SENTRYMBA: A PEEK INTO THE UNDERGROUND ECONOMY

Mayank Dhiman, Principal Security Researcher
Will Glazier, Threat Intelligence Analyst
TABLE OF CONTENTS

Executive Summary
Sentry MBA Ecosystem
  Glossary
  How it works
Experiment
  Dataset
Results
  Target industries
  Geolocation
  Target sites
  Target Alexa Rankings
  Economics
  Who are the attackers?
Conclusion
EXECUTIVE SUMMARY

Credential Exploitation attacks are a class of ATO (account-takeover) attacks where attackers test credentials from leaked credential dumps, at scale, against different targets (usually in parallel). These attacks do not exploit an application's vulnerabilities -- they exploit an application's authentication functionality.

Obvious questions which arise are: who is being targeted? How big is the problem? How do attackers monetize?

This report answers these questions by shedding light on the credential exploitation problem through delving into its underground ecosystem. We analyzed one and a half years' worth of data and communications involving 5 underground cracking forums which specialize in SentryMBA, the cybercriminal's attack tool of choice for credential exploitation. This comprehensive data gives us unique insight into the mind of the criminal, giving us the expertise required to understand and combat the credential exploitation problem.

KEY FINDINGS

• A minimum of 11,729 credential exploitation attacks were launched over the last 1.5 years against 1,853 targets.
• 98 of the Alexa Top 1000 websites were targeted. The majority of attacks were launched against websites in the Alexa 1k-10k range.
• The top three target industries were Gaming (15%), Entertainment (9%), and eCommerce (8%).
• 78% of targeted websites were based in the US, followed by France, UK, India, Germany and Japan.
• 17,079 attackers are involved in this criminal ecosystem, with an average of 30 joining every day.
• 30% of all config files were posted by the top 10 attackers.
SENTRY MBA ECOSYSTEM

GLOSSARY

SentryMBA; or Sentry; or MBA
These are variants in the name for the same tool.

Combos; or Combolist; or Wordlist
Each config needs a list of credential combinations (usually username and password, or email and password) required to launch credential exploitation attacks.

Config
A "configuration" file is written against each target with instructions for SentryMBA on how to log in and how to differentiate between failed and successful logins for that particular target. Writing config files is one of the chief ways to monetize in this criminal ecosystem.

Capture
A SentryMBA config may contain an optional capture setting, which has instructions for "capturing" certain account information like account balance upon a successful login. This enables attackers to understand the value of a compromised account without logging back in again.

Proxyless; or Pless
A config file is proxyless if no proxies are included with it.

Leecher
Leeching a config means copying a config from one site and posting it on another. A Leecher is the person involved in this activity.
HOW IT WORKS

1. Attacker procures a config file & stolen credentials (a combo list) from the underground markets, and loads them into SentryMBA.
2. Attacker configures SentryMBA and launches the attack campaign.
3. Attack traffic is distributed through proxies, cloud providers, and/or rented botnets to evade detection.
4. Distributed attack traffic tests all the stolen credentials, returning those that work. The value in these accounts can then be compromised manually or "captured" in order to be resold.

[Diagram: combo list (stolen credentials) + config file loaded into SentryMBA; attack traffic routed through proxies to the attack target's login form (email, password)]

SentryMBA is extremely easy to learn and use, drastically lowering the barriers of entry for attackers like script kiddies.
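Seen from the defender's side, step 4 leaves a recognisable footprint in authentication logs: many distinct accounts each tried about once, nearly all failing, with the attempts spread across proxy IPs so that no single source looks noisy. The detector below is an added example, not code from the report or from Stealth Security; the log line layout, the sample events and the thresholds are assumptions, and the "compromised" field lists the accounts whose replayed password actually worked (the ones to force a reset on).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample login events (not from the report): three proxy IPs each
# try a few different accounts once, so no single IP looks noisy on its own.
SAMPLE_LOG = """\
2017-05-01T10:00:00 203.0.113.10 u01@example.com FAIL
2017-05-01T10:00:01 203.0.113.11 u02@example.com FAIL
2017-05-01T10:00:01 203.0.113.12 u03@example.com FAIL
2017-05-01T10:00:02 203.0.113.10 u04@example.com FAIL
2017-05-01T10:00:02 203.0.113.11 u05@example.com OK
2017-05-01T10:00:03 203.0.113.12 u06@example.com FAIL
2017-05-01T10:00:03 203.0.113.10 u07@example.com FAIL
2017-05-01T10:00:04 203.0.113.11 u08@example.com FAIL
2017-05-01T10:30:00 192.0.2.5 carol@example.com FAIL
2017-05-01T10:30:20 192.0.2.5 carol@example.com OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")  # assumed log layout

def parse_log(text):
    """Return sorted (timestamp, src_ip, account, success) tuples; skip bad lines."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts, ip, user, res = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, res == "OK"))
    return sorted(events)

def detect_credential_stuffing(events, window_s=300, min_accounts=8,
                               max_success_rate=0.2, max_tries_per_acct=1.5):
    """Flag fixed windows where many distinct accounts are each tried about once
    and nearly all fail; counted site-wide so traffic spread over proxies still trips it."""
    origin = events[0][0] if events else None
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        buckets[int((ts - origin).total_seconds()) // window_s].append((ip, user, ok))
    alerts = []
    for key in sorted(buckets):
        chunk = buckets[key]
        accounts = {user for _, user, _ in chunk}
        success_rate = sum(ok for _, _, ok in chunk) / len(chunk)
        if (len(accounts) >= min_accounts and success_rate <= max_success_rate
                and len(chunk) / len(accounts) <= max_tries_per_acct):
            alerts.append({
                "window_start": origin + timedelta(seconds=key * window_s),
                "accounts": len(accounts), "success_rate": round(success_rate, 2),
                "sources": sorted({ip for ip, _, _ in chunk}),
                "compromised": sorted(user for _, user, ok in chunk if ok),
            })
    return alerts
```

Per-IP rate limits would miss the sample above because each proxy only makes three attempts; the site-wide account-spread check is what catches it.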
EXPERIMENT

DATASET

We analyzed popular underground cracking forums which focus on credential exploitation attacks and specialize in trading config files for SentryMBA.

• Analyzed 3,579 config files from 5 forums (1,853 from sentry.mba)
• Config files posted over a 1.5 year period (until May 2017)
• 17,079 attacker profiles
• 326 API configs posted across the 5 forums, representing nearly 10% of configs

Our dataset consists of a cross-section of the most popular SentryMBA specific cracking forums, allowing us visibility into a significant portion of the attacker ecosystem.

sentry.mba (1,853 configs)
This site is dedicated exclusively to trading config files for Sentry MBA. The site is quite active, and has been around since mid-2015.

crackingking.com (903 configs)
This is a very popular cracking forum that has substantial activity for SentryMBA configs. Most configs on this forum are available for free upon registration.

crackingforum.com (316 configs), crackingleaks.com (376 configs), cracking.zone (131 configs)
These 3 forums have active SentryMBA communities, among other cracking activities like selling compromised accounts or other custom tools. These forums were primarily used for data validation purposes.
RESULTS

TARGET INDUSTRIES

All major industries are actively under attack. Some face a disproportionate volume of attacks, such as Gaming, Entertainment & E-Commerce. Finance and Retail configs are the most expensive, and rare. This is symptomatic of SentryMBA being a script kiddie tool.

[Infographic: number of configs and average config cost per target industry, covering Gaming, Entertainment, Adult, Social Networks, VPN, Hosting, Retail, Cracking, Food, Education, Sports, E-Commerce, Software, Advertising, Bitcoin, Finance and Healthcare]

The above industries are often targeted by Sentry MBA attackers. Included is the number and average cost of configs posted per industry.
GEOLOCATION OF TARGETS

Targets are distributed across 42 different countries, with US organizations hit the hardest (78%).

#1 USA 1,007
#2 France 82
#3 UK 66
#4 India 60
#5 Germany 40
#6 Japan 36
#7 China 20
#8 Iran 13
#9 Sweden 10
#9 Estonia 10
POPULAR TARGET SITES

Popular Streaming, Gaming and Social Networking websites are also attackers' favorite targets. This may indicate most attackers are script kiddies.

[Infographic: logos of the most popular target sites, each with the download count of its config (between 80 and 884 downloads) and, where applicable, the number of times the config was reposted (up to 41 times); one of the listed configs is a "Universal Email Access Checker"]
TARGET ALEXA RANKINGS

AT A GLANCE...

• 1,853: total number of unique target sites on Sentry.MBA
• 11,729: total number of downloads of SentryMBA config files
• 184: the number of API configs available for download
• 20% of the ALEXA Top 100 are being actively targeted by configs.
• 10% of the ALEXA Top 1000 have a SentryMBA config available in the underground market.

[Chart: Attack Target Distribution by Alexa ranking, plotting the number of unique targeted sites and the total number of config downloads per ranking band]

Popular websites are also more popular among attackers. However, in terms of sheer numbers, these attacks are mostly targeted against mid-market targets.
ECONOMICS

On sentry.mba config files are traded via the site-specific virtual currency called gold coins. One gold coin is equivalent to $0.01 and can be traded via bitcoins. On other forums, there is often a section for free configs and a more selective premium config section, which can only be joined once the user's reputation is high enough.

[Figure: the top 5 most expensive config files, priced $35.00 - $50.00]

There were at least a total of 11,729 unique attacks launched over the past 1.5 years.

The average cost of a config is $1.73. Hence it is very easy for script kiddies to get started with these attacks.

The total amount which exchanged hands was $9,127.76. Hence the lucrative activity for attackers is not creating the configs, but taking over accounts.

Multiple factors contribute to the cost of a config, including: the "scarcity" of the config in underground forums, the value of an individual compromised account, the ease of selling these compromised accounts, the organization's security defenses in place, the time required to write the config file, and so forth.

Config files are inexpensive, indicating that the barriers of entry are very low. In this ecosystem, the money lies not in config files, but elsewhere (likely selling compromised accounts).
WHO ARE THE ATTACKERS?

There are about 17,079 registered users on the Sentry.MBA platform. Of those users, only 390 have ever posted a config file, demonstrating that a small subset of users are the most active. The top 10 authors posted over 550 configs, representing over 30% of all config files ever posted. The top author, a user by the name "Terbz", posted 116 config files.

USER HIERARCHY

• 1 Administrator
• 4 Moderators: moderate content & ban users.
• 6 Verifiers: verify config files & vendors.
• 68 Vendors: can post content. (You just need to ping any of the Admins/Moderators to become a vendor and pay $20. This came into the picture only after Feb 24, 2017; before that anyone could post content.)
• 16,920 Normal Users

[Chart: number of new registered users over time, 10/3/15 to 5/25/17, y-axis 0 to 120]

The credential exploitation problem continues to worsen, as waves of attackers continue to join the forums. However, only a small proportion of them are responsible for most of the damage.
CONCLUSIONS

With more than 11,000 attacks launched against 1,853 targets, credential exploitation is a big problem. A vast variety of websites and organizations are under attack. If an organization has user accounts with any value associated with them, then it is a potential target.

The average cost of a config file is very low, and attackers made relatively small sums of money (less than $10,000) by trading configs. However, swarms of new attackers keep joining these forums. This indicates that the attackers are still profiting by launching credential exploitation attacks and selling compromised accounts. It is hard to estimate the value of the real damage caused by these attacks.

The underground ecosystem is thriving, with more than 17,000 attackers on a single forum and new attackers joining every day. We analyzed only 5 forums and plenty more exist. With the rising number of leaked credential dumps, this problem is only going to worsen.

This is not a web-only problem. API endpoints are an emerging target: 326 config files target APIs, representing approximately 10% of config files.

Stealth Security, Inc.® © 2017