Mitigating Threat Actors’ Shift Toward Automation

March 30, 2020 • Monica Todros

Researchers from Recorded Future’s Insikt Group have been tracking the increased use of automation by a variety of threat actors around the world. Similar to the way that legitimate businesses use automation to increase their efficiency and productivity, the bad guys have adopted various tools to help maximize their profits and scale operations. They’ve built a thriving underground marketplace, and there’s no sign that they’re slowing down.

Roman Sannikov, Recorded Future’s director of cybercrime and underground intelligence, joins our show to share Insikt Group’s findings.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 152 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Researchers from Recorded Future’s Insikt Group have been tracking the increased use of automation by a variety of threat actors around the world. Similar to the way that legitimate businesses use automation to increase their efficiency and productivity, the bad guys have adopted various tools to help maximize their profits and scale operations. They’ve built a thriving underground marketplace, and there’s no sign that they’re slowing down.

Roman Sannikov, Recorded Future’s director of cybercrime and underground intelligence, joins our show to share Insikt Group’s findings. Stay with us.

Roman Sannikov:

So one of the things that we’ve been seeing and monitoring, one of the reasons that we’re putting out this research is that there’s been a tremendous amount of specialization in the underground economy and in cybercrime. So instead of having to do a lot of the things manually from scratch, threat actors can grab off-the-shelf tools, can go through a lot of the processes that they used to have to spend a lot more time on in a relatively automated and simple way.

And obviously what that’s done is, it’s made it easier and faster for a lot of the threat actors to carry out their campaigns. And at the same time, it’s democratized cybercrime to some extent, so that people who may not have been able to be engaged in something serious because they just didn’t have the technical skills to implement all the various tools that are necessary for an effective attack.

Now with a lot of those tools and services being available off the shelf and a lot of them being automated, it makes it a lot easier for people to become involved in this illegal activity.

Dave Bittner:

Yeah, it really strikes me that this is one of those examples that when there’s a demand for a service, someone will step in and fulfill that demand. Even if it happens to be in an underground criminal market.

Roman Sannikov:

Absolutely, and one of the interesting things is that also, not only are the services available, but as these threat actors have become more sophisticated and more specialized in specific tools, their customer service has improved.

Again, I remember when it was really a crapshoot when you bought a tool from a threat actor, whether it was going to work, to what extent it was going to work. Now they actually have customer support for many of the tools that they’re selling and they’re really concerned about the reputation of the tool and of their service.

Dave Bittner:

Well, one of the things that you do in your research here is you outline a variety of the types of tools that these folks are using that they can use to automate the various tasks. Let’s go through them one at a time together and you can describe to me what’s going on here. You start your list with breaches and sale of databases.

Roman Sannikov:

Right. We tried to do this in a somewhat narrative way so that it was a little bit easier to follow. The report that we’re putting up now is going to be the beginning of a series of reports that are going to go deeper into each one of these topics. So this initial report outlines the topics we’re going to cover, explains what their uses are and why they’re important, provides some technical and mitigation descriptions.

But then throughout the year, we’re going to publish fuller reports on each one of the topics. So we started out with breaches and the sale of databases because it’s one of the things that I think most people are most familiar with. So recently, a lot of people have heard about the Chinese hackers who were charged with the breach of Equifax.

So again, it’s one of those things that a lot of people are familiar with, but I think a lot of people don’t realize the real danger and what it is that the threat actors are really getting from these breaches and how at least on the criminal underground, how these breaches can be monetized.

So what we go into is again the type of credentials that are frequently found on these types of breaches, the way that these breaches are sold on the underground forums, various auctions and things like that. And then what they use that information for, how they can then move on and monetize and use it for example, for business email compromise, which is one of the most damaging forms of eCrime right now.

I think it was the FBI that put out that business email compromise has grown significantly over the last few years and is costing companies billions of dollars and a lot of that does start with information that is obtained from breaches.

Dave Bittner:

Is it fair to say that these breached databases are the fuel that drives a lot of these other things that are going on?

Roman Sannikov:

Absolutely. I think that is a really great analogy. They are the ones that a lot of the subsequent attacks and subsequent fraud, and the hacking and all of that start out with. So the breaches, like you said, they really are a good starting point for the rest of the cycle, so to speak.

Dave Bittner:

Well, let’s review some of the other ones that you list here. You talk about checkers and brute forcers.

Roman Sannikov:

Sure. So checkers and brute forcers are the tools that threat actors can then use once they have a database, for example. So one of the things that many of us are guilty of is reusing passwords. So frequently if they have access to information from a breach, they can then use that same login information at many different types of sites, at commercial sites, online retailers, and other types of sites.

So checkers are typically either universal, meaning they can check the credentials for validity across different platforms across different sites or frequently the better ones are the ones that specialize in a specific site.

So for example, if you have credentials that you obtain from a breach database and you want to check it against bank XYZ, see if this individual happens to be a customer at this bank or happens to, if you know that they’re a customer, because that information may have been in the breach as well, the breach data. If you want to check whether you can access, use those credentials to access that account, the checker is really the way to go.

With brute forcers, you can use the login, username, but you don’t have the password, but again the brute forcer will then try to crack that password so that at least if you have part of the information, you’re able to ultimately gain access to a variety of different sites, of different services. Again, using the databases, using the credentials from the breach databases as the fuel.

Dave Bittner:

Yeah. Some of the other ones you described here are, I suppose, self-explanatory: stealers and keyloggers. I think most folks have a good sense for what’s involved there. One of them you described as banking injects. What’s going on with that one?

Roman Sannikov:

So banking injects is the term that they’re most frequently called, but essentially what it is, is an overlay. So this is where threat actors take a page, and it almost works like a skimmer, where they will take a page that they’ve created that redirects traffic to their own command and control server, but they place it over the legitimate page of a banking institution.

So the threat actor believes that, or it doesn’t even have to be banking in some cases it could be other institutions where financial information and login information is obtained from. But the individual believes, again, like a skimmer that they’re going to a legitimate ATM, legitimate bank page website.

They enter the information thinking that they’re entering their legitimate site and frequently they do, the bank inject or overlay is transparent. So once the information is collected like their username and password, they are redirected to the legitimate site.

So a lot of times they’ve provided information to the threat actor without realizing that they’ve provided that information to the threat actor.

Dave Bittner:

And of course these folks need to have their own infrastructure to run these services. And that’s where things like bulletproof hosting and proxy services come into play.

Roman Sannikov:

Absolutely. And bulletproof hosting, we’ve looked at the count and we have over 300 different services that provide this bulletproof hosting and the importance is, for the threat actors, is that obviously it takes some time to set up the infrastructure to host the malware, to collect the information that they’re obtaining from their victims. And that really the bulletproof hosting is the place where all of that is set up in a way that makes it more stable, more redundant. So whereas typical hosting companies, legitimate hosting companies, if they got complaints from law enforcement or from other services stating that their IPs that were hosted on their servers were involved in illegal activity, take down notices, for example, they would comply.

The whole point behind the bulletproof hosting is that they create, a lot of times either using paperwork or using redundant requests for information, they conduct a way to maintain the illegal activity to keep it going for a much longer time.

Sometimes indefinitely, because a lot of times the entity filing the complaint will eventually give up because of the, I guess you would call it red tape, that these bulletproof hosting services put up in order to actually action any of these takedown requests.

Dave Bittner:

Is this a matter that these hosts are physically located in countries that may turn a blind eye to this sort of thing?

Roman Sannikov:

Absolutely. A lot of times, bulletproof hosting is actually located on servers in various locations. So they can change the traffic from one to another. And a lot of times, again, they are located in countries that don’t have legal reciprocity with the U.S. or with Western European countries.

So basically there’s very little, a lot of times … that law enforcement or other organizations that are involved in taking down illicit activity on hosting services really have very little means of forcing these entities into complying.

A lot of times, even if they are hosted in a country that does follow the law and thus has reciprocity, the actual servers are located in places that make it difficult for law enforcement to access them.

Dave Bittner:

One of the things you highlight in your report is that the actual marketplaces where the threat actors buy and sell these things, I mean there’s an element of automation with those as well.

Roman Sannikov:

Absolutely. Marketplaces have really sprung up in a sense, because again, because of this specialization. When threat actors who were involved in hacking or gathering information, they then obtained the information and they had to figure out how to monetize it. So a lot of times that in itself was a lengthy process and they had to go and find money mules. They had to find ways to do that.

As the quantity of the information that they were collecting increased, for example, we remember some of the big breaches from almost 10 years ago. Things like I think Home Depot and Target. The sheer quantity of that information that was gathered was so vast that it became easier and more cost effective for them to sell it in bulk to stores, these marketplaces, that would then resell it.

Or sometimes on some occasions they would get a share of the eventual profit, so that made it much easier and faster for the threat actors that performed the breach, that collected the information to gather that information. But it also made it easier for individuals who needed that information. For example, to obtain credit cards, you didn’t really even need to have a lot of knowledge about technical skills or anything like that. You could relatively quickly and easily get into some of these shops.

For example, we talk about Joker’s Stash, which is probably one of the preeminent credit card shops right now. And you could buy the credit cards, you could even get a lot of times the personally identifiable information of the user whose credit card you obtain. I believe they sell the PII for as little as $5 on Joker’s Stash.

And with that information, with the credit card information and with the address, email, phone number, you could place orders on legitimate websites using that stolen information. And one of the things that they’ve actually even done with Joker’s Stash is threat actors don’t even have to do that manually anymore.

They can actually set up an automatic, an option that allows them to buy things automatically as big new breaches come in, they can enter how much money they want to spend. So set it and forget it and then come in whenever you’re ready and grab those cards and away you go.

And one of the other things that they’ve also started implementing or not implementing, but making available on stores like Genesis Store for example, are the digital fingerprints of the victim machines. So here, not only because obviously a lot of the retailers and financial institutions try to mitigate these threats by implementing all sorts of anti-fraud measures.

For example, if you typically buy your product from an IP somewhere in the Chicago area or something like that, if you all of a sudden start buying something completely different from an IP in Eastern Europe or something like that, some red flags might come up, might be raised.

Whereas places like shops, like Genesis Store, they actually not only sell you the credentials that you need to login and to make those purchases, but they’re also, with a plugin that they offer on their site, they also give you the digital fingerprint of the victim machine where this information was obtained.

So you are basically masquerading as the victim and to the store it looks like you are the legitimate victim. You’re coming from the same area, maybe the same IP. Your machine looks identical, so you are using the same operating system. There’s cookies in your browser, and again, it really helps them circumvent a lot of the anti-fraud and makes it a lot easier and faster for them to actually monetize these credentials. As opposed to the manual way that they used to have to do it in the past.

Dave Bittner:

Yeah, it strikes me that it’s really a triple threat here through automation. I mean, they can increase the volume of attacks, they can increase the velocity of the attacks. But also the reliability of the underlying services to keep them up and running.

Roman Sannikov:

Absolutely. And again, I think one of the other things that is scary about this is because so many more of these things are automated or are off the shelf, so to speak, commoditized. Again, for individuals for whom technological know-how may have been a barrier in the past, it may not be a barrier anymore.

That’s not to say that anyone can be involved in these things obviously, but the threshold to become involved in cybercrime has really been lowered by the availability of a lot of these tools. Again, in the past you had to develop your malware. You had to find loaders that worked with the malware. You had to find vulnerabilities that you could use to penetrate a system.

Now again, you have loaders that are readily available. You have encryptors that will package the malware and make it so that it’s much less likely to be spotted by an antivirus system. All of these things are readily available.

It’s not something that individuals have to develop and have to spend time on and it’s not something they’d really even have to understand very well. Because a lot of these services do a lot of that for you and provide detailed instructions on how to use those tools and services.

Dave Bittner:

Yeah, the report does a remarkable job of laying out all of the elements here. But what are the take homes in terms of organizations taking this information and then using it to better protect themselves? What sort of lessons would you like them to walk away with?

Roman Sannikov:

So with each one of the sections, we do have mitigation and obviously mitigation differs depending on what tool you’re looking at or what service you’re looking at. But I think what we’re hoping that the readers will take away is a better understanding of what the threat is. For example, again, we’ve heard, I think a lot of people have heard so much about breaches and databases, but really didn’t understand what that threat was.

The same thing with marketplaces, for example. We speak with clients who say, “Well, we see that some of our credentials are being sold on these marketplaces, but what does that mean to us? What should we do? How is that a potential threat, if it is a potential threat?”

And for example, on the marketplace is one of the things that we’ve been telling people is that they really have to focus on any domains that are internal domains that really, obviously everyone wants to keep their customers and their clients safe and secure. But a lot of the real damage actually comes from when their employees’ credentials are being sold on some of these marketplaces or being included in some of these breaches.

Because again, once you have access to … As more and more individuals are working remotely, they may be working from their home computer, they may be working from even someone else’s computer at home. We’ve even seen people logging in remotely from public computers and a lot of times that information is then gathered, intercepted by the threat actors and can be used for escalation of privileges, and to really penetrate the company or the entity and do some serious damage.

So I think the takeaway is really that they have to monitor this activity very closely. They have to scan through the breaches and to see if any employee credentials are available in any of these databases and then mitigate that as quickly as possible.

Same thing with a lot of the marketplaces and the log vendors, again to monitor especially for credentials to corporate networks, VPN, and things like that. And to try to mitigate that as quickly as possible.

Dave Bittner:

Our thanks to Recorded Future’s Roman Sannikov for joining us. The research is titled “Combating the Underground Economy’s Automation Revolution.” You can find it on the Recorded Future website in the blog section.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Monica Todros, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.
