Mayank Dhiman, Principal Security Researcher Will Glazier, Threat Intelligence Analyst SentryMBA A PEEK INTO THE UNDERGROUND ECONOMY

Upload: nguyennhu

Post on 24-Mar-2018


Page 1: SentryMBA - s3-us-west-2. · PDF fileCombos; or Combolist; or Wordlist Each config needs a list of credential combinations (usually, user - name password; or email password) required

Mayank Dhiman, Principal Security Researcher
Will Glazier, Threat Intelligence Analyst

SentryMBA: A PEEK INTO THE UNDERGROUND ECONOMY


[ table of contents ]

TABLE OF CONTENTS

Executive Summary 1

Sentry MBA Ecosystem
  Glossary 2
  How it works 3

Experiment
  Dataset 4

Results
  Target industries 5
  Geolocation 6
  Target sites 7
  Target Alexa Rankings 8
  Economics 9
  Who are the attackers? 10

Conclusion 11


[ executive summary ]

1

EXECUTIVE SUMMARY

Credential Exploitation attacks are a class of ATO (account-takeover) attacks where attackers test credentials from leaked credential dumps, at scale, against different targets (usually in parallel). These attacks do not exploit an application’s vulnerabilities -- they exploit an application’s authentication functionality.

Obvious questions which arise are: who is being targeted? How big is the problem? How do attackers monetize?

This report answers these questions by shedding light on the credential exploitation problem through delving into its underground ecosystem.

We analyzed one and a half years’ worth of data and communications involving 5 underground cracking forums which specialize in SentryMBA, the cybercriminal’s attack tool of choice for credential exploitation.

This comprehensive data gives us unique insight into the mind of the criminal, giving us the expertise required to understand and combat the credential exploitation problem.

KEY FINDINGS

• A minimum of 11,729 credential exploitation attacks were launched over the last 1.5 years against 1,853 targets.

• 98 of the Alexa Top 1000 websites were targeted. The majority of attacks were launched against websites in the Alexa 1k-10k range.

• The top three target industries were Gaming (15%), Entertainment (9%), and eCommerce (8%).

• 78% of targeted websites were based in the US, followed by France, UK, India, Germany and Japan.

• 17,079 attackers are involved in this criminal ecosystem with an average of 30 joining every day.

• 30% of all config files were posted by the top 10 attackers.


[ glossary ][ Sentry MBA Ecosystem ]

GLOSSARY

2

SentryMBA; or Sentry; or MBA: These are variants in the name for the same tool.

Config: A “configuration” file is written against each target with instructions for SentryMBA on how to login and how to differentiate between failed and successful logins for that particular target. Writing config files is one of the chief ways to monetize in this criminal ecosystem.

Proxyless; or Pless: A config file is proxyless if no proxies are included with it.

Combos; or Combolist; or Wordlist: Each config needs a list of credential combinations (usually, username password; or email password) required to launch credential exploitation attacks.

Leecher: Leeching a config means copying a config from one site and posting it on another. A Leecher is the person involved in this activity.

Capture: A SentryMBA config may contain an optional capture setting, which has instructions for “capturing” certain account information like account balance upon a successful login. This enables attackers to understand the value of a compromised account without logging back in again.


[ how it works ][ Sentry MBA Ecosystem ]

3

HOW IT WORKS

[ Diagram: Combo List (stolen credentials) + Config File (attack target) are loaded into SentryMBA; attack traffic is routed through a PROXY to the target’s LOGIN form (email, password) ]

1. Attacker procures a config file & stolen credentials from the underground markets, and loads them into SentryMBA.

2. Attacker configures SentryMBA and launches the attack campaign.

3. Attack traffic is distributed through proxies, cloud providers, and/or rented botnets to evade detection.

4. Distributed attack traffic tests all the stolen credentials, returning those that work. The value in these accounts can then be compromised manually or “captured” in order to be resold.

SentryMBA is extremely easy to learn and use, drastically lowering the barriers of entry for attackers like script kiddies.
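Seen from the defender’s side, the four steps above leave two different footprints in an authentication log: a single client walking a combo list (steps 1 and 2), and proxy-distributed traffic where every source stays quiet on its own (step 3). The following Python script, added here as an illustration and not part of the report or of any Stealth Security tooling, runs both checks over a constructed log. The log format, the IP addresses (RFC 5737 documentation ranges), the usernames and the thresholds are all assumptions.

```python
"""Credential-stuffing triage over an auth log: constructed example, not report code."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed log format (adapt the regex to your own authentication logs):
#   <ISO-8601 UTC time> src=<client IP> user=<login name> result=OK|FAIL
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)$"
)

# Constructed sample: two real users, one loud client walking a combo list,
# and six low-volume proxies each trying a single stolen credential.
LOG = """\
2017-05-01T10:00:01Z src=198.51.100.7 user=alice result=FAIL
2017-05-01T10:00:09Z src=198.51.100.7 user=alice result=OK
2017-05-01T10:00:15Z src=198.51.100.8 user=bob result=OK
2017-05-01T10:01:00Z src=203.0.113.5 user=carol result=FAIL
2017-05-01T10:01:01Z src=203.0.113.5 user=dave result=FAIL
2017-05-01T10:01:02Z src=203.0.113.5 user=erin result=FAIL
2017-05-01T10:01:03Z src=203.0.113.5 user=frank result=OK
2017-05-01T10:01:04Z src=203.0.113.5 user=grace result=FAIL
2017-05-01T10:01:05Z src=203.0.113.5 user=heidi result=FAIL
2017-05-01T10:01:06Z src=203.0.113.5 user=ivan result=FAIL
2017-05-01T10:01:07Z src=203.0.113.5 user=judy result=FAIL
2017-05-01T10:02:00Z src=203.0.113.10 user=ken result=FAIL
2017-05-01T10:02:30Z src=203.0.113.11 user=leo result=FAIL
2017-05-01T10:03:00Z src=203.0.113.12 user=mia result=FAIL
2017-05-01T10:03:30Z src=203.0.113.13 user=nina result=FAIL
2017-05-01T10:04:00Z src=203.0.113.14 user=omar result=FAIL
2017-05-01T10:04:30Z src=203.0.113.15 user=pat result=OK
this line is not an auth record and is skipped
"""

@dataclass(frozen=True)
class Attempt:
    ts: datetime
    src: str
    user: str
    ok: bool

def parse_line(line):
    """Return an Attempt, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Attempt(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                   m["src"], m["user"], m["res"] == "OK")

def recent(attempts, minutes):
    """Keep only attempts inside the last `minutes` before the newest record."""
    if not attempts:
        return []
    cutoff = max(a.ts for a in attempts) - timedelta(minutes=minutes)
    return [a for a in attempts if a.ts >= cutoff]

def noisy_sources(attempts, min_users=5, min_fail_ratio=0.75):
    """Step 2 seen from the server: one client spraying many distinct
    accounts, almost all failing. Returns {src: counters} for offenders."""
    users, total, fails = defaultdict(set), defaultdict(int), defaultdict(int)
    for a in attempts:
        users[a.src].add(a.user)
        total[a.src] += 1
        fails[a.src] += not a.ok
    return {src: {"users": len(users[src]), "attempts": total[src], "fails": fails[src]}
            for src in total
            if len(users[src]) >= min_users and fails[src] / total[src] >= min_fail_ratio}

def distributed_signal(attempts, min_accounts=5, min_sources=3):
    """Step 3 seen from the server: proxies keep every source quiet, but in
    aggregate many accounts receive exactly one attempt that fails. Legitimate
    users retry or succeed, so one-shot failures across many sources stand out."""
    per_user = defaultdict(list)
    for a in attempts:
        per_user[a.user].append(a)
    one_shot = [v[0] for v in per_user.values() if len(v) == 1 and not v[0].ok]
    sources = {a.src for a in one_shot}
    return {"one_shot_failures": len(one_shot), "sources": len(sources),
            "alert": len(one_shot) >= min_accounts and len(sources) >= min_sources}

def analyze(lines, window_minutes=10):
    """Run both checks; the distributed check excludes sources already flagged
    so a single loud client cannot masquerade as a proxy-distributed campaign."""
    attempts = recent([a for a in map(parse_line, lines) if a is not None], window_minutes)
    noisy = noisy_sources(attempts)
    residual = [a for a in attempts if a.src not in noisy]
    return {"noisy_sources": noisy, "distributed": distributed_signal(residual)}

if __name__ == "__main__":
    print(analyze(LOG.splitlines()))
```

On the sample log the loud client 203.0.113.5 is flagged on its own (8 accounts, 7 failures), and the six proxies, each responsible for a single attempt, are only visible in aggregate as five one-shot failures from five sources. The thresholds are deliberately low for the tiny sample; in production they should be tuned against the site’s normal failure rate, and a “capture” of account value (see the glossary) is exactly what a post-login anomaly check would look for next.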


[ dataset ][ Experiment ]

4

DATASET

We analyzed popular underground cracking forums which focus on credential exploitation attacks and specialize in trading config files for SentryMBA.

• 3,579 config files from 5 forums (1,853 from sentry.mba)

• Config files posted over a 1½ year period (until May 2017)

• Analyzed 17,079 attacker profiles

• 326 API configs posted across the 5 forums, representing nearly 10% of configs

sentry.mba (1,853 configs): This site is dedicated exclusively to trading config files for Sentry MBA. The site is quite active, and has been around since mid-2015.

crackingking.com (903 configs): This is a very popular cracking forum that has substantial activity for SentryMBA configs. Most configs on this forum are available for free upon registration.

crackingforum.com (316 configs), crackingleaks.com (376 configs), cracking.zone (131 configs): These 3 forums have active SentryMBA communities, among other cracking activities like selling compromised accounts or other custom tools. These forums were primarily used for data validation purposes.

Our dataset consists of a cross-section of the most popular SentryMBA specific cracking forums, allowing us visibility into a significant portion of the attacker ecosystem.


[ target industries ][ Results ]

5

TARGET INDUSTRIES

Industry          Configs   Avg cost
Gaming            271       $2.34
Entertainment     168       $1.51
E-Commerce        148       $1.54
Adult             137       $1.69
VPN               102       $1.47
Social Networks   101       $1.12
Hosting            77       $1.02
Cracking           73       $0.89
Software           67       $1.48
Food               65       $3.75
Retail             62       $5.77
Advertising        51       $0.90
Sports             47       $0.90
Bitcoin            31       $1.59
Education          28       $2.74
Healthcare         22       $4.27
Finance             8       $5.22

The above industries are often targeted by Sentry MBA attackers. Included is the number and average cost of configs posted per industry.

All major industries are actively under attack. Some face a disproportionate volume of attacks such as Gaming, Entertainment & E-Commerce. Finance and Retail configs are the most expensive, and rare. This is symptomatic of SentryMBA being a script kiddie tool.


[ target geolocation ][ Results ]

6

GEOLOCATION OF TARGETS

Targets are distributed across 42 different countries with US organizations hit the hardest (78%).

#1 USA 1,007
#2 France 82
#3 UK 66
#4 India 60
#5 Germany 40
#6 Japan 36
#7 China 20
#8 Iran 13
#9 Sweden 10
#9 Estonia 10


[ target sites ][ Results ]

7

POPULAR TARGET SITES

[ Figure: logos of popular target sites annotated with config download counts (from 80 to 884 downloads per config) and repost counts (up to 41 reposts); the “Universal Email Access Checker” config shows 290 downloads ]

Popular Streaming, Gaming and Social Networking websites are also attackers’ favorite targets. This may indicate most attackers are script kiddies.


[ alexa rankings ][ Results ]

8

TARGET ALEXA RANKINGS

Popular websites are also more popular among attackers. However, in terms of sheer numbers, these attacks are mostly targeted against mid-market targets.

[ Chart: Attack Target Distribution, total number of unique target sites on Sentry.MBA by Alexa ranking band, showing the number of unique targeted sites and the total number of config downloads per band ]

AT A GLANCE...

10% of the Alexa Top 1000 have a SentryMBA config available in the underground market.

20% of the Alexa Top 100 are being actively targeted by configs.

184: the number of API configs available for download.

11,729: total number of downloads of SentryMBA config files.

1,853: number of unique targeted sites.


[ economics ][ Results ]

9

ECONOMICS

On sentry.mba config files are traded via the site-specific virtual currency called gold coins. One gold coin is equivalent to $0.01 and can be traded via bitcoins. On other forums, there is often a section for free configs and a more selective premium config section, which can only be joined once the user’s reputation is high enough.

There were at least a total of 11,729 unique attacks launched over the past 1½ years.

The average cost of a config is $1.73. Hence it is very easy for script kiddies to get started with these attacks.

The total amount which exchanged hands was $9,127.76. Hence the lucrative activity for attackers is not creating the configs, but taking over accounts.

Multiple factors contribute to the cost of a config, including: the “scarcity” of the config in underground forums, the value of an individual compromised account, the ease of selling these compromised accounts, the organization’s security defenses in place, the time required to write the config file, and so forth.

Config files are inexpensive, indicating that the barriers of entry are very low. In this ecosystem, the money lies not in config files, but elsewhere (likely selling compromised accounts).

[ Figure: The Top 5 Most Expensive Config Files ($35.00 - $50.00) ]


[ sentry.mba attackers ][ Results ]

10

WHO ARE THE ATTACKERS? USER HIERARCHY

1 Administrator

4 Moderators: Moderate content & ban users.

6 Verifiers: Verify config files & vendors.

68 Vendors: Can post content (you just need to ping any of the Admins/Moderators to become a vendor and pay $20). This came into the picture only after Feb 24, 2017; before that anyone could post content.

16,920 Normal Users

There are about 17,079 registered users on the Sentry.MBA platform. Of those users, only 390 have ever posted a config file, demonstrating that a small subset of users are the most active. The top 10 authors posted over 550 configs, representing over 30% of all config files ever posted. The top author, a user by the name “Terbz”, posted 116 config files.

The credential exploitation problem continues to worsen, as waves of attackers continue to join the forums. However, only a small proportion of them are responsible for most of the damage.

[ Chart: Number of new registered users over time, 10/3/15 to 5/25/17 (y-axis 20 to 120) ]


[ conclusion ]

11

CONCLUSIONS

With more than 11,000 attacks launched against 1,853 targets, credential exploitation is a big problem. A vast variety of websites and organizations are under attack. If an organization has user accounts with any value associated with them, then it is a potential target.

The underground ecosystem is thriving, with more than 17,000 attackers on a single forum and new attackers joining every day. We analyzed only 5 forums and plenty more exist. With the rising number of leaked credential dumps, this problem is only going to worsen.

This is not a web-only problem. API endpoints are an emerging target, with 326 config files targeting APIs, representing approximately 10% of config files.

The average cost of a config file is very low and attackers made relatively small sums of money by trading configs (less than $10,000). However, swarms of new attackers keep joining these forums. This indicates that the attackers are still profiting by launching credential exploitation attacks and selling compromised accounts. It is hard to estimate the value of the real damage caused by these attacks.

Stealth Security, Inc.® © 2017