Jack Rhysider
Appearances
Darknet Diaries
135: The D.R. Incident
So throughout my life, I've had this recurring dream. It starts out with me being in my front yard, and coming down the street is a wild bull. It's typically white in color, and it's just on a terror, running around the neighborhood, smashing up cars, knocking down trees, trampling everything in its path. Nothing can stop it.
Darknet Diaries
135: The D.R. Incident
There are companies out there that try to classify every single IP address and domain name to try to determine if it's malicious or not. So if you see computers on your network contacting known malicious domains, then you can double-click on that and see what's going on. While he's scanning the network, I want to take a quick ad break.
Darknet Diaries
135: The D.R. Incident
But stay with us because you're going to want to hear what he found. Support for this show comes from Black Hills Information Security. This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure. I know a few people who work over there, and I can vouch they do very good work.
Darknet Diaries
135: The D.R. Incident
These are true stories from the dark side of the internet. I'm Jack Recider. This is Darknet Diaries. This episode is brought to you by SpyCloud. For some people, ignorance is bliss. But for you, as a security practitioner, that's not the case.
Darknet Diaries
135: The D.R. Incident
If you want to improve the security of your organization, give them a call. I'm sure they can help. But the founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more.
Darknet Diaries
135: The D.R. Incident
But get this, the whole thing is pay what you can. Black Hills believes that great intro security classes do not need to be expensive, and they are trying to break down barriers to get more people into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers.
Darknet Diaries
135: The D.R. Incident
Head on over to blackhillsinfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training. That's BlackHillsInfosec.com. BlackHillsInfosec.com. Omar was scanning the Dominican Republic's DNS queries to see if anything unusual was going on.
Darknet Diaries
135: The D.R. Incident
Oh, no. A computer within the Dominican Republic government was connecting to a command control server, otherwise known as a C2 server, that is known to control systems infected by the Conti ransomware. This is bad. This indicates that the government is about to get hit. Someone has them in their crosshairs and just needs to pull the trigger.
Darknet Diaries
135: The D.R. Incident
And perhaps they're going to get hit as hard as Costa Rica got hit. Whoever was behind that attack on Costa Rica clearly had a lot of time and resources to make a very deep and wide impact there, crippling their systems and government. But lucky that Omar has such a keen eye and is tuned into the threats of his government so he can detect this early.
Darknet Diaries
135: The D.R. Incident
So he zoomed into this alert and he saw that, yes, in fact, a system did get infected and it reached out to the command and control server to download Cobalt Strike. Cobalt Strike is like a full suite of hacker tools. It's equivalent to finding a bad guy in your building and also finding his huge sack of tactical spy tools.
Darknet Diaries
135: The D.R. Incident
But because they spotted this, as it was unfolding, they were able to delete those tools and clean that system and start hardening that system so it doesn't get infected again. On top of that, with this newfound activity on their network, knowing that they're in the crosshairs of somebody, it was important to start alerting the users in the government agencies. Be on alert.
Darknet Diaries
135: The D.R. Incident
We are seeing some bad weather on the horizon. Be very cautious of any phishing emails. And please, please, please report anything suspicious to the security team. Thank you.
Darknet Diaries
135: The D.R. Incident
Okay, wow, so they were seeing a lot of phishing attempts. Emails posing as someone else trying to get users to click links, open zip files or attachments. And in every one of these emails, the attackers spoke perfect Spanish. This is really curious since a lot of these ransomware gangs would be coming from Eastern Europe or Russia.
Darknet Diaries
135: The D.R. Incident
They wouldn't have the ability to speak perfect Spanish on such a large scale with hundreds of phishing emails being written.
Darknet Diaries
135: The D.R. Incident
Bandook. Okay, if I Google Bandook malware, I immediately get an article saying that this malware gives remote access to a computer, and it was written by someone named Prince Ali who's from Lebanon in the Middle East. More specifically, the Bandook malware has been known to be used by a group called Dark Caracol. Well, that's what the EFF named them, at least.
Darknet Diaries
135: The D.R. Incident
And while we aren't sure exactly who they are, there are quite a bit of clues that lead us to believe that the Lebanese government is somehow behind this dark Caracol group. Now, I want to paint a clear picture for you.
Darknet Diaries
135: The D.R. Incident
Hundreds of phishing emails are flooding into different government agencies in the Dominican Republic, all of which are trying to get the recipient to open an attachment or click a link, which will infect them with this Banduk malware, which typically seems to be the work of this threat actor group called Dark Caracal. As Omar looked at these emails coming in, he noticed something even more scary.
Darknet Diaries
135: The D.R. Incident
So what happened here is that the attackers knew that the Dominican Republic was doing business with a certain company, and they infiltrated that company just to pose as people from there in order to trick the victims in the Dominican Republic government to open attachments.
Darknet Diaries
135: The D.R. Incident
I went to spycloud.com to check into my darknet exposure, and I won't tell you what it is, but spoiler alert, I found some things that are pretty eye-opening. From breach exposures to info stealing malware infections, knowing what criminals know about you and your business is the first step to setting things right.
Darknet Diaries
135: The D.R. Incident
I mean, this seems to be the start of a horror story where it feels like you're home alone at night and someone is throwing rocks at your window, at all your windows, at once, constantly pinging them. And you just know at any moment one of those windows is going to break. But there's just no way to secure everything at once.
Darknet Diaries
135: The D.R. Incident
It just takes one user in an agency to get infected, and then the attacker can jump off their machine to infect the whole agency. And for dozens of agencies to be attacked at the same time is horrifying. On top of that, the attackers are scanning web servers, looking for vulnerabilities, trying to find an exploit to get into the network that way.
Darknet Diaries
135: The D.R. Incident
So it's like endless banging on the doors and you know they're not going to hold. Where do you even put your attention in a situation like this? The bull is trying to get in your house and there's nothing you can do to stop it.
Darknet Diaries
135: The D.R. Incident
The hacker group Dark Caracal had successfully made their way into 30 different government agencies. And each came in through a different entry point too. And to see that this was coming, to know the bull was headed towards you, but to have no ability to stop it, has got to be one of the most terrifying feelings. The feeling of helplessness, despair, vulnerability.
Darknet Diaries
135: The D.R. Incident
Suddenly, a huge portion of the Dominican Republic government's network is now in the control of someone else? Someone you have no idea who they are, but maybe related to the Lebanese government?
Darknet Diaries
135: The D.R. Incident
Holy flip, critical infrastructures, things like power plants, water treatment facilities, dams. Disrupting or destroying these systems would absolutely bring this country to its knees.
Darknet Diaries
135: The D.R. Incident
Now, of course, Omar isn't working by himself on this when he says that he did all these things. It was obviously a team effort. And his team consisted of like seven or eight people. But then every agency in the government has their own IT department. And some, of course, are bigger than others. But everyone was working extra hours to help out.
Darknet Diaries
135: The D.R. Incident
But it just makes me wonder, you know, how robust is the Dominican Republic's cybersecurity? I mean, they may not be able to afford the most up-to-date network infrastructure, and they may be running old systems in place. They may not have the funds to employ high-quality employees to react to this.
Darknet Diaries
135: The D.R. Incident
Resetting stolen passwords and addressing the enterprise access points that have been stolen by malware helps you protect your business from ransomware, account takeovers, and online fraud. With SpyCloud, you have a trusted partner to fight the good fight with.
Darknet Diaries
135: The D.R. Incident
But when you're on the internet, it means you're only one click away for every threat actor in the world. So you absolutely need to secure your government's networks just as well as the largest governments in the world. Just because you're a small island doesn't mean you get to skimp on cybersecurity. You need to be just as good as everyone else. And it feels asymmetric in so many ways.
Darknet Diaries
135: The D.R. Incident
You have to be prepared for the most sophisticated threat actors in the world. And I just wonder, how advanced was the cybersecurity of the Dominican Republic?
Darknet Diaries
135: The D.R. Incident
C2 means Command and Control Server, but I mean, what? You're telling me that some advanced adversary who may be in the Middle East is now starting to install the Conti ransomware on these systems? This is boggling because Conti has been widely attributed to be from Russia. So first of all, why are these two groups even allies or working together?
Darknet Diaries
135: The D.R. Incident
Second, holy crap, you now have two sophisticated attack teams working together to attack your entire country, national agencies, and critical infrastructure? Just when you thought you were in the thick of the storm, the storm got worse.
Darknet Diaries
135: The D.R. Incident
The Dominican Republic was in trouble and Omar's job was to help.
Darknet Diaries
135: The D.R. Incident
Their automated solutions, which is built on over 350 billion recaptured assets from the criminal underground, ensure you're not in the dark when it comes to your company's exposure to cybercrime.
Darknet Diaries
135: The D.R. Incident
Now, this is what I love about Omar, is his awareness and his social skills. I used to work for a company doing incident response, and guess how much cybersecurity news my boss paid attention to? None. Guess how many other companies my boss interacted with to understand what threats they were facing? None.
Darknet Diaries
135: The D.R. Incident
The attitude in our company was to put your head down and do your work, not look around to see what everyone else is doing or meet other people in the field. And I hated that. I can't stress this enough, that having allies in this business and going to conferences and meeting people and sharing stories with them will help you do your job so much better.
Darknet Diaries
135: The D.R. Incident
So please, IT managers, stop thinking you're in some silo and your problems are just yours. Encourage and support your IT employees to go to conferences, meetups, talks, and workshops. It will help your business. Trust me. Omar has gone to conferences. You heard two of his talks at the beginning of this episode even. And he's gone to meetups and he's made friends across the sea in Costa Rica.
Darknet Diaries
135: The D.R. Incident
Specifically, it was the conference called FIRST where he met them. And you can learn more about this at FIRST.org.
Darknet Diaries
135: The D.R. Incident
While FIRST is just one conference in the world, there are so many more going on these days. In fact, I think any given week, you can find two or three security conferences going on somewhere in the world. So just Google cybersecurity conference near me and see what's coming up near you. And having these connections were very valuable in this situation. I mean, it was a force multiplier even.
Darknet Diaries
135: The D.R. Incident
Dominican Republic doesn't have the biggest cybersecurity incident response team in the world. And so knowing who to tap for help creates a battalion of people who can help you in different ways. One thing they did was compare their malware and indicators with other countries in Latin America to see who else has seen anything like this.
Darknet Diaries
135: The D.R. Incident
To get your full Darknet exposure report, visit spycloud.com slash darknetdiaries. That's spycloud.com slash darknetdiaries.
Darknet Diaries
135: The D.R. Incident
Then he started creating a playbook with help from other nations to start remediating this. Of course, he was also calling up security vendors, the people who made the software that was supposed to be securing his network. He'd call up and say things like, hey, we pay you to block these attacks and you didn't. Please help us fix it.
Darknet Diaries
135: The D.R. Incident
And of course, the security vendors want to make their tools better. So they wanted like a sample of the malware and what methods they used to get in. And we're working quickly to fix their software so they would be able to block these attacks from continuing. continuing. And this was happening on Windows machines. They were getting infected even though they were fully patched and updated.
Darknet Diaries
135: The D.R. Incident
So a call to Microsoft was important to show them what they were dealing with and to ask, how can you fix this? They were calling out to other network vendors too because their systems were compromised. And by the way, when you call up one of these companies to try to report a zero-day exploit, it's not easy.
Darknet Diaries
135: The D.R. Incident
The first person that you get, the first tier support tells you stupid things like, okay, sir, did you try rebooting the system? And you're like, come on, please, please, please, please, please connect me to somebody who knows what they're doing over there. And they simply cannot. So you need to ask for a manager. And then the manager doesn't know how to fix it.
Darknet Diaries
135: The D.R. Incident
And they don't want to admit that their software has vulnerabilities in it. So you go back and forth trying to troubleshoot it for days. It's tedious and time-consuming before they escalate it to the next tier support and eventually you get an engineer or a developer who knows this system inside and out and can recognize the problem and replay it and fix it right away.
Darknet Diaries
135: The D.R. Incident
It's just that that person is behind like eight layers of support tiers before you can get to them. Now there's this quote from Bruce Schneier that has frustrated me but also educated me on the reality of cybersecurity. The quote goes like this. You can't defend. You can't protect. The only thing you can do is detect and respond.
Darknet Diaries
135: The D.R. Incident
I get frustrated from that quote because I feel like we should be able to defend and protect. Why don't we have secure software that can do that? I mean, how many more years and technical advancements do we need before we can defend our networks? But the sad truth is we may never get there.
Darknet Diaries
135: The D.R. Incident
And so what Bruce is saying is we need to be assuming we're breached and to work on improving our ability to detect and respond to cyber threats. Somewhere in the middle of the storm, Omar realized that too. Instead of trying to build those walls up higher and higher to stop people from getting in, he needed to get better at detecting when they did get in.
Darknet Diaries
135: The D.R. Incident
This episode is sponsored by Delete Me. In episode 133, I spoke to Connor Tumbleson about some people from who knows where who were stealing his identity. Luckily, they weren't out to destroy his reputation or extort him, but think of the damage that could be done. We all have data out there, which data brokers use to make profit.
Darknet Diaries
135: The D.R. Incident
So he started installing more monitoring tools into the network so that he could watch more closely what was going on in there. And this allowed him to understand where Cobalt Strike was and spot it and the Bandook malware and Conti ransomware and Dark Caracal and where it was in the network and how it was moving around, giving him a beautiful view into which systems were infected.
Darknet Diaries
135: The D.R. Incident
There's now a third threat actor involved in this attack? Just before all this happened in the Dominican Republic, there was some crazy drama going on in the Conti ransomware gang. So Conti, we know, is based in Russia. And they came out publicly in support of Russia's invasion of Ukraine.
Darknet Diaries
135: The D.R. Incident
Anyone on the web can buy your private details to do anything they want. This can lead to identity theft, phishing attempts, harassment, and unwanted spam calls. But there's a solution called Delete Me. I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found. And they got busy deleting these things.
Darknet Diaries
135: The D.R. Incident
And then it, for some reason, turns and looks at me and I can tell it's coming from me. I mean, it's so wild. It's like falling down, tumbling, running into houses and stuff, trying to turn to come towards me. So I quickly run into the house, slam the door shut, lock it, and then go to the window to look to see what's going on.
Darknet Diaries
135: The D.R. Incident
Well, I guess someone close to Conti did not like this and decided to publicly leak 60,000 messages between the Conti group and other people. And these leaked messages showed that the Russian government had been hacking into places that just seemed to be in poor taste, you know, like hacking medical researchers.
Darknet Diaries
135: The D.R. Incident
So it's not a far-fetched to think that Conti may be working with the Russian government, or that the Russian government would be attacking smaller countries, sort of as a testing ground to practice their hacking skills. But I mean, an infiltration at this level really can pose as a whole new type of ransomware.
Darknet Diaries
135: The D.R. Incident
Like, just hypothetically, imagine a phone call from Putin to the president of the Dominican Republic where Putin could say something like, listen, we want you to support our war with Ukraine, and if you don't, we'll turn your whole country off. Because they can. With their hand in so many agencies, networks, and critical infrastructure, they could just shut down the Dominican Republic.
Darknet Diaries
135: The D.R. Incident
And that would be a form of ransomware, wouldn't it be? No, this was just a hypothetical. I have no idea if Putin has any relations with the Dominican Republic. At some point, do you contact the president and say, hey, we've got a really big deal. It's not just your normal malware, but this is a geopolitical problem.
Darknet Diaries
135: The D.R. Incident
Of course, attribution is very hard when it comes to cyber attacks. It's incredibly easy to hide in the shadows on the internet. So even though there are some things that point to this being Russia and dark caracol, How confident can you really be? Especially when you're on the phone briefing the president. Maybe someone else just got a hold of the Bandook malware or Conti ransomware.
Darknet Diaries
135: The D.R. Incident
Maybe someone wants you to think that it was those threat actors attacking you just to throw you off the scent. Because we've seen threat actors put in fake clues to do just that before. For this situation, there were a lot more questions than there were answers. If Dark Caracol is Lebanese-based, why would they be working with Russia or Conti?
Darknet Diaries
135: The D.R. Incident
Was this financially motivated or politically motivated? This attribution wasn't exactly clear, and neither are the motives.
Darknet Diaries
135: The D.R. Incident
It was great to have someone on my team when it comes to privacy. Take control of your data and keep your private life private by signing up for Delete Me. Now at a special discount for my listeners, you can get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code DD20 at checkout.
Darknet Diaries
135: The D.R. Incident
Hold on. How can the president of the Dominican Republic be from Lebanon? Let me look this up. Okay. His grandfather was born in Lebanon and moved to the Dominican Republic in the 1800s. It was not clear to me, at least, if he's still tied to Lebanon in any way, shape, or form. I mean, I couldn't even find out if he can speak Lebanese, you know?
Darknet Diaries
135: The D.R. Incident
But it seems like only weeks after he was elected as president is when this attack happened. So maybe this has something to do with Lebanon sending a message to the president. My mind is spinning here, and I don't want to make any wild assumptions.
Darknet Diaries
135: The D.R. Incident
At the very least, I'm reminded of how Costa Rica's president declared war on Conti, and now I can see that that's not so far-fetched of an idea anymore.
Darknet Diaries
135: The D.R. Incident
At this point, Omar had a very good understanding of this campaign and malware, and he even reverse-engineered some of the malware, inspected it for clues, and looked at their command and control servers, and had a full map of where the infections were and how they were moving around the network.
Darknet Diaries
135: The D.R. Incident
On top of that, vendors started to improve their systems, issuing patches and updates and better ways to detect this. So he got together with all the teams inside the agencies that were infected and explained the remediation process. Step by step, he walked them through how to remove this and stop this from happening again. And he also called the ISP to have them block certain domains.
Darknet Diaries
135: The D.R. Incident
And he was actively cleaning up the mess. Of course, any good threat actor is not going to go down without a fight. So while they'd block a domain or a command and control server, a new one would just spin up, and they had to keep blocking and updating their detection methods.
Darknet Diaries
135: The D.R. Incident
And you know the goal for security isn't always to stop all the threats permanently, but instead just to make it as hard as you can for the bad guys to get in. Because it takes work to spin up new domains. It takes work to pull out a new zero day, to infect more systems. And it takes work to regain access once you get kicked out.
Darknet Diaries
135: The D.R. Incident
So having this coordinated effort to shut them out started to exhaust the attacker's resources. And do they really want to put a lot more work and effort into getting back in? Or just move on to the next target?
Darknet Diaries
135: The D.R. Incident
There's a concept called the pyramid of pain when defending a network, and it's basically the more painful you can make it for the attackers to get in, the less likely they'll actually do it. You never will become fully secure, but at least you can make them work for it.
Darknet Diaries
135: The D.R. Incident
So after a massive coordinated effort to clean up the government agencies and a big bank and critical infrastructure, they were able to successfully clear everything off and keep it off. In fact, they seem to have stopped the Conti ransomware attack before it actually triggered ransomware on any systems. It was only staging the ransom, but never actually executed it.
Darknet Diaries
135: The D.R. Incident
Omar also looked to see if any data got exfiltrated from the network, but it didn't. So it doesn't seem like Russia or Dark Caracal stole any information out of the government. Did they disrupt critical infrastructure?
Darknet Diaries
135: The D.R. Incident
Yeah, to control a dam or a water pump or electrical transformer, it doesn't use like a typical Windows computer or something. It's a different system called OT, which is operational technology, which is opposed to IT, information technology. And OT takes a completely different skill set.
Darknet Diaries
135: The D.R. Incident
The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code DD20 at checkout. That's joindeleteme.com slash darknetdiaries code DD20. Okay, you all have seen this talk at the STIC conference earlier this year, right?
Darknet Diaries
135: The D.R. Incident
And it sounds like whoever got into these systems didn't quite have the skill set to control OT systems, which was good that they didn't get disrupted. What a whirlwind story this was, huh? To have a government completely cracked open like that, with no way to stop the attackers, in my opinion at least, but then to gain back control of it and lock them out.
Darknet Diaries
135: The D.R. Incident
Omar likes sharing this story with others so that they can be aware that this kind of stuff goes on in the world. And in fact, as I'm looking things up here, it seems like Venezuela also got targeted with the same group or groups.
Darknet Diaries
135: The D.R. Incident
So in 2022, Latin American countries were hit hard with these huge coordinated attack campaigns that may have been unstoppable due to the sophistication and breadth of the attack. And I wonder if Haiti got hit, you know? The president of Haiti has been assassinated and the place has a barely functioning government and it's kind of been taken over by gangs.
Darknet Diaries
135: The D.R. Incident
Would you expect their cybersecurity posture to be strong or lacking? I mean, if Russia infiltrated Haiti's networks, is there anyone there to even notice it and clean it up? And I just wonder about Haiti because they share the same island as the Dominican Republic. I don't know.
Darknet Diaries
135: The D.R. Incident
In some ways, I hate that our world is so vulnerable digitally still, that our most critical systems are still susceptible to attack. My knee-jerk reaction is to say something like, take your systems offline if you can't secure them properly. But that's the opposite of technological progress. So that kind of attitude or strategy just isn't going to fly today.
Darknet Diaries
135: The D.R. Incident
I just feel like when our systems get too complicated, they become insecure. And we certainly live in a very complicated network of computers now, don't we? But the thing is, even in my dreams, I still can't find a safe place to hide. A huge thank you to Omar Avales for coming on the show and sharing this story with us.
Darknet Diaries
135: The D.R. Incident
The easiest way to find Omar to connect with him is by looking him up on LinkedIn. I'll have a link to his LinkedIn in the show notes. In this episode, we talked about the threat actor, Dark Caracal, and I actually did a full episode on them a while back, and that's episode 38. It's a really fascinating group, so go check out that episode.
Darknet Diaries
135: The D.R. Incident
Just as a reminder, this show is now on a monthly release schedule. So look for new episodes on the first Tuesday of every month. I also have a store where you can buy cool shirts to support the show. It's not all branded with Darknet Diaries logos. There are some there, but there are a ton of shirts that I just know you'll absolutely love the design and want to wear these shirts.
Darknet Diaries
135: The D.R. Incident
So please go visit shop.darknetdiaries.com. And thanks for supporting the show. This show is made by me, the bullfighter, Jack Recider. Editing helped this episode by the bipedal Tristan Ledger, mixing done by Proximity Sound, and our theme music was created by the mysterious Breakmaster Cylinder, who just released a new album, and I'll have a link in the show notes if you want to take a listen.
Darknet Diaries
135: The D.R. Incident
Now, even though when I see people rate this show a 10, I always assume it's in binary, and they're really giving it a 2. This is Darknet Diaries.
Darknet Diaries
135: The D.R. Incident
I don't speak Spanish, so I have to use YouTube to auto-translate for me, but hmm.
Darknet Diaries
135: The D.R. Incident
Now that I'm looking at it, there are only 115 views on this video. So, no, you absolutely have not seen this talk. Okay, let me find another. Okay, what about this one? This is a talk from Hack the Box Meetup in Santo Domingo in the Caribbean Sea.
Darknet Diaries
135: The D.R. Incident
Nah, you know what? This video only has 500 views, so no, you did not see this video either. Well, both of these talks are by a guy named Omar Avales, and he's talking about the worst day of his life. It's a chilling story. But since you haven't seen this talk, I really want you to hear it. And since it's in Spanish, I'm going to have to call up Omar to see if he can tell us the story in English.
Darknet Diaries
135: The D.R. Incident
Across the Caribbean Sea, next to Panama, is Costa Rica. And what Omar saw happening in Costa Rica struck his curiosity.
Darknet Diaries
135: The D.R. Incident
Whoa, that's kind of dramatic, isn't it? Declared war? Seriously? Like you go in to deploy troops and send fighter jets because someone put ransomware on your computers? Does Costa Rica even have fighter jets? Anyway, because Omar is in part of Latin America, he was watching this story unfold.
Darknet Diaries
135: The D.R. Incident
Hmm. Sorry, I had a bad connection with Omar when we were talking. So let me repeat that for you. Omar worked in the CCERT for the Dominican Republic. CCERT is an acronym which stands for Cyber Security Incident Response Team. And this CCERT unit falls under the Department of Defense in the Dominican Republic. So when cyber attacks threaten national security, Omar was there to review it.
Darknet Diaries
135: The D.R. Incident
but the bull just runs right up to my house, hits the front door, and just busts through it like it's paper.
Darknet Diaries
135: The D.R. Incident
But what's more is the Dominican Republic CCERT is part of a community of other incident response teams within Latin America.
Darknet Diaries
135: The D.R. Incident
What he saw was that 20 different government organizations in Costa Rica were hit with this Conti ransomware. This was a very widespread problem within their government, so it's no wonder they were reaching out for help anywhere they could. Many parts of the Costa Rican government came to a halt, and they were frantic over there.
Darknet Diaries
135: The D.R. Incident
But this gave Omar the ability to research and understand this Conti ransomware better.
Darknet Diaries
135: The D.R. Incident
It's suddenly in my house, and it's trying hard to turn corners and navigate through my house to get to me, but it's falling down and smashing into walls and furniture, and I'm frantically trying to find a safe place to go, but every room I go into, it just smashes through those doors or windows to get to where I am.
Darknet Diaries
135: The D.R. Incident
Wow, that's really remarkable. See, when I hear that 20 departments were hit, I immediately think that there must be some central connection that allowed the malware to spread internally. You know, like if you can get in through the front door, now you can take a tunnel to all the other buildings or something.
Darknet Diaries
135: The D.R. Incident
But no, what Omar saw was that each of these 20 departments were infected separately, some of which were infected through phishing emails and some from malware put right on systems that were connected to the Internet. But just because the malware got inside each of these places, it didn't actually turn on until the right time.
Darknet Diaries
135: The D.R. Incident
It was coordinated that when enough systems got infected, it would trigger the ransomware to lock all the computers at once and demand payment to unlock them. Now, the motive behind putting ransomware on systems like this is typically just to make money. I believe they were asking for $20 million to unlock Costa Rica's systems. So whoever did this seemed to be there only for financial gain.
Darknet Diaries
135: The D.R. Incident
Costa Rica got their systems fixed up, and I don't think they paid the ransom. They had backups and restored, but Omar saw how this malware operated and worked. And he saw the methods they used to get in, and took this new knowledge to scan the Dominican Republic's national computer infrastructure to see if anything matched what was on Costa Rica's systems.
Darknet Diaries
135: The D.R. Incident
After all, the malware seemed to be present in Costa Rica's network for a while before it actually executed. So he looked through computer after computer and scanned lots of systems looking for things that matched what he saw in Costa Rica. He didn't find anything, actually, which seemed like the Conti ransomware gang wasn't targeting the Dominican Republic, which was good.
Darknet Diaries
135: The D.R. Incident
But then, while looking for malware in the network, he noticed something. Someone had defaced a Dominican Republic government's website. They found a vulnerability on the web server and changed the pictures and text to something else. So he zoomed into this to investigate.
Darknet Diaries
135: The D.R. Incident
Now, typically when someone defaces a website, it's a small-time hacker. Being able to show your friends that you changed the text on a government website makes you look cool in some hacker circles. But it wasn't this person who defaced the website that put the malware on that computer. See, when Omar was investigating the defacement, he checked to see if any malware was left behind.
Darknet Diaries
135: The D.R. Incident
And it was just not by this person. One of the places Omar likes to look for malware is in the temp directory. The temp directory is used by programs to temporarily hold data. And it's kind of a free space for any app to use to dump data in there if it needs it. So this directory often has open permissions. Anyone can read or write to it. Not many directories are like that on a computer.
Darknet Diaries
135: The D.R. Incident
So that's why Omar looked in the temp directory, and that's where he saw that someone had stuck this malware in there.
Darknet Diaries
135: The D.R. Incident
I keep going into room after room, shutting doors, locking it, but it just keeps getting in. I usually wake up around here, heart racing, I'm in a panic. And what I often feel after this dream is helplessness, complete vulnerability. There's no place that feels safe. And it doesn't matter how many locked doors I have or hiding places I know of, that bull always finds me and smashes its way to me.
Darknet Diaries
135: The D.R. Incident
So someone had exploited this system 10 months ago, stuck some malware in there and then left quietly. And when someone else came and defaced the site, that's when he discovered that it was there. And just imagine that sinking feeling for a moment. Malware had been here for 10 months and nobody noticed. Your worst fears start racing through your head at this point. Did they steal anything?
Darknet Diaries
135: The D.R. Incident
Did they access stuff they shouldn't? Did they jump around to other computers?
Darknet Diaries
135: The D.R. Incident
A zero-day means that not even Microsoft knows about this vulnerability. And the reason why it's worse is because whoever left this here must have access to some pretty advanced malware. It's not easy to find a zero-day exploit, because if it was, Microsoft would find it too and put a fix out for it. So it's supposed to be secret.
Darknet Diaries
135: The D.R. Incident
Now, specifically, this malware's purpose was to escalate privileges. So that means if you get on a system as a low-level user, it'll promote you to a user with administrator rights. So now you can do anything you want on that system. Kind of like if you were to just walk into the front door of a prison and convince the guards that you actually own the prison and to give you all the keys.
Darknet Diaries
135: The D.R. Incident
Being able to escalate your privileges is a crucial step at getting full control of a computer. And this could be the beginning of a big deal. And just as Omar was about to tell someone about this, news broke out.
Darknet Diaries
135: The D.R. Incident
Wait, quantum ransomware? Gosh, a totally different group hit them? It makes me want to make a meme out of all this ransomware news. Enough is enough. I've had it with this mother flipping ransomware on these mother flipping computers. Just when you tune your eyes to be able to see and detect a certain kind of malware, you get blindsided by a totally different kind.
Darknet Diaries
135: The D.R. Incident
And whatever that malware was that Omar found on that web server, that had nothing to do with this quantum ransomware.
Darknet Diaries
135: The D.R. Incident
Luckily, they detected this quite quickly and called Omar in very early. He got in his car and drove down to the data center that was infected. And when he got on the systems there, he was able to see the people who were behind the quantum ransomware typing out commands infecting more systems. So because he reacted so quickly, he was able to stop the spread of it from getting on more machines.
Darknet Diaries
135: The D.R. Incident
And this is a stressful situation. I don't know if you've ever gotten your computer or phone infected, but anytime this happens, you have to wonder, did you clean your device good enough? Are they still in there? And you never actually know. You sort of have to cross your fingers and hope the attackers will let you know if they're in there still.
Darknet Diaries
135: The D.R. Incident
Even though he's kicked them out of this one system, it's hard to tell if they just come right back in or what other systems they may have access to. It's like trying to build a dam in the dark with just sticks and rocks.
Darknet Diaries
135: The D.R. Incident
No attribution on the final report for the quantum ransomware infection. Okay. Attribution means figuring out who did this. And they couldn't figure it out. There just simply wasn't enough clues. It seemed to be fairly common malware with no clear path leading to anyone in particular. All it seemed was that it was financially motivated.
Darknet Diaries
135: The D.R. Incident
They wanted money and that's the whole reason why they did this. And I think there's three main categories for different types of attackers. There's the hacktivist type people who are hacking into things just for fun or to make a point, like those defacing websites. And then there are people who are financially motivated. They're only there to make money.
Darknet Diaries
135: The D.R. Incident
I tell you this because after listening to today's story, I get that same feeling of feeling afraid and helpless.
Darknet Diaries
135: The D.R. Incident
And then there are more sophisticated groups there trying to steal state secrets or something. I mean, they might even have spies on the ground of the place they're trying to break into. If you know who your adversary is, you can combat against that particular threat more effectively. You can prepare better and be more alert.
Darknet Diaries
135: The D.R. Incident
So it's important to understand the landscape of who can and who is and who should and who would be attacking you. When you're dealing with ransomware, you're typically up against someone who just wants money. And if you don't pay it or make it really hard for them, they'll probably just move on to an easier target. So after this attack, things settled down. Omar went back to his normal duties.
Darknet Diaries
135: The D.R. Incident
Okay, so they got a new tool to look at the domains that each organization is reaching out to and each domain that's connecting into the government's network. Now, they took this data and cross-referenced it with known malicious domains in the world. And this is called threat intelligence.