AlphaBay Market: Lessons From Underground Intelligence Analysis - SANS CTI Summit 2018

Captions
(applause) - I'm a threat intelligence analyst at iDefense, part of the Threat Hunting, OSINT, and Reconnaissance team, and we specialize in targeted attacks and underground research. So this is my first time here at SANS and at CTI, so please be gentle, but generally we're gonna be talking about the role that underground intelligence plays within a threat intelligence program, and we're gonna look at it through the context of a deep-dive look at AlphaBay Market, which was, until recently, one of the largest criminal underground markets. So, for a background, I really came into threat intel by quite an unorthodox route, in that I don't have a technical background. I'm a massive tech geek, which is unsurprising in this venue, but I came at this from a War Studies perspective. I originally studied under Thomas Rid doing intelligence studies at grad school, and I'm really passionate about actually looking at organizations and how they function. So thinking about their culture, their networks, and what drives them, what are their incentive structures, and how does that help us determine their future behavior as adversaries? So, I'm gonna try and show how we can bring these aspects together with threat intel. So just as a baseline, so everyone knows what we're talking about when we're talking about underground intel. Underground intel is probably one of the oldest elements of threat intelligence, in the sense that as long as there have been underground criminal communities there have been people trying to break into them. So, some of you might have read Misha Glenny's book on the topic, DarkMarket, which is essentially talking about how the FBI infiltrated English and Russian language criminal communities in the 2000s. Yeah, this has been going on for quite a long time. And generally, you're using underground intelligence because you're trying to provide visibility into underground criminal activity, and what are the actors actually planning there? 
What's their intent? What tool sets are they using? And you know, what's their future development? And there are really three main aspects to underground intelligence, and they're obviously interrelated, and they feed into each other. So, first of all, you have human intelligence. That's engaging with actors directly, trying to develop sources; it's trying to actually infiltrate the communities in the first place and developing a persona through engaging these people, someone that they'll recognize over time. You're also conducting open-source intelligence: you could be using WHOIS data, you could be pulling from social network data, or you could be looking into government records and trying to tie people's digital identity to their real-world identities. And then, finally, you have classic cyber intelligence: indicators of compromise, reverse-engineering malware, and all of these things. They feed together and they're trying to give you context to inform your defensive operations. What are the pros and cons of underground intelligence? Here we're going to try and actually do some real talk, as opposed to just vendor speak, about what the value of underground intelligence is, because there is a lot. First and foremost, you're using underground intelligence to try and get to know your community. Get to know the people who are targeting your organization. And this is primarily going to be the cyber-criminal underground of financially motivated actors, because in all honesty, there isn't a huge amount of underground activity surrounding cyber espionage. There is in certain communities, in certain countries and certain regions, but generally it's overwhelmingly financially motivated cyber crime. And what you're trying to do is, you're trying to identify the clusters of this activity and trying to find clusters of activity that are most relevant to your organization or your vertical. 
Now, ideally, what you want is to be able to identify activity at a relatively early stage. It could be, someone is trying to put together a plan to attack your organization, they are trying to obtain certain tools for it, and that's the ideal scenario, when you're coming in right at the beginning and you're starting to see a plot evolve. But generally, a lot of what you see is the suboptimal outcome, which is actually that we're seeing it right at the end, where we're seeing a threat to the organization in the form of someone selling or spinning off the results of their activity. If you work in a financial institution, and you've ever been part of a fraud investigation team, if you've ever spent any time with the cyber-criminal underground, you're going to be seeing a hell of a lot of this stuff. People selling bank accounts, people selling credentials or whatever, but generally that's often the most highly visible aspect of underground intelligence. In terms of the value, let's start off with the risk of underground intelligence. Compared to other parts of threat intelligence, underground intelligence is fairly high-risk, in the sense that this is a community that knows that it's been infiltrated. A lot of the time, it's not a secret anymore that Brian Krebs is hanging out in these places and has many Russian pseudonyms. There are a lot of journalists as well as Krebs, there are threat researchers, and there's law enforcement all over the place. The people who form these communities know that they're infiltrated; you are part of their threat profile. Do not expect them to act, unless they're incredibly stupid, which some of them are, but generally do not expect them to act as if they don't know they're being watched. They know they're being watched most of the time. Actually, underground intelligence is really tricky because there is a huge amount of activity out there. 
There are thousands and thousands of these sources at different levels in terms of how easy they are to infiltrate and how easy they are to observe. That has a big lift, organizationally and technically, so you need to develop a collection system to grab all that data and ingest it, make sense of it. Often there are big language gaps. Obviously everyone knows about how big the Russian underground is, but actually, knowing Russian is just the start of it. There's a very sophisticated dialect within these communities that takes time to get to know. Of course, there are the OPSEC requirements, because you can't just go into this from your company's ASN. You can't just go in on a corporate machine. You have to build tooling that will let you get into these communities and, if the box is compromised, it doesn't come back to your organization. This is generally why, when people go for underground intel, they go for vendors, because you're essentially offsetting the risk to a vendor, and there's nothing wrong with that. It's just the question of how you use that and are you realistic about the utility of that? A good way of thinking about cyber criminality is to think of it in terms of its operational cycle. This is similar, in a way, to thinking about the terrorist operational cycle, if any of you are from a counter-terrorism background. But generally, any normal criminal will have to go through these stages of thinking about what they actually want to do, how they're going to do it, what resources they need, and then actually going through and carrying out the operation and then carrying out the exploitation at the end and actually getting the financial gain from that attack. Generally what you see is the top two. If you're lucky, and you're observing underground activity, you can potentially see any part of this attack cycle. But realistically, you're most likely gonna see the very beginning, the target selection, and the very end, the exploitation. 
So that's something that the vendor space has a problem with: it likes to sell people the idea that it's going to give you total visibility into attacker activity and you're going to be able to see everything they're doing and everything they're talking about. Realistically, the actors' operational security, and also what they need from the underground, will mean that you will not see that activity. You're most likely going to see the very beginning and the very end. Then let's talk about practical examples. How should an organization actually operationalize underground intelligence? This is going further than just simply ingesting underground data like a feed, because that's entirely the wrong way to use this. Underground intelligence is most valuable when you can interact with the operational cycle of cyber criminals and then potentially mitigate that threat. Just say, for example, you're a global hotel and resort operator, maybe like this one. You're trying to identify clusters of TTPs within particular communities that you know potentially could harm your organization based on your threat profile. Then, ingested through your underground feed, or whatever your process is, you see a guy who claims to be an employee of your organization, and he's offering inside access to the customer payment system for your company. Not for your company, but for an unspecified company. Obviously, that would be very interesting to you if you were on a threat intel team, or if you're part of an incident response team. The value here is when you can actually reach out to that actor and try and work out, identify the threat. What's the credibility of the threat? Does it relate to your organization? Does it relate to someone else's organization? And you can use the three prongs. You can use the cyber intelligence, trying to see if you can, based on the conversation with the actor, isolate which machine has been compromised. 
Or are you able to use OSINT? Are you able to see if the actor... you manage to get them to provide a screenshot demonstrating their access, because you're pretending like you're interested in buying it. Then you can potentially geo-locate the office that's been compromised based on the photo data. This is all very practical and can be done. This is what the value of underground intelligence is actually about: identifying and mitigating a threat at the earliest stage you possibly can, rather than just observing something and noting it. Now we can talk about the fun stuff. Why are we talking about AlphaBay? AlphaBay is a really interesting criminal market. It was originally founded in December 2014 by a guy called Alpha02, that was his handle. We now know that his real name was Alexandre Cazes. He was a French-Canadian guy from the Quebec province. AlphaBay is very interesting because it wasn't just trying to be like any other marketplace. It was trying to do something different. It was trying to combine a Silk Road style marketplace with a much wider nexus of criminal activity. It was trying to plug a quite sophisticated, very large, mostly English-speaking criminal community into this marketplace. And it was very successful in doing that. By around June of 2017, we saw about 190,000 registered members on the forum alone. We took a look at AlphaBay and decided that this would be a great target for a strategic research project, strategic underground intelligence collection, because what we really wanted to understand was how the market worked, and how did that relate to our customers? It was really good fun. AlphaBay is actually a really interesting place to hang out, who'd have thought? It was a really good community to spend time in. 
You learn a huge amount about how the criminals actually operated, how they thought, what they're interested in, and we managed to complete the project and publish it on our platform about a day before it was taken down by law enforcement. So, we got lucky. Generally, AlphaBay was split into these two components. You had the primary marketplace; the image is a bit blurry, but on the left you can see the search results for the malware section. There was a specific malware subsection. Most Silk Road style marketplaces do have malware, but AlphaBay was interesting in that it had arguably the most sophisticated and largest offering of malware on any Tor-accessible marketplace. In addition to that, it had the forum section, which was far busier and more lively and more sophisticated than the forum section of any other marketplace. What happened to AlphaBay is basically, suddenly, it just dropped off the radar. It went dead. The website stopped resolving. Absolutely no one knew what had happened, and there was an effort by the community to try and reach out to staff and find out what on Earth had gone wrong: they've disappeared with all our money. Some of the junior AlphaBay staff members were saying, "Don't worry, it's fine. We're doing upgrades." And after some days had passed, everyone was just like, "It looks like they've just gone, they've exit scammed, they've run off with all the deposited cash, so we're just going to go to Hansa." Hansa was the second biggest market at the time, and was pretty sophisticated in its own right as well. What people didn't realize is that they were being steered into a trap, because Hansa was being operated as a honeypot by the Dutch national police, who'd seized it about a month before. As thousands of users started migrating from AlphaBay to Hansa, often in quite a rush, they were giving the Dutch police a huge amount of metadata on the users. They were just sucking people up. 
On July 20th of 2017, in a joint conference, the Dutch police and the FBI snapped the trap shut and announced both markets had been seized, and it sent absolute shock through the community that this had happened. The idea of one marketplace going down, that's the game, that's how this goes. But two marketplaces at the same time, in a coordinated operation: no one thought the police were that smart. How did we actually get to that place? Well, it turns out that while Cazes and his crew had run a pretty tight shop, and it was a pretty sophisticated marketplace in terms of operational security as well, it also made a pretty crucial mistake at a pretty early stage of setting up the marketplace. Cazes had actually sent out a "Welcome to AlphaBay" registration email and, buried in the headers of that registration email, it had the email address "pimpalex_91@hotmail.com". So once the FBI saw that, I think it was about two years later that they found it, there was collective head-slapping all around. And the whole business started to untangle. They managed to locate his server farm in Canada, in his hometown, which, again, pretty disappointing. And when they raided his house in Thailand, he was living in Thailand at that point, they actually found everything laid out in plain text on his computer. Absolutely everything. The crown jewels, all the wallets, all the keys, everything. And, just for future recommendations, if anyone here is thinking about running a marketplace in the future, I wouldn't recommend having a personal net worth document stretching out all your assets around the world on the same computer that you run your criminal marketplace on. Pro tip. But do you know who did exactly the same thing? Dread Pirate Roberts. He did exactly the same thing. The Silk Road founder: exactly the same way. I can't even, I just don't understand. What does AlphaBay actually tell us about underground intel and what underground intelligence is used for? 
So what we found is that AlphaBay gave us a huge amount of visibility into the actual operational planning of a big network of cyber criminal operators in the English language, who tended to range from the kind of low-skill, in English we would call them barrow boys, people who are just trying to find any kind of job they can to make a bit of cash, to people who are marginally sophisticated or are fairly specialized in certain areas of fiscal fraud. But there's also a pretty strong relationship between AlphaBay and the Russian underground community as well. AlphaBay was actually acting as a bridge between these two communities. And that was a deliberate decision by the operators of the marketplace, who were actually pretty sophisticated cyber criminals in their own right. Again, this is something that distinguishes AlphaBay from other markets, in that AlphaBay was run by a coterie of really sophisticated cyber criminals. People who had years of experience, and they knew exactly what they were doing. Further evidence of their sophistication is their financial model, for which we found significant evidence to suggest that AlphaBay was more than just a marketplace; it was actually a multi-tier financial scam involving cryptocurrency manipulation. We're going to be talking about that in a bit more detail. This phrase I think really helps encapsulate what the scene on AlphaBay was like, in that it felt like Reddit, but it was for criminals. It was highly social, it was full of people just talking absolute nonsense most of the time, coming up with the most ridiculous ideas on how to make money. I remember seeing one guy asking for help, trying to find someone to come and chop down his neighbor's tree because he didn't want to be caught doing it. Just totally bonkers stuff like that. 
But generally, you had a really wide selection of people with different skillsets all trying to find each other and then potentially make some money out of that partnership. You had people like the insiders, so there were quite a lot of people offering insider services to banks or to retailers: "I can hook you up, get past fraud protection systems." And you also had people who were offering to set you up a fraudulent company, a front company to launder stolen money through. You had people who specialized in business email compromise. A really wide skillset. And obviously a lot of them were idiots, but still, a significant contingent were good. Now, an example of the kind of tactical output that you got from these kinds of interactions, just by getting to know the community there and interacting with them: we were actually contacted by a criminal gang based in the south of Europe. They were a physical criminal gang, like a regular, good old-fashioned criminal gang. And what they were looking for on AlphaBay was someone who could hook them up with some malware. So they had physical access to several companies' internal networks; we think that they may have been contractors or may have had people in as contractors within the company. What they were trying to do was find someone who could provide malware for them that they could then install into those networks using their insider access, and then they could exfiltrate all the data, sell it, and the profit would be split with the specialist who could provide them with the malware. Pretty interesting stuff. Based on this interaction, where we were able to speak with the actors and get to know them and pin down what they were trying to do, we were then able to pass that intelligence off to the companies who were actually being targeted. Now, because this is a public talk, we've had to change some details to protect the victims, but generally, this is the gist of what happened. 
That's the point: it's going beyond. If we had simply reported that we'd seen some people looking to buy malware, that wouldn't be very interesting, so all the steps beyond that, of actually reaching out and connecting with the actors, working out what they want, that gives you the killer piece. So the Russian connection of AlphaBay is a really interesting one, and not just for the first reason I outlined in terms of a bridge, but also, they were trying to use their connection to Russia as an OPSEC measure. So, let me explain a bit how that worked. First of all, they would tell people that the sale of Russian personal data and financial data was banned on the market, that you couldn't sell it on the market. Also, they regularly reached out to people on the Russian underground saying, "This is a great place to hawk to English speakers." We actually saw direct evidence of them reaching out on some top-tier Russian underground forums saying, "Come to AlphaBay, it's a really good place to sell in both English and Russian." But something doesn't make sense here, because we know now that Cazes was based in Canada, or at least his infrastructure was, and he lived in Thailand, so why were they trying to ban the sale of Russian data? That's a common characteristic of a lot of Russian underground forums. So what we think they were trying to do is pose as if they were based in Russia; they were trying to essentially mislead people that they were based in Russia. This is the tagline for the admin account run by Cazes. It says, in Russian (I can't speak Russian, so I'm butchering it), but it means basically "Be careful, brothers." Ooh, spooky Russian mafia. Very interesting. I think, ultimately, they're playing a double game here, because they're trying to persuade everyone that "Yeah, we're spooky Russian mafia, don't bother coming after us because we've located all our infrastructure in Russia." 
They actually explicitly said that on the forum several times, which we now know is likely to be untrue. But we think that there also was quite a strong relationship between the admins and the staff and the CIS region, the Russian Commonwealth of Independent States region. Some evidence suggests that several of the staff members were based there, or had been based there originally, and did speak Russian. AlphaBay's financial model is particularly interesting and sophisticated in comparison to its adversaries, or competitors, rather, in that it incorporated the usual escrow system for a market, but in addition, it had an automated credit card shop, so if you've ever seen any of the usual credit card auto shops like Joker's Stash or whatever, it had one of those built into the market for the credit card sellers, the bulk credit card sellers. It also had a mixer built into it, so you could mix your cryptocurrency within the site without having to use an additional service. But that wasn't the end of it. The marketplace was part of a wider financial model, and they were very explicit about this. This is a direct quote from AlphaBay's support account on Reddit, because they maintained several accounts on Reddit, just to keep in touch with their buyers, explaining why "Don't worry, AlphaBay's not going to exit scam, because we have a much better idea." We think we've identified at least one route as to how they were doing this. AlphaBay was pretty innovative in that it was one of the first currencies to support a multitude of alternative cryptocurrencies in addition to Bitcoin. They ended up adopting two coins successfully, and it looks like they weren't able to complete the third coin integration at the end because they were seized. They actually managed to integrate Monero and Ethereum and then didn't manage to do Zcash. 
What we think they were doing was, they were using the marketplace and the trade within the marketplace to actually try and influence the value of the coins themselves. We think the strategy went something like this. In the first step, you buy a lot of a cryptocurrency that wasn't currently supported by any major marketplaces. It, at the time, was relatively obscure on the criminal underground. And then, what you do after that is tell people AlphaBay is now supporting this coin, and you should totally look at trading it, because this is obviously going to affect the coin's value. Then you see people start shooting into the market as people start to see a movement into the market. The currency is now supported among the underground. And congratulations, you just pumped up the currency that you previously bought. One example of where we think they did this is with the coin Monero. Monero is pretty massive now on the underground; it's a really popular underground coin, partly because it's relatively easy to mine with GPUs. It's really popular with miner malware and it's also starting to be integrated into ransomware. It's a coin that's trying to be harder to track than Bitcoin. It's trying to improve on a lot of the benefits of Bitcoin for criminal underground uses. Before AlphaBay adopted it, it was relatively obscure. Around August 18th, the market cap was about 28 million. There's also not much trading activity; it's pretty quiet. On August 21st, a market called Oasis Market, which is a smaller drug-focused market, announces support. That's interesting, they're the first ones to come in. There's a little bit of change in the price, but not really that much. Now, on August 22nd, AlphaBay announces support for the coin, and at the same time, they say, and they said this specifically on the forum, "This is a really good time to invest in Monero." No winky face, but you can imagine the winky face. 
And as the coin is integrated into the marketplace and completed, there's a huge amount of trading. After that announcement, there was something like $61M of trade in 24 hours; that's one estimate from a guy. By the time they had completed the integration, the value had more than tripled. Over a 300% increase in the value of the currency. I think Monero now is worth about $5B, so if you invested based on an AlphaBay coin pick, you did pretty well. If you spent any time on AlphaBay, you might recognize this guy's distinctive turn of phrase and unique voice. This is someone who was a quite prominent voice on the forum. He called this out at the time; this was at the time of Zcash integration. As you can see, he says... So, at least I'm not the only one saying it. This is actually an asset forfeiture notice that was released when Cazes was indicted and AlphaBay was shut down. This is just Cazes's personal holdings; this is not associated with the wallet infrastructure for AlphaBay, just from his personal wallets: he had 1,605 Bitcoin, 8,309 Ethereum, 3,691 Zcash, and an unknown number of Monero. They weren't able to work out how much Monero he actually had. Advertise the currency or not, make your mind up. There is some evidence that he was engaging in personal trading of the same currencies the marketplace was supporting. This is the rough valuation as of Sunday, now, of how much that was worth. He did alright, he did pretty well. So, what does AlphaBay actually tell us about underground intelligence? If you spend time in these communities, get to know these communities, you can learn a huge amount about the intent of cyber criminals and the development of their techniques, tactics, and procedures. It's a powerful capability, but it's a limited capability, because you will never see all of it. You will only ever see a partial picture. It is something that should be incorporated into any mature threat intelligence program. There's no shame in using a vendor. 
This is something tricky, and it's hard to scale. Fundamentally, my message here is to try and go out there and get to know your community. Get to know cyber criminals that you identify as likely to target your vertical or likely to target your organization and that will really help inform your threat profile. Potentially, help resolve an incident. Thanks very much, and if you have any questions, hit me up. (applause)
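The registration-email mistake the talk describes (a personal address left in the headers of an automated welcome mail, found by law enforcement years later) is the kind of thing both an operator and an analyst can check mechanically. The Python below is an added example for this page, not code from the talk or from iDefense; the message it parses is constructed for illustration, and every address, domain and header value in it is hypothetical. It pulls every address-shaped token out of every header line, then separates the ones a recipient actually sees (From/To/Cc) from the ones buried elsewhere, and finally flags buried addresses whose domain differs from the sending domain, which is the pattern in the Cazes case.

```python
"""Harvest e-mail addresses from a raw message's headers and flag the ones
that are not in the human-visible From/To/Cc fields.

Added example, not part of the talk. SAMPLE_RAW is a constructed message;
its addresses, domains and header names are hypothetical.
"""
import email
import re

# Loose RFC 5322-ish address pattern; good enough for header triage, where
# false positives are cheap and a missed address is not.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Headers a recipient sees in a mail client. Anything elsewhere is the
# "buried in the headers" case from the talk.
VISIBLE_HEADERS = ("From", "To", "Cc")

# Constructed sample: an automated welcome mail whose operator left a
# personal webmail address in Reply-To and in a provider-added X- header.
SAMPLE_RAW = """Return-Path: <bounce@market-example.invalid>
Received: from mail.market-example.invalid (localhost [127.0.0.1])
    by mx.recipient-example.invalid with ESMTP id 12345
From: "Market Registration" <noreply@market-example.invalid>
Reply-To: personal_handle_91@webmail-example.invalid
X-Originating-Email: [personal_handle_91@webmail-example.invalid]
To: newuser@recipient-example.invalid
Subject: Welcome to the market

Your account is ready.
"""


def harvest_header_addresses(raw):
    """Return {address: sorted list of header names it appears in}."""
    msg = email.message_from_string(raw)
    found = {}
    for name, value in msg.items():      # every header, repeats included
        for addr in ADDR_RE.findall(value):
            found.setdefault(addr.lower(), set()).add(name)
    return {addr: sorted(names) for addr, names in found.items()}


def hidden_addresses(raw):
    """Addresses that occur only outside From/To/Cc.

    These are the ones an operator is least likely to have reviewed and the
    first thing to pivot on (WHOIS, breach data, other postings) in an
    attribution workflow.
    """
    msg = email.message_from_string(raw)
    visible = set()
    for header in VISIBLE_HEADERS:
        for value in msg.get_all(header, []):
            visible.update(a.lower() for a in ADDR_RE.findall(value))
    return {addr: names
            for addr, names in harvest_header_addresses(raw).items()
            if addr not in visible}


def sender_domain_mismatches(raw):
    """Hidden addresses whose domain differs from the From: domain.

    A same-domain bounce address is routine; a personal webmail domain next
    to the market's own sending domain is the signal worth chasing.
    """
    msg = email.message_from_string(raw)
    from_addrs = ADDR_RE.findall(msg.get("From", ""))
    from_domain = from_addrs[0].split("@")[1].lower() if from_addrs else None
    return {addr: names
            for addr, names in hidden_addresses(raw).items()
            if addr.split("@")[1] != from_domain}


if __name__ == "__main__":
    for addr, names in sender_domain_mismatches(SAMPLE_RAW).items():
        print(f"{addr}  <- {', '.join(names)}")
```

Run against the constructed sample, the mismatch check returns only the personal webmail address, tagged with the two headers it leaked through; the bounce address is hidden but shares the sender's domain, so it is filtered out. On a real mailbox the same functions can be run over every message from a single sender to see whether a personal address appears consistently, which is a stronger lead than a one-off hit.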
Info
Channel: SANS Digital Forensics and Incident Response
Id: XwBwuUg3fQc
Length: 32min 40sec (1960 seconds)
Published: Wed Jun 13 2018