Insight into the World of Cyber Attack

By Eva Prokofiev

Any mid-sized to large-sized organization with security ops continuously uncovers a wide range of cyber threats. Some of the things that are discovered are relatively innocuous, while others are downright devastating.

It is not uncommon, for example, for our researchers here at CyberProof to come across major databases with leaked information hosted on random servers. In fact, we’ve seen many incidents like these – most of them don’t make it into the media.  

Let’s have a look at a few of the expert methods that researchers use to uncover this and other types of information. 

Researchers find 43 million exposed addresses 

Earlier this year, a researcher from Vertek Corporation uncovered 43 million email addresses leaked by the command & control server of the Trik spam botnet. In this case, the researchers used automated data gathering techniques and found that the group behind this operation had misconfigured its server, leaving its content accessible to anyone who accessed the IP directly.

A different method of finding similar information is analyzing dedicated malware drop zones. A dropzone is a publicly writable directory on a server on the Internet that serves as an exchange point for keylogger data: the malware running on a compromised machine sends all stolen credentials to the dropzone, where the attacker can pick them up and abuse them.

Alternative approaches to information gathering  

At CyberProof, we utilize several approaches to uncovering hidden information. Researchers and threat intelligence analysts monitor the Internet and Darknet for sources of information. For example, CyberProof’s team uses crawlers that automatically search the Internet for specific keywords. These crawlers draw on a variety of sources, e.g., social media, Telegram hacker groups, QQ, and Darknet sources like IRCs, marketplaces, forums, and file sharing platforms.

We also leverage CyberProof’s AI-augmented automation capabilities to find out in real time whenever someone is talking about any of our clients. This allows us to identify leaked information as it happens. For example, if a hacker on any forum, blog, or other platform speaks about a client and there’s any association with data dumps, exploits, or leaked information (in any language), CyberProof identifies it as soon as the attacker posts it. The automation is based on techniques using the Google search engine or others such as Yandex, Baidu, etc., which ensure that we’re not limited to a specific set of sources and also allow us to cover the different platforms.
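The core of the keyword monitoring described above is a co-occurrence check: a watched client name appearing in the same post as leak-related language. The following Python is an added illustration of that logic and is not CyberProof's code; the client name, the spelling variants, the English and Russian indicator lists and the sample posts are all constructed for the example, and a real deployment would feed it crawler output instead of the inline list.

```python
import re
import unicodedata
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample posts standing in for crawler output (not real data).
SAMPLE_POSTS = [
    {"source": "forum-a", "text": "Selling fresh dump from ExampleCorp customer portal, 2M rows"},
    {"source": "telegram-b", "text": "Anyone have exploit for Example Corp VPN? paying"},
    {"source": "news-c", "text": "ExampleCorp announces a new office in Berlin"},
    {"source": "forum-d", "text": "Утечка данных examplecorp, база в продаже"},
    {"source": "paste-e", "text": "leaked database from some other company"},
]

# Assumed watch-list: client name -> spelling variants to look for.
CLIENT_TERMS = {"ExampleCorp": ["examplecorp", "example corp", "example-corp"]}

# Assumed leak indicators (English and Russian), grouped by how strongly
# they suggest compromised data rather than mere discussion of the client.
LEAK_TERMS = {
    "high": ["dump", "database", "leaked", "leak", "credentials", "база", "утечка"],
    "medium": ["exploit", "vuln", "0day", "access"],
}


def normalize(text: str) -> str:
    """Case-fold and strip combining marks so spelling variants still match."""
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return stripped.casefold()


def _has_term(term: str, norm_text: str) -> bool:
    # Whole-word match; \w is Unicode-aware in Python, so Cyrillic terms work too.
    pattern = r"(?<!\w)" + re.escape(normalize(term)) + r"(?!\w)"
    return re.search(pattern, norm_text) is not None


@dataclass
class Alert:
    source: str
    client: str
    severity: str
    indicators: List[str] = field(default_factory=list)


def scan_post(post: dict) -> Optional[Alert]:
    """Return an Alert when a watched client is mentioned alongside leak language."""
    norm = normalize(post["text"])
    for client, variants in CLIENT_TERMS.items():
        if not any(v in norm for v in variants):
            continue  # this client is not mentioned at all
        high = [t for t in LEAK_TERMS["high"] if _has_term(t, norm)]
        if high:
            return Alert(post["source"], client, "high", high)
        medium = [t for t in LEAK_TERMS["medium"] if _has_term(t, norm)]
        if medium:
            return Alert(post["source"], client, "medium", medium)
        # A mention without leak context (press coverage etc.) is not an alert.
    return None


def scan_posts(posts) -> List[Alert]:
    return [a for a in (scan_post(p) for p in posts) if a is not None]


if __name__ == "__main__":
    for alert in scan_posts(SAMPLE_POSTS):
        print(f"[{alert.severity}] {alert.client} on {alert.source}: {alert.indicators}")
```

Normalizing both the post text and the indicator terms with the same function is what lets one list cover spelling variants and mixed scripts; the severity split keeps press mentions of a client from paging an analyst while a "dump" or "база" next to the name does.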

Think like a hacker 

CyberProof makes use of in-house crawler tools to investigate whether clients have exposed information on their servers. Our researchers conduct advanced reconnaissance activities and investigate aspects of a client’s digital footprint externally – both from the classic threat intelligence perspective, and from a hacker’s perspective on the client. 

We’ve also developed a number of unique techniques that provide us with enhanced intelligence insights. For example, one of our crawlers searches for information within old communication protocols, which hackers sometimes use for storing and sharing information.

We comprehensively map out and identify what assets the client has – domain names, external IP addresses, subdomains, and the technologies they use and more – and then perform reconnaissance activities, just as a hacker (potentially) would.  

These activities help us figure out the client’s vulnerable web facing assets, which commonly include: 

  • Misconfigurations within the servers of the client that potentially expose information 
  • Open directories of critical servers (like the file server) that use default credentials – giving hackers access to files 
  • Technologies with publicly available vulnerabilities that hackers could exploit, and more
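The second bullet, an open directory on a web-facing server, is one of the simplest exposures to test for on your own assets: an auto-generated listing page announces itself in its title. The Python below is an added example, not a CyberProof tool; it takes already-fetched responses (the three samples are constructed, and no network access is involved), recognises the "Index of" listing pages that Apache's mod_autoindex and nginx's autoindex generate, and grades the finding by whether the listed names match an assumed set of sensitive-file patterns.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional

# Assumed patterns for files that should never appear in a web-exposed listing.
SENSITIVE_PATTERNS = [r"\.sql$", r"\.bak$", r"\.env$", r"\.pem$", r"\.key$", r"backup", r"dump"]


class _ListingParser(HTMLParser):
    """Collects the <title> text and every href on the page."""

    def __init__(self) -> None:
        super().__init__()
        self.title = ""
        self.hrefs: List[str] = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def analyze_response(url: str, status: int, headers: Dict[str, str], body: str) -> Optional[dict]:
    """Return a finding dict if the response is an auto-generated directory listing."""
    if status != 200:
        return None
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if "text/html" not in ctype.lower():
        return None
    parser = _ListingParser()
    parser.feed(body)
    title = parser.title.strip().casefold()
    # Apache mod_autoindex and nginx autoindex both title the page "Index of <path>".
    if not title.startswith("index of"):
        return None
    # Drop column-sort links ("?C=N;O=D"), the parent-directory link and absolute links.
    entries = [h for h in parser.hrefs if not h.startswith(("?", "/", "../"))]
    sensitive = [e for e in entries if any(re.search(p, e, re.IGNORECASE) for p in SENSITIVE_PATTERNS)]
    return {
        "url": url,
        "finding": "open directory listing",
        "entries": entries,
        "sensitive": sensitive,
        "severity": "high" if sensitive else "medium",
    }


# Constructed responses in the shape a fetcher would hand over (url, status, headers, body).
SAMPLE_RESPONSES = [
    ("https://files.example.test/exports/", 200, {"Content-Type": "text/html"},
     '<html><head><title>Index of /exports</title></head><body><h1>Index of /exports</h1>'
     '<a href="?C=N;O=D">Name</a> <a href="/">Parent Directory</a> '
     '<a href="customers.sql">customers.sql</a> <a href="site-backup.tar.gz">site-backup.tar.gz</a> '
     '<a href="readme.txt">readme.txt</a></body></html>'),
    ("https://www.example.test/", 200, {"Content-Type": "text/html"},
     '<html><head><title>Welcome</title></head><body><a href="/about">About</a></body></html>'),
    ("https://files.example.test/private/", 403, {"Content-Type": "text/html"},
     "<html><head><title>403 Forbidden</title></head></html>"),
]


def run_checks(responses=SAMPLE_RESPONSES) -> List[dict]:
    return [f for f in (analyze_response(*r) for r in responses) if f is not None]


if __name__ == "__main__":
    for finding in run_checks():
        print(f"[{finding['severity']}] {finding['url']}: {finding['finding']}, "
              f"{len(finding['entries'])} entries, sensitive={finding['sensitive']}")
```

Only the listing with a `.sql` dump and a backup archive comes back as a high-severity finding; the ordinary page and the 403 produce nothing. The title check is deliberately narrow (IIS and custom listing pages use other titles), so treat a miss as "not detected" rather than "not exposed", and run the check only against assets you own or are authorised to assess.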

Threat Intelligence that board members will understand 

CyberProof’s goal is to provide each client with a complete and customized perspective on intelligence: to let the CEO and CISO/CIO see the full picture and address any concerns by approaching threat intelligence from two different points of view:

  • A classic approach to intelligence
    • Who is talking about me?
    • Who is targeting me?
    • Is anyone selling my information?
  • A more targeted approach
    • How do my digital footprint and assets look in the eyes of malicious players?
    • What information would hackers be able to find if they targeted me, or my key executives and employees?
    • How exposed and vulnerable am I?

Most intelligence companies focus only on the classic approach to intelligence. It is the addition of the more targeted, proactive methodology that reflects CyberProof’s unique approach to CTI.

This is the first in a series of posts touching on the different methods used by cybersecurity professionals when conducting technical research. 

Written by Eva Prokofiev
Sr. Intelligence analyst responsible for all the cyber Intelligence operations, reconnaissance and black box web app-testing, research of global and targeted threats, collection of data sources, analysis & production of on-demand exposure reports. Previously, worked as Security Researcher at White-Hat, where she actively did reconnaissance, black-box / white-box penetration testing for web applications, and also served as a SOC analyst and malware analyst for the health-care sector and.
