were able to immediately revoke the authorization of that user account, and they could look back in the logs and see if anybody had logged in from that user account, from what IP address and what date and time, and what that account had done, what other activity they were responsible for.
So the MSP had now closed the security vulnerability that they had, and actually it was the best possible situation. They determined nothing bad had happened to them or to their clients. Everything was safe. They were able to catch this in time. So really our job was done. At this point it belongs to the FBI. Now, one of the great things about our criminal justice system is that documentation is very open, and so I was able to not just rely on information that was shared with us from the FBI, but I want to be careful when I'm describing things on a podcast or telling other people that I'm not sharing any information that is private, so I'm just going to take the pieces of the story that were in the criminal complaint, which is publicly available information from the federal courts in the northern district of Georgia. So from the criminal complaint, the next steps that the FBI took were outstanding. And this really sealed the deal as far as identifying who is responsible for this particular activity. First of all, they looked at the blockchain transactions for Bitcoin and realized that the address that Wozniak had had us send the $450 in Bitcoin to belonged to a US company called Coinbase, which is also based in the Atlanta area. And they were able to get information from Coinbase that the customer of Coinbase who owned the account that the Bitcoin had gone to had provided his real name, his social security number, a copy of his driver's license, and that matched up with the identity of the recently fired employee. So here's more facts leading to an even stronger conclusion about where that threat had come from. Next, they looked at where had the money gone when it left Coinbase, because the person responsible for this had converted the Bitcoin into US currency, and had done so through PayPal and a bank account. The PayPal account and the bank account both belonged to this fired employee as well.
And then they looked at the IP addresses that were used to log in to these online services, and found that the same IP addresses lined up between a Twitter account called Woz and the Chase bank account and the PayPal account, the Coinbase account, like everything lined up that they were coming from this IP address, which they also were able to identify the customer paying for the internet service was the same fired employee. So at this point, we have a very strong case. It is pretty obvious, everything is lining up that it was actually this, this person, Marquavious Britt, who had been fired by the MSP and still lived in the area.

- [Host] We attribute Wozniak to a known individual. What else was he up to? A lot of cyber criminals have numerous side hustles going on in the digital underground. How was this individual taken down and ultimately arrested?

- [Randy] So even though this identification through the investigation is ongoing, Wozniak himself, or Marquavious, does not know yet that he's been found out, right? He's still operating. As we thought would be useful, we maintained dialogue with them. So it turns out that he had a couple of other side hustles going on and he was increasing his criminal activity. First of all, he announced that he was developing his own custom ransomware, something that he was programming himself and that was going to be uncrackable and give people the opportunity to extort money out of businesses. And because we were already friends with him and we'd done business with him in his early criminal days, just a few months ago, he actually said that he would give us early access to this. So we were planning to buy that and do some reverse engineering of his malware and figure out anything that we could about ways to defeat his ransomware. At the same time, he also posted on the same criminal forum that he had gained access to tax filing records from another company, and he was willing to sell those for a much higher price, over $1000.
And that seemed dangerous to us as well. It was something that could cause harm not only to a company, but to a lot of taxpayers, a lot of individuals who, you know, had no idea that their personal information was gonna be sold. So we were keeping law enforcement up to date with these developments as they were going on. Fortunately, just about the time that all of this was about to really get bad, when he was about to sell that information, before he had released his first version of the ransomware, that's the point when the FBI got a search warrant, raided his house, and we were actually in the middle of a chat conversation with him when he got arrested and his house was searched. So a very good end to that story, but our further investigation and our further conversations showed that if this guy wasn't stopped, he definitely was going to continue to be an increasing threat to everybody in the information security business.

- [Host] Just like any crime, following the money is another critical aspect of rolling back attribution when the level of threat necessitates it.

- [Randy] That money doesn't do them any good if they don't convert it into some currency that they can use. Even through Bitcoin transactions, it's still possible in many cases to follow that money and see who receives it. And then if that lines up and makes sense, and the other evidence supports that that was also the person who created the account and who had access to sell it, then that makes a very strong convincing criminal case.

- [Host] Insider threat is a very real problem. And while you want to trust your employees, it's important to take the steps to prevent any opportunities for that to occur.
- [Randy] Making sure that you've got security monitoring in place, having good rules for ingress filtering, all of those things that you should do, at the end of the day you do need to be able to trust your employees, and especially those who have administrator-level access, and when those employees betray that trust, that can be really damaging to a company.

- [Host] This is a prime example of when it's important to include the identity and attribution, as much as the methods and tactics around the attack. Many times crimes occur against enterprises with some type of insider knowledge, and being able to identify that insider knowledge is critical to protecting an enterprise reputation. With all the testimonies swirling around SolarWinds and how to handle communications or breaches, it's important to understand and illustrate how the MSP took quick action to remediate an issue that could have been a much bigger disaster. Imagine if access had been appropriately sold to a real actor, that real actor gained access to the MSP, and compromised all their clients. That would have been a full-scale breach, not a security incident like this one that was remediated quickly so an attacker couldn't spread.

- [Randy] I think in the recent example of, you know, the FireEye breach and how transparent FireEye was with the whole community that it had happened, the details that were important and helping other people to protect themselves, that sets a great example for how any company should respond to a breach. It's difficult, you don't want to admit that something happened, but having a plan ahead of time and knowing, you know, what information you should share, how you should share it and when and with whom, and just having that timeline down, understanding that it is not your fault and that this type of thing can happen to anybody, and it's the way that you respond that really sets you apart and your company apart in terms of your ongoing reputation.
I think the MSP did the right thing in coordinating with law enforcement, investigating, and then informing their clients when they needed to.

- [Host] For security experts that think going to the FBI is the only means of gaining this level of attribution, that is often not the case. While Binary Defense and the FBI did amazing work, listeners would be surprised what information exists in the wild or from vendor subscriptions. For example, I'd be interested to walk back the Wozniak dark net account name, the intel that was gained from direct engagement, information from the MSP, other breach data that is out there in the wild, different metadata streams, such as global net flow and mobile signal data and passive DNS, and rolling back his Twitter handle name Woz. I bet we could have come to the same conclusions. Randy's final thoughts on attribution in enterprise were pretty spot on.

- [Randy] Every company that I talk to wants to know attribution as far as how and why, because they need to be able to respond appropriately to make sure that it doesn't happen again. That's top of mind for everyone. What damage has been done? How do we respond to that? How do we keep it from happening again? The who is also important though, especially if it turns out that it was a former employee or maybe a current employee. I mean, understanding who was behind it when it's an insider threat is essential to stopping the future activity. Just like this case showed, if somebody who is engaging in this type of criminal activity is not stopped, they're going to continue causing more harm. I think that is fair to say with just about any criminal intrusion. I don't think I've seen yet somebody who just did one and then they were done. They almost always get better over time. They get more skilled as they gain reputation in these underground marketplaces, they can charge more because their word is believed or they have a greater reputation in the community.
So these problems, if they're not stopped, do get worse, and that can affect the same company again, or it could affect more companies, sometimes business partners. So collecting enough information that can help support that attribution and then sharing that appropriately with law enforcement or authorities who can take the next step, who can look behind the accounts and get information about who might actually be behind this in real life, the hands on the keyboard, that's really critical to putting a stop to some of these threat actors.

- [Host] A special thank you to Randy Pargman of Binary Defense for joining the show today. Thank you for listening to Know Your Adversary. Every other week we will bring you a new cybercrime attribution investigation that is representative of the work of Nisos operators past, present, and future. If you have any good stories to pitch, please reach out, as no two investigations are the same, and it is simultaneously fascinating how digital clues come together to bring context to crimes that victimize enterprise. For more information, please visit www.nisos.com. Thank you for listening.