Cybersecurity researchers have detailed the various measures ransomware actors have taken to obscure their true identity online as well as the hosting location of their web server infrastructure.
“Most ransomware operators use hosting providers outside their country of origin (such as Sweden, Germany, and Singapore) to host their ransomware operations sites,” Cisco Talos researcher Paul Eubanks said. “They use VPS hop-points as a proxy to hide their true location when they connect to their ransomware web infrastructure for remote administration tasks.”
Also prominent is the use of the TOR network and DNS proxy registration services to provide an added layer of anonymity for their illegal operations.
But by taking advantage of the threat actors’ operational security missteps and other techniques, the cybersecurity firm disclosed last week that it was able to identify TOR hidden services hosted on public IP addresses, some of which are previously unknown infrastructure associated with the DarkAngels, Snatch, Quantum, and Nokoyawa ransomware groups.
While ransomware groups are known to rely on the dark web to conceal their illicit activities ranging from leaking stolen data to negotiating payments with victims, Talos disclosed that it was able to identify “public IP addresses hosting the same threat actor infrastructure as those on the dark web.”
“The methods we used to identify the public internet IPs involved matching threat actors’ [self-signed] TLS certificate serial numbers and page elements with those indexed on the public internet,” Eubanks said.
Besides TLS certificate matching, a second method employed to uncover the adversaries’ clear web infrastructures entailed checking the favicons associated with the darknet websites against the public internet using web crawlers like Shodan.
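The two correlation methods described above, matching a hidden service's self-signed TLS certificate serial number and its favicon against what an internet-wide scanner has indexed for public IPs, can be reproduced offline. The following is an added example written for this page, not Talos's tooling: it implements the MurmurHash3 x86_32 favicon hash that Shodan's `http.favicon.hash` field uses (the hash of the base64 text of the icon, as produced by `base64.encodebytes`), reads the serialNumber INTEGER out of a DER certificate with a minimal ASN.1 walker, and then joins the hidden-service fingerprints against a clear-web index. The `.onion` name, the icon bytes, the serial, the RFC 5737 addresses and the stub "certificate" (a Certificate/tbsCertificate shell that carries only a version and serial) are all constructed for the example.

```python
import base64


def mmh3_x86_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, returned as a signed 32-bit int (same convention as mmh3.hash)."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF
    rotl = lambda x, r: ((x << r) | (x >> (32 - r))) & mask
    h = seed & mask
    nblocks = len(data) // 4
    for i in range(nblocks):                      # 4-byte body blocks, little-endian
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = rotl((k * c1) & mask, 15)
        k = (k * c2) & mask
        h = rotl(h ^ k, 13)
        h = (h * 5 + 0xE6546B64) & mask
    tail, k = data[4 * nblocks:], 0
    for i in range(len(tail)):                    # up to 3 trailing bytes
        k ^= tail[i] << (8 * i)
    if tail:
        k = rotl((k * c1) & mask, 15)
        h ^= (k * c2) & mask
    h ^= len(data)                                # finalisation mix (fmix32)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & mask
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & mask
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h


def favicon_hash(favicon: bytes) -> int:
    """Shodan-style favicon hash: MurmurHash3 of the line-wrapped base64 text of the icon."""
    return mmh3_x86_32(base64.encodebytes(favicon))


def der_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def cert_serial_hex(der_cert: bytes) -> str:
    """serialNumber of a DER X.509 certificate as lowercase hex.
    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL, serialNumber INTEGER, ... }, ... }"""
    _, cert, _ = der_tlv(der_cert, 0)             # outer Certificate SEQUENCE
    _, tbs, _ = der_tlv(cert, 0)                  # tbsCertificate SEQUENCE
    tag, val, pos = der_tlv(tbs, 0)
    if tag == 0xA0:                               # explicit [0] version is present, skip it
        tag, val, pos = der_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return val.hex()


def der_encode(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed stub below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def stub_cert(serial: bytes) -> bytes:
    """CONSTRUCTED stand-in for a certificate: v3 version marker plus serialNumber only."""
    tbs = der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, serial)
    return der_encode(0x30, der_encode(0x30, tbs))


def correlate(hidden_services: dict, clearnet_index: dict) -> list:
    """(onion, public_ip, evidence) for every public IP sharing a favicon hash or cert serial."""
    hits = []
    for onion, fp in hidden_services.items():
        for ip, entry in clearnet_index.items():
            if fp["favicon"] == entry["favicon"]:
                hits.append((onion, ip, "favicon hash %d" % fp["favicon"]))
            if fp["serial"] == entry["serial"]:
                hits.append((onion, ip, "cert serial " + fp["serial"]))
    return hits


# Constructed sample data: icon bytes, serial, .onion name and RFC 5737 addresses are made up.
ONION_ICON = b"\x00\x00\x01\x00" + b"constructed-leak-site-icon"
ONION_SERIAL = bytes.fromhex("1f3a9c44d0e1")
HIDDEN_SERVICES = {  # fingerprints recorded from the hidden service
    "example-leaksite.onion": {"favicon": favicon_hash(ONION_ICON),
                               "serial": cert_serial_hex(stub_cert(ONION_SERIAL))},
}
CLEARNET_INDEX = {   # what a scanner's index holds for two public IPs
    "198.51.100.10": {"favicon": favicon_hash(ONION_ICON),
                      "serial": cert_serial_hex(stub_cert(ONION_SERIAL))},
    "198.51.100.20": {"favicon": favicon_hash(b"\x00\x00\x01\x00other-icon"), "serial": "0badc0de"},
}

if __name__ == "__main__":
    for onion, ip, evidence in correlate(HIDDEN_SERVICES, CLEARNET_INDEX):
        print(f"{onion} also served from {ip} ({evidence})")
```

The favicon hash is deliberately computed over the wrapped base64 text rather than the raw bytes, because that is the value scanners index; hashing the raw icon would never match. Two independent signals (icon and certificate serial) agreeing on the same public IP is what makes a clear-web match worth reporting rather than a coincidence.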
In the case of Nokoyawa, a new Windows ransomware strain that appeared earlier this year and shares substantial code similarities with Karma, the site hosted on the TOR hidden service was found to harbor a directory traversal flaw that enabled the researchers to access the “/var/log/auth.log” file used to capture user logins.
The findings demonstrate that not only are the criminal actors’ leak sites accessible to any user on the internet, but other infrastructure components, including identifying server data, were left exposed, effectively making it possible to obtain the login locations used to administer the ransomware servers.
Further analysis of the successful root user logins showed that they originated from two IP addresses, 5.230.29[.]12 and 176.119.0[.]195, the former of which belongs to GHOSTnet GmbH, a hosting provider that offers Virtual Private Server (VPS) services.
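The analysis step just described, pulling successful root logins out of an exposed auth.log and grouping them by source address, is the same review a server owner should be running on their own authentication logs. The following is an added example, not code from the article or from Talos: it parses OpenSSH "Accepted" records, counts root logins per source IP, and flags sources that are not on the list of hosts administrators are expected to connect from. The log lines are constructed; the two root-login sources are the addresses the article names, while the hostname, timestamps, ports and key fingerprint are made up.

```python
import re
from collections import Counter
from typing import Optional

# OpenSSH success record: "Accepted <method> for <user> from <ip> port <port> ssh2 ..."
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)

# Constructed sample in auth.log format (see lead-in); SHA256:PLACEHOLDER is not a real key.
SAMPLE_AUTH_LOG = """\
Jun  1 02:14:07 web1 sshd[2314]: Accepted publickey for root from 5.230.29.12 port 51022 ssh2: ED25519 SHA256:PLACEHOLDER
Jun  1 02:14:07 web1 sshd[2314]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun  1 03:41:55 web1 sshd[2450]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Jun  2 22:05:13 web1 sshd[3102]: Accepted password for root from 176.119.0.195 port 60112 ssh2
Jun  3 01:09:30 web1 sshd[3377]: Accepted publickey for root from 5.230.29.12 port 51890 ssh2: ED25519 SHA256:PLACEHOLDER
"""


def successful_logins(log_text: str, user: Optional[str] = None) -> list:
    """Return one dict per successful login (timestamp, method, user, ip, port), optionally for one user."""
    found = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m and (user is None or m["user"] == user):
            found.append({"timestamp": line[:15], **m.groupdict()})   # syslog timestamp is the first 15 chars
    return found


def logins_by_source(log_text: str, user: str = "root") -> Counter:
    """Count successful logins per source IP for one account (root by default)."""
    return Counter(rec["ip"] for rec in successful_logins(log_text, user))


def unexpected_sources(counts: Counter, allowed_sources: set) -> list:
    """Source IPs of successful logins that are not expected administrative hop-points."""
    return sorted(ip for ip in counts if ip not in allowed_sources)


if __name__ == "__main__":
    counts = logins_by_source(SAMPLE_AUTH_LOG)
    for ip, n in counts.most_common():
        print(f"root logins from {ip}: {n}")
    # Suppose only the VPS hop-point is an expected source; the other address stands out.
    print("unexpected:", unexpected_sources(counts, {"5.230.29.12"}))
```

Failed attempts and PAM session lines are ignored on purpose; the question here is who actually got in, and from where. On a real host, the list of expected sources is the set of jump hosts or VPN egress addresses administrators use, and any successful root login from outside it deserves an immediate look.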
“176.119.0[.]195 however belongs to AS58271 which is listed under the name Tyatkova Oksana Valerievna,” Eubanks noted. “It’s possible the operator forgot to use the German-based VPS for obfuscation and logged into a session with this web server directly from their true location at 176.119.0[.]195.”

Read more: https://bit.ly/3yI8N1b