Omar Avilez
Appearances
Darknet Diaries
135: The D.R. Incident
So we discovered a C2 server that was, you know, utilized by Conti.
So that's when everybody started sending us emails and emails and emails. We analyzed hundreds of emails. Literally hundreds of emails. So the weird thing is about these emails that they were reading perfect Spanish, like they were not English, but perfect Spanish, like perfect Spanish.
At that time, it was June 2022, we had over five to six hundred emails, different emails, and all of them were different. So we didn't have one single email that was the same. But all of them, you know, shared one thing. All of them were about banking transactions or money or payments, something related to money. And also all of them had
a backdoor that the attackers were using, which was a backdoor known as Bandook.
And they compromised the company. So it was an important target.
What they did is that they used a user that was having a conversation with the existing administrator. So the existing administrator was waiting for that user to send him an attachment. So instead of the legitimate attachment, the existing administrator received the backdoor.
And we found out, you know, something that was very terrifying for us. Over 30 government organizations were compromised by that campaign, like really big organizations.
Let me tell you, you know, it was not just government organizations, but also critical infrastructure organizations.
Yeah, it was a very complicated moment. We didn't know what to do.
But after, you know, they did some things on the system, they now... It downloaded or installed a second malware, which was a Cobalt Strike implant, which was communicating to Conti C2.
A big bank overnight stopped working for over a month. So if that bank cannot operate, all the people that have the money on that bank, you know, how are they going to get their money out, or how can that affect the government or the economy? So that was something big, and we involved even more people to investigate.
So one of the first things that I did or I tried to do was call the people of Costa Rica because that happened to them. I wanted to know, you know, all about the incident.
FIRST is a forum for incident response. So like all the incident response teams all over the world just have a conference once or twice a year. So we all go to the conference. They know each other. So if anybody needs help, so we know who we can call.
We found out that the threat actor was on the system over time, 10 months ago. They were in these agencies for 10 months? Jeez. So when we discovered that, we tried to get to somebody else that may have more information than us. We get to our partners. So when we reach out to them and we show them all the information that we have, they... Russia, as in the Russian government?
It was very strange for me why Russia would compromise the Dominican Republic in that way, what interest they would have here, because in the Dominican Republic we have a lot of Russians, like a lot of Russians living here.
What would be their intention? And what that organization told us is that they were trying to experiment with some countries, something that they may do on a bigger scale. So they could not target some more mature countries like the United States or United Kingdom because they have better defense, so they were trying to do it in this part of the world. So what happened in Costa Rica...
Even though it's not public, I'm not saying that on behalf of the government. It's just my opinion. And what I know from what happened and from what I learned in the process, what happened in Costa Rica was part of that. And what was happening in the Dominican Republic was part of that.
And it was not just Costa Rica and the Dominican Republic, but also other countries in the Latin American region.
were involved in that. So as soon as we knew that, we started reaching out to those countries to let them know that this was happening, to send the indicators of compromise so that way they find out even earlier than us that something dangerous was happening in their country, so they were able to... those things, you know, before something really bad happened.
Yes, we did. So we call a national meeting with the big person supporting the government. So we inform the president and intelligence agencies about what we discovered.
Yeah, so they're not supposed to work together, so that thing went over our heads over and over. We overthink it, so why, why, why?
We do. So our current president, his family is from Lebanon. What?
They tried to, but they... Could not. The critical infrastructure works in what we call OT, which is operational technology.
Basically, I want to see all the computers where domain users are local admins.
This story starts much earlier, you know. Okay, so this is Omar, and he lives in the Dominican Republic, which is an island in the Caribbean Sea.
Let me introduce myself before I start talking about the incidents. So I used to work in the Dominican Republic National CSIRT, which is the National Cybersecurity Incident Response Team.
So when the incident in Costa Rica happens, they contact us just to ask for help.
You know, it was like a massive malware campaign in Costa Rica. They were targeting government organizations through phishing, exploiting vulnerabilities. But they, you know, compromised all the departments separately.
But the malware, the implant was on the system from 10 to 11 months ago.
It was a malware that did privilege escalation. So it exploited a Windows vulnerability that was unknown to the... Okay, this just got worse.
They exploited a vulnerability, an unfortunate firewall, that allowed them to have VPN access to the infrastructure. So with the VPN access, they managed to compromise the entire organization and then try to ransom the organization.
So... That went very public. So on the investigation, we found out the attacker got into the network via a phishing attack, but that didn't tell us much information. So we concluded the investigation or the report without any attribution. So we just know that somebody compromised the system.
And one day we got a tool to analyze all the DNS queries that the organization made. So we implemented that technology all around all government organizations so we can have a full visibility of what was happening on the government.