Hackers’ Hall of Shame: The Top 5 Cybersecurity Facepalms

Blog Alias April 22, 2024

Background

In the world of high-profile hacks, the narrative often portrays threat actors as highly skilled and almost invincible adversaries. However, the reality we’ve encountered through our incident response (IR) work tells a different story. Not all threat actors are the criminal masterminds or uber 1337 hackers that they’re made out to be. In fact, most are downright clumsy. Here are the top 5 blunders we’ve witnessed that will make you rethink the image of cybercriminals.

1. The Case of the Domain Sinkhole

Imagine orchestrating a complex command and control (C2) operation only to forget one minor detail – registering the domain. That’s right, we’ve seen threat actors meticulously set up their infrastructure and then leave their crucial C2 domain available for anyone to snatch. It’s like planning a bank heist but leaving the keys in your unattended getaway car.

2. Rclone Credentials on a Silver Platter

Rclone is a popular tool for data exfiltration, but it’s only as secure as the user is cautious. We’ve found instances where the threat actor left a text file containing Rclone credentials on the compromised machine. This oversight allowed us to delete the data before it could be used for extortion purposes. It’s akin to a thief leaving you a map to their house with a key at the scene of the crime.

3. The Open Door to the C2 Server

In one of our more surprising discoveries, we located a C2 server IP. Command and control (or C2) is the most common way that modern threat actors control the compromised endpoints they have access to. Once we had traced down where that server was, we ran a simple port scan on it and began to investigate the open services. We were able to locate an open HTTPS service where the threat actors were hosting all of their files for the rest of their team to use. In that directory, we found a user folder that had a .bashrc file complete with login history to Cobalt Strike. The Bashrc is the output of all of the historical commands that have been typed into a command line on a Linux computer. It’s the digital equivalent of leaving your house keys in the door, inviting anyone to take a peek inside.

4. Ransomware in Name Only

Deploying ransomware is a common threat actor tactic, but we’ve seen cases where the malware merely changed file extensions without encrypting any data. Some quick scripts to change file names and we had them back in business. It’s like a kidnapper sending a ransom note for a mannequin – there’s no real hostage.
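An added example (not from the original post) of the kind of cleanup script this item describes, assuming a constructed `.locked` suffix: before restoring a name it checks the file header and byte entropy, so files that really were encrypted are left untouched for forensics rather than silently renamed.

```python
# Added example, not the post's own script. Triage files that a "ransomware in
# name only" incident renamed, and restore names only when the content is
# verifiably intact. The ".locked" suffix is a constructed placeholder.
import math
from pathlib import Path

RANSOM_SUFFIX = ".locked"  # constructed placeholder; use the real appended extension

# Magic bytes for the original extension; genuinely encrypted content will not keep them.
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_intact(path: Path, original_ext: str) -> bool:
    """True when the header still matches the original type and the first 4 KiB is not ciphertext-like."""
    with open(path, "rb") as f:
        head = f.read(4096)
    sig = MAGIC.get(original_ext.lower())
    if sig is None or not head.startswith(sig):
        return False
    return entropy(head) < 7.5

def restore_renamed_files(root: Path, dry_run: bool = False) -> dict:
    """Walk root and rename back files that were only renamed. Returns {'restored': [...], 'skipped': [...]}."""
    result = {"restored": [], "skipped": []}
    for path in root.rglob(f"*{RANSOM_SUFFIX}"):
        if not path.is_file():
            continue
        original = path.with_name(path.name[: -len(RANSOM_SUFFIX)])
        if looks_intact(path, original.suffix) and not original.exists():
            if not dry_run:
                path.rename(original)
            result["restored"].append(str(original))
        else:
            result["skipped"].append(str(path))  # header gone or high entropy: hand to forensics
    return result
```

Run with `dry_run=True` first to review what would be renamed; anything in `skipped` should be preserved as evidence rather than deleted.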

5. AnyDesk’s Accidental Open House

AnyDesk is a legitimate remote desktop tool that can turn malicious in the wrong hands. We’ve found login scripts for AnyDesk left on machines, which not only compromised the victim but also provided access to all the other victims, and even some of their own infrastructure. It’s like a bank robber dropping a binder with the map, plans, and keys for all of the other banks they are robbing. 

These are just the top five of the worst offenses we’ve seen hackers commit in recent events. While threat actors can cause significant damage, they’re not infallible. These examples show that even in the shadowy world of cyber threats, human error can turn the tables. So, keep your eyes peeled and your smarts about you – that’s our real secret sauce in the cybersecurity world.

Written by: Alias
