In the world of high-profile hacks, the narrative often portrays threat actors as highly skilled and almost invincible adversaries. However, the reality we’ve encountered through our incident response (IR) work tells a different story. Not all threat actors are the criminal masterminds or uber 1337 hackers that they’re made out to be. In fact, most are downright clumsy. Here are the top 5 blunders we’ve witnessed that will make you rethink the image of cybercriminals.
1. The Case of the Domain Sinkhole
Imagine orchestrating a complex command and control (C2) operation only to forget one minor detail – registering the domain. That’s right, we’ve seen threat actors meticulously set up their infrastructure and then leave their crucial C2 domain available for anyone to snatch. It’s like planning a bank heist but forgetting leaving the keys in your unattended getaway car.
2. Rclone Credentials on a Silver Platter
Rclone is a popular tool for data exfiltration, but it’s only as secure as the user is cautious. We’ve found instances where the threat actor left a text file containing Rclone credentials on the compromised machine. This oversight allowed us to delete the data before it could be used for extortion purposes. It’s akin to a thief leaving you a map to their house with a key at the scene of the crime.
3. The Open Door to the C2 Server
In one of our more surprising discoveries, we located a C2 server IP . Command and control (or C2) is the most common way that modern threat actors control the compromised endpoints they have access to. Once we traced down where that server was, we can a simple port scan on it and began to investigate open services. We were able to locate an open HTTPS service where the threat actors were hosting all of their files for the rest of their team to use. In that directory, we found a user folder that had a .bashrc file complete with login history to Cobalt Strike. The Bashrc is the output of all of the historical commands that have been typed into a command line on a Linux computer. It’s the digital equivalent of leaving your house keys in the door, inviting anyone to take a peek inside.
4. Ransomware in Name Only
Deploying ransomware is a common threat actor tactic, but we’ve seen cases where the malware merely changed file extensions without encrypting any data. Some quick scripts to change file names and we had them back in business. It’s like a kidnapper sending a ransom note for a mannequin – there’s no real hostage.
5. AnyDesk’s Accidental Open House
AnyDesk is a legitimate remote desktop tool that can turn malicious in the wrong hands. We’ve found login scripts for AnyDesk left on machines, which not only compromised the victim but also provided access to all the other victims, and even some of their own infrastructure. It’s like a bank robber dropping a binder with the map, plans, and keys for all of the other banks they are robbing.
These are just the top five of the worst offenses we’ve seen hackers do from recent events. While threat actors can cause significant damage, they’re not infallible. These examples show that even in the shadowy world of cyber threats, human error can turn the tables. So, keep your eyes peeled and your smarts about you – that’s our real secret sauce in the cybersecurity world.
Inc. Magazine, based in New York, recently announced that Alias Infosec, a leading cybersecurity and digital forensics company, is No. 2,068 on its annual Inc. 5000 list, the most prestigious ...
