6/3/2015
03:00 PM
'Adversary Intelligence' Finds Criminals Not As Smart As Their Code

The adversary using the stealthy Rombertik malware wasn't nearly as stealthy.

Just because a malware sample is a sophisticated doomsday device doesn't necessarily mean the adversary using that malware is a sophisticated attacker bent on destroying the earth. That "adversary intelligence" -- knowledge about the adversary's capability and intent -- is essential to making decisions about how to properly prioritize and defend against threats, according to research released this week by ThreatConnect.

Last month, researchers at Cisco Talos, Symantec, and BlueCoat Labs were all digging into Rombertik (a.k.a. Carbon Grabber), malware that had, among other things, impressive anti-analysis capabilities -- it would destroy the master boot record if it detected it was being analyzed or debugged (or, as Symantec theorized, possibly if the Rombertik authors detected that their criminal customers were trying to exceed the permissions of their Rombertik licensing agreement).

Sophisticated tech. Very desirable for anyone who wants to keep nosy security teams and forensics investigators at bay. However, when ThreatConnect started to poke around to learn more about the adversary using Rombertik, they discovered that he wasn't nearly as discreet as his malware would indicate.

"It wasn't hard in any way to figure out his intent," says Rich Barger, chief intelligence officer of ThreatConnect.

The goal, says Barger, was "get rich quick." And the culprit was 30-year-old Kayode Ogundokun, a.k.a "KallySky," from Lagos, Nigeria -- a city with a growing wealthy class driven by the get-rich spirit. He was very active on Facebook, Twitter, LinkedIn, Blogger, and on YouTube, where he gave tutorials on using some of these attack tools.

According to ThreatConnect, "In fact, Ogundokun has done very little in the way of operational security (OPSEC). His efforts in covering his tracks have been minimal to non-existent."

In his YouTube tutorials, not only does KallySky recklessly share his email address and phone number, but he even reveals passwords in cleartext and shares his bank account information. According to ThreatConnect, "his tutorials clearly underscore his lackluster technical prowess." Also:

"Ogundokun's skillset appears to be limited to using commodity RATs and Botnets within email borne attacks and is motivated primarily by financial gain rather than espionage or ideological purposes.

The TCIRT assesses that Ogundokun likely purchased a new version of Carbon Grabber from a much more capable and sophisticated tool author, where the author subsequently sold or licensed it to the less capable operator. ... It appears as if this particular sample of Carbon Grabber was simply caught up in a headline grabbing story."

"Rombertik was 'the end of the Internet as we know it,'" says Barger, "and with new knowledge, we could shift that and say, this isn't the threat we thought."

Barger says that this kind of adversary intelligence can help security teams decide whether they really should drop everything and rush to address a new threat that moment, or if they should approach it differently.  "We can start making better decisions," he says, "at a technical level, but also at a strategic level."

There have been some debates within the security community about the importance, or lack thereof, of attribution -- who committed the attack. "That story can sometimes take years to develop," says Barger, but "We're attributing things all the time. It's just different levels of attribution." 

Although knowing the precise threat actor may take a long time, he says there is value to knowing some general information about the adversary's capabilities and intent -- and sketching out those basics and "chasing down the hype" may not take very long.

"It really depends," says Barger. "Some of them are really disciplined in terms of their [operational security]," and the cooperation of ISPs, national authorities, and other organizations can also affect how long it takes to develop the intelligence. 

Barger says that there is demand for this information. When the security team has to report that the organization has been compromised, "The boss always wants to know [by] who."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
Comments
Thomas Claburn, User Rank: Ninja, 6/3/2015 | 5:53:51 PM
Re: The stupidity of evil
Sadly, evil often is not stupid enough to extinguish itself before doing damage.
Joe Stanganelli, User Rank: Ninja, 6/3/2015 | 4:47:51 PM
The stupidity of evil
My GoogleFu is failing me at the moment, but I remember reading years ago a piece by Dave Barry in which he posited that evil was necessarily stupid on some level because if evil people were smart they wouldn't need to resort to evil to achieve their goals.

(Barry went on to posit that the one possible exception to his theory was Richard Nixon.)