Ransom leak portals far more secure than enterprise web apps
Black Hat One would hope that, after years of telling businesses to secure their systems, enterprises would have better web app security than cybercriminals do. But research presented at Black Hat this week suggests that’s not the case at all.
Vangelis Stykas, CTO and cofounder of penetration testing firm Atropos, told The Register that, in his experience of trying to hack web applications (his speciality), ransomware actors are far better at security than their enterprise targets.
“I’ve tested 135 [ransomware] websites, and I only found vulnerabilities in three of them,” Stykas told us in an interview preceding his Black Hat talk. That amounts to less than 3 percent of ransomware groups having vulnerable web applications, which are typically used by threat actors to dump stolen data and publish ransom notes.
“That’s not typical of businesses, where I usually find vulnerabilities in 40 to 50 percent of web apps,” Stykas added.
And that’s not great, is it?
BlackCat busted
For context, Stykas did manage to work his way into web portals controlled by some pretty high-profile groups, including ALPHV/BlackCat, as demonstrated in his presentation.
After days of continuous scanning of ALPHV’s C2 URLs to see which came online, Stykas told us he was able to get one of the servers to dump its documentation for clients and tasks, which in turn allowed him to dump the server’s tasks and create new ones. That server quickly went offline, but armed with knowledge of the group’s API gleaned from his intrusion, Stykas took action.
“I created a Python script that parsed the endpoint … I had to wait a couple of days [for it to come online], but after that I was able to extract 197 commands in two minutes,” he explained.
Stykas was then able to identify several ALPHV victims – including a couple of unicorns in the cryptocurrency space – whom he was able to contact to help them address vulnerabilities and prevent them being ransomed.
This was in January, Stykas said. By March ALPHV/BlackCat had imploded, pulled an exit scam and mostly vanished.
“I don’t want to take responsibility for that,” Stykas demurred, explaining that the high-profile nature of the group made its life expectancy limited, especially after a failed December bust that put the crew on high alert. Still, “I think [my hack] put some added stress on them.”
Stykas also managed to bust into systems controlled by the ransomware group Everest, which he said was running an outdated WordPress site on an end-of-life VertigoServ instance, allowing him to dump its entire database. He did the same to the group behind the Mallox ransomware family: in that case, Stykas exploited a chat feature on the group’s leak portal to identify several members of the group and steal a decryptor.
Stykas told us he had snuck into a fourth ransomware group’s web portal, but wasn’t ready to disclose details just yet.
“The only bad thing during the past two years that I’ve been doing this is that I’ve started getting alerts from Google that government-backed attackers are working against me,” Stykas explained.
Not the best news to wake up to, but certainly indicative of getting cybercriminals worried.
Now could you PLEASE secure your systems?
It’s no surprise that ransomware gangs are better at securing their external-facing websites. After all, they are staffed by people who either know how to crack such sites themselves or are at least acutely aware that they could be hit by the same attacks they use on others.
So while it’s definitely satisfying to turn cybercriminals’ tactics against them, hacking ransom websites might not be the most reliable way to counter threat actors.
“This could be fruitful if you were doing it as a government, or a company with lots of people,” Stykas told us – otherwise it’s probably just a waste of time. “I did this in my free time, and I assume I spent around 100 hours.”
In other words, please take a lesson from the criminals trying to bust into your websites and other internet-facing systems and lock them down. That, or accept the fact yours may be the next victim we write about as a warning to others. ®