If you're a security researcher who wants to share your developments and insights with the wider community (and gain some peer recognition into the bargain), you have a few options: present at conferences; write papers, blogs, or Twitter threads; submit CVEs; or enter CTFs (capture-the-flag competitions) and vulnerability research contests like Pwn2Own. The legitimate side of the house is awash with options.
But what if you're a threat actor, whose research is usually more clandestine? In theory, there's nothing stopping you from doing any of the above – but it might (and almost certainly will) draw unwanted attention and be counter-productive. Better to share it with other threat actors, perhaps – but how, and where?
If there's one thing criminal marketplaces do well, it's satisfying the needs and demands of criminals, and this area is no exception. For several years, prominent Russian-language cybercrime forums like Exploit and XSS have run annual research contests for their members, with monetary prizes put up by sponsors – usually prominent threat actor groups.
As Digital Shadows notes in the article linked above, early contests were simple, involving trivia quizzes, graphic design competitions, or guessing games. We'll dig into exactly how today's contests work shortly, but the key point is that they're very different from those first, basic competitions. Recent contests are more akin to conventional Calls for Papers (CFPs) for legitimate security conferences – with users invited to submit 'articles' on technical topics, complete with source code, videos, and/or screenshots.
And unlike those earlier contests, today's events are big draws for threat actors. That's partly because a considerable amount of money is up for grabs – not as much as Pwn2Own or the Tianfu Cup, but not exactly pocket change, either – and also because they're an opportunity for threat actors to gain recognition and plaudits from their peers.
While the fact that these contests exist is interesting in itself, their entries give us some insight into threat actor innovation: what they're working on, what obstacles they're seeking to overcome and how, and what their peers deem important.
How contests work
Forums usually run their contests annually, although the last one on Exploit closed in May 2021, and at the time of writing there hasn't been another. The process is fairly simple: an admin announces the contest, and specifies the deadline, topic area, and rules.
Any user of the forum can submit an entry, typically by posting it in a dedicated thread. At the deadline, admins disqualify any entries which don't meet the rules (e.g., they're below a minimum word limit, or have been plagiarized), and the rest are put to a public vote on the forum.
Exploit's most recent contest at this writing was launched on April 20, 2021, with a total prize fund of $80,000 USD. The contest was themed around cryptocurrencies, with articles requested on attacks, thefts, weaknesses, and vulnerabilities. Specifically, the administrator suggested the following topics:
- Non-standard ways of extracting private keys and wallets
- Staking, farming and landing, unusual author's methods of passive income
- Mining in 2021, types of mining, equipment (other than the banal BitMain), non-standard mining software
- A large encyclopedia, describe in an accessible language the most unusual and atypical nuances of cryptocurrency protocols
- Smart contracts and everything connected with them, features of work
- NFT – where to start? the path from understanding the essence to the first earnings
- Author's software for working with cryptocurrencies (private keys, parsers, brute, etc.)
- Overview of hardware wallets and features of working with them
- Tokens, creation, promotion (all possible networks)
- Analysis (technical and financial) of cryptocurrencies
- Security of working with cryptocurrencies, other than banal things
- DeFi-segment, author's articles in general on the topic
- We raise our blockchain server of the main cryptocurrencies
- Automation of payments when working with cryptocurrency, payment management, data processing

Figure 1: The announcement of the Exploit contest in April 2021, seen in translation in the bullet list above
The contest began on April 21, 2021 and closed to entries a month later, with the winners announced in September.
XSS's latest competition ran from March 17 until July 1, 2022 and had a more modest prize fund of $40,000, although this was a considerable increase on the previous year's pool of $15,000.
That contest was more general, with the following listed as acceptable topics:
- Methods for pinning in user or kernel mode on Windows and Linux
- Creation and modification of 0/1day exploits for Windows or Linux
- Reversing: analysis and modification of malicious code
- Methods for countering security software, hiding malicious code
- Pentesting Active Directory: privilege escalation, data collection, working with frameworks for post-exploitation
- Social engineering, fraud: analysis of real cases, my own experience
- Radio-electronic weapons: operation, assembly and modification of equipment
- Malware development
- Low level programming
- Web vulnerabilities and their exploitation

Figure 2: XSS launches its latest contest in March 2022, seen in translation in the bullet list above
For both contests, any member of the forum is allowed to participate, regardless of when they registered or how many posts they've made. Entries are either submitted in a special section of the forum, or in the announcement thread with a special title.
Rules
Both Exploit and XSS contests stipulate specific rules for entry.
Exploit's rules
- Entries must not have been published elsewhere, and must belong to the author
- Entries must be "meaningful and voluminous, touch on all aspects of the proposed topic, [and] describe the mechanisms, practices and tools used"
- Entries should contain technical details, in the form of algorithms, code, and/or diagrams
- Articles should be at least 5000 characters (excluding spaces)
XSS's rules
- Maximum of three entries per participant
- Entries should be the author's work ("copy-paste = expulsion from the contest, in disgrace")
- Entries should be published exclusively on the forum
- Articles should be at least 7000 characters
- Entries should have a practical application, and shouldn't be "boring theory, in its pure form, nobody is interested in theory"
- Entries should use proper formatting, spelling, and punctuation
The XSS rules also include some guidance on the ideal article: "theory + practice + live real examples + your opinion/experience + thematic analysis of the material + screenshots + video demonstration."
Many of these rules will be familiar to anyone who's submitted to a conference CFP, a sign that criminal forums are seeking to legitimize and professionalize their contests.
Sponsors
For several years, prominent members of the criminal community have sponsored contests on Exploit and XSS, with previous sponsors including All World Cards, a well-known carding group, and LockBit.
The sponsor of the most recent Exploit contest was a user called CryptoManiac, who contributed $15,000, but the forum administrators themselves stumped up most of the money, writing: "The forum allocates $100,000, sponsors, if they wish, can increase the prize fund, for this they will be given special thanks in this topic."
The sponsor of XSS's 2022 contest was a threat actor called Alan Wake (after the video game of the same name), who has previously been accused by LockBit of being the leader of the Conti and Black Basta ransomware groups.

Figure 3: The XSS admin thanks the contest's sponsor, Alan Wake
As if the prizes weren't incentive enough, the admin advises that: "If your sponsor likes your article, after the end of the competition you will be offered a highly paid job in the Alan Wake team."
Voting
Both Exploit and XSS claim to run a democratic process for selecting contest winners. Entries which fulfil the requirements (those which don't are disqualified) are put to a vote, with all forum users invited to take part.
However, both processes seem to lack transparency, and it's unclear how much weight individual votes carry. The Exploit admin writes that "since there are often cases of fraud and vote cheating…the final decision will be made by the forum team and me specifically, we will definitely take into account the results of the general vote."
Over on XSS, the admin notes that "suspicious and stuffed votes" will be removed. Moreover, votes by the admin and the sponsor(s) account for an "increased percentage."
Both contests make the poll results visible to all users.

Figure 4: The Exploit contest poll
Entries
Both forums received a similar number of entries in their most recent contests: 35 on Exploit (with 3 individual prizes, plus 5 honorable mentions), and 38 – excluding 10 disqualified entries – on XSS (7 individual prizes).
While the Exploit contest was themed specifically around cryptocurrencies, XSS's was more diverse, and topics ranged from social engineering and attack vectors to evasion and scam proposals. Cobalt Strike was a popular topic, with three of the seven prize-winning entries focusing on the legitimate pentesting tool often abused by threat actors. Other common topics included tutorials about attack vectors and finding vulnerabilities (eight entries); crypto-related scams (six entries); and evasion (five entries).
Let's examine the top-placed entries.
Exploit
First place: Fake blockchain: From idea to implementation!
The winning entry in Exploit's most recent contest was relatively simplistic – creating a cloned version of blockchain.com (using a GitHub repository) to harvest credentials. The author had to overcome several technical difficulties, such as configuring the cloned site's authorization routine, and setting up a reverse proxy to bypass the Cross-Origin Resource Sharing (CORS) mechanism, but a cloned site like this would typically be used like any other phishing or credential-harvesting site. Because the target is a cryptocurrency exchange/wallet site, this could potentially be a lucrative attack.

Figure 5: A screenshot from the winning entry in the Exploit contest
Second place: ICO: Wild hunt Price: $0, profit: $742
In second place, another relatively basic attack, this time targeting initial coin offerings (ICOs) – a way to raise funds for launching a new cryptocurrency. The author provides a tutorial on looking for suitable ICOs to target (small, but with about 20,000 views a month), and then gives instructions on using well-known tools like sqlmap to find and exploit SQL injection vulnerabilities, in order to extract user data and tokens from databases.
Third place: Extraction of private keys and wallets
The third-placed entry in the Exploit contest was a tutorial on creating a phishing site and processing sensitive cryptocurrency-related data (secret phrases, wallets, etc.) via Telegram.
Honorable mention: We write blockchain and cryptocurrency from scratch in an hour
A tutorial on creating a cryptocurrency from scratch. It's worth noting that there have been free and publicly available tutorials on how to do this for several years.

Figure 6: A screenshot from the 'We write blockchain and cryptocurrency from scratch in an hour' article
Honorable mention: Fake blockchain API
A slightly more complex entry, this article advocates creating a malicious library to be used by a "lazy developer" when building cryptocurrency applications. The entry includes advice on creating the library and tips to make it attractive to developers (free, simple, anonymous, useful functionality, etc.); how to write and hide the malicious components of the library (i.e., how to intercept, encrypt, and covertly process sensitive data such as private keys); and how to process the resulting stolen data.
Honorable mention: Bruting crypt for example Bitcoin
Another simple tutorial, this entry comprised a guide on mass-scanning for Bitcoin daemons which accept incoming connections, and then bruteforcing them to access sensitive data.

Figure 7: An extract from the code provided in the 'Bruting crypt for example Bitcoin' article
Honorable mention: We squeeze the logs to dryness
In this entry, the author discusses parsing "logs" (presumably logs from infostealers such as Redline or Raccoon Stealer, which are collections of stolen cookies, browsing history, and tokens) in order to find cryptocurrency-specific information.

Figure 8: A screenshot from the 'We squeeze the logs to dryness' article
Honorable mention: Bitcoin price peak: When and where to exit the crypto?
In the final honorable mention, the author writes a 50-page article (by far the longest entry) on how and when to sell Bitcoin. It dives into the psychology of investing, cryptocurrency economics, and market cycles, and doesn't include any information specific to cybercrime, although the content is likely to be of interest to threat actors who hold and/or trade in Bitcoin as part of their activities. It also includes tips on how to sell Bitcoin – for instance, staggering sales, investing in stablecoins or tokenized stocks, and so on.
XSS
First place: 20 years of payment acceptance problems
The winning entry in the XSS contest gives an overview of vulnerabilities in electronic payment systems. It discusses the architecture of some of these systems, and typical vulnerabilities within them – including lack of signature verification; length extension attacks; intercepting and altering price and currency information (a technique that has been around for many years); business logic flaws; rounding, overflow, and negative number errors; and race conditions. It also provides some case studies of vulnerabilities in electronic payment systems which have been exploited in the past.

Figure 9: A screenshot from the winning entry in the XSS contest. This particular screenshot was provided by the author as proof that they could intercept and alter the payment amount to a paid Telegram bot
Two particularly interesting things about this entry: 1) it gives readers 'homework,' encouraging them to try various attacks for themselves; and 2) it discusses a specific vulnerability in the XSS forum itself, whereby a race condition in the Bitcoin transfer system allowed users to effectively generate cryptocurrency out of thin air.
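As an added example (written for this page; it is not code from the winning entry or from the forum), here is a defender's-side sketch in Python of the checks that close several of the flaw classes listed above: a keyed HMAC instead of an unkeyed hash over the callback fields, validation of amount and currency against the merchant's own order record (rejecting negative, zero, NaN and over-precise values), idempotent processing of callbacks, and an atomic check-and-debit for internal balance transfers, the kind of transfer the race condition on XSS's own Bitcoin system abused. The order id, shared secret and balances are constructed sample data.

```python
import hashlib
import hmac
import threading
from decimal import Decimal, InvalidOperation

# Constructed sample data (not from the article): one stored order, the provider secret, balances.
ORDERS = {"order-1001": {"amount": Decimal("49.99"), "currency": "USD", "paid": False}}
SHARED_SECRET = b"example-shared-secret"  # hypothetical; load from a vault in practice
BALANCES = {"alice": Decimal("10"), "bob": Decimal("0")}
_lock = threading.Lock()

def sign(params: dict, secret: bytes) -> str:
    # Keyed HMAC over a deterministic field string. Unlike sha256(secret + fields), the
    # unkeyed-hash pattern the entry criticizes, HMAC is not subject to length extension.
    fields = "|".join(f"{k}={v}" for k, v in sorted(params.items())).encode()
    return hmac.new(secret, fields, hashlib.sha256).hexdigest()

def parse_amount(value):
    # Returns a Decimal only for finite, positive values with at most two decimals, else None.
    try:
        amount = Decimal(str(value))
    except InvalidOperation:
        return None
    if not amount.is_finite() or amount <= 0 or amount != amount.quantize(Decimal("0.01")):
        return None  # rejects negative, zero, NaN/Infinity and over-precise amounts
    return amount

def verify_callback(callback: dict, secret: bytes = SHARED_SECRET) -> tuple:
    # Validate a provider callback against the merchant's stored order; returns (accepted, reason).
    params = {k: v for k, v in callback.items() if k != "sig"}
    if not hmac.compare_digest(sign(params, secret), str(callback.get("sig", ""))):
        return False, "bad signature"  # tampered fields, or a missing or forged sig
    order = ORDERS.get(params.get("order_id"))
    if order is None:
        return False, "unknown order"
    amount = parse_amount(params.get("amount"))
    if amount is None:
        return False, "invalid amount"
    # The stored order, never the callback, says what was actually owed.
    if amount != order["amount"] or params.get("currency") != order["currency"]:
        return False, "amount/currency mismatch"
    with _lock:  # idempotent: a replayed callback must not credit the order twice
        if order["paid"]:
            return False, "already processed"
        order["paid"] = True
    return True, "ok"

def transfer(src: str, dst: str, amount) -> bool:
    # Atomic check-and-debit under one lock, so concurrent withdrawals cannot all pass the check.
    amount = parse_amount(amount)
    if amount is None:
        return False
    with _lock:
        if BALANCES.get(src, Decimal(0)) < amount:
            return False
        BALANCES[src] -= amount
        BALANCES[dst] = BALANCES.get(dst, Decimal(0)) + amount
    return True

def concurrent_withdrawals(n: int, amount) -> int:
    # Race n threads moving `amount` out of a fresh account holding exactly `amount`; returns successes.
    BALANCES["race"], BALANCES["sink"], results = Decimal(str(amount)), Decimal(0), []
    workers = [threading.Thread(target=lambda: results.append(transfer("race", "sink", amount)))
               for _ in range(n)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return sum(results)
```

With the lock in place `concurrent_withdrawals(20, "5")` returns 1; removing the lock (or checking the balance outside it) is the bug shape the entry describes, where several of the twenty can pass the check.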
Second place: Remote Potato Zero and Cobalt Strike
In second place, a much more technical article, purportedly based on the author's experiences attacking an Active Directory environment where members of the Domain Users group had the ability to remotely connect to domain controllers via RDP. The author sought to escalate privileges, and in their article they argue that Remote Potato, together with Cobalt Strike, is an effective means to do this in some environments.
The author discusses how to hide Remote Potato from Windows Defender, how to use it in different scenarios, and the use of other tools, including Ngrok and Socat.

Figure 10: A screenshot from the 'Remote Potato Zero and Cobalt Strike' article
Third place: Disable Windows Defender (plus UAC bypass and elevate to SYSTEM)
The third-placed entry includes a tutorial on manipulating privilege tokens in order to disable Windows Defender. Specifically, the author outlines an attack flow involving obtaining administrative privileges with a UAC bypass, escalating to SYSTEM by stealing a token and starting a process, and then disabling Defender.
Fourth place: Hide your Cobalt Strike like a pro!
In fourth place, this article is a deep technical dive into various ways to hide Cobalt Strike from detection, and is one of several in a series. The methods advocated by the author include using Tor and OpenVPN for Cobalt Strike's TeamServer, DNSCrypt, domain randomizers, and a JARM randomizer. The author also provides a step-by-step guide on modifying Cobalt Strike's source code and obfuscating beacons.

Figure 11: A screenshot from the 'Hide your Cobalt Strike like a pro!' article
Fifth place: Cobalt Strike A-Z
In yet another Cobalt Strike-related article, though not quite as wide-ranging as the title would suggest, an entrant discusses using DLL hijacking together with Cobalt Strike.
Sixth place: Scam crypto big
The sixth-placed entry talks about abusing the standards of smart contracts, and specifically how to create smart contracts to secretly withdraw a victim's tokens. It also covers various methods to distribute malicious contracts, including AirDrop, Discord, email, and malvertising.

Figure 12: Code from the 'Scam crypto big' article
Seventh place: NoSQL injection
Finally, in the last placed entry, the author provides a primer on NoSQL injection, the differences between it and SQL injection, and a tutorial on some of the causes.
Other noteworthy entries
Exploit
We make a hardware cryptocurrency wallet with our own hands
This entry was particularly noteworthy as it was the only one, on either forum, which specifically covered hardware. The author provides a guide on making a hardware cryptocurrency wallet, from theory to practice, complete with CAD drawings and photographs. As with the guide on exiting Bitcoin, this article doesn't have much relevance to cybercrime, and is more aimed at helping users to protect their funds rather than having to trust off-the-shelf wallets.
In line with this goal, the author also provides a lot of OPSEC advice relating to hardware wallets, and information regarding various known attacks against them, including malicious firmware updates; brute-forcing PIN codes; fault injection; supply chain attacks; and surveillance.

Figure 13: A photograph included in the 'We make a hardware cryptocurrency wallet with our own hands' article
Smart contract vulnerabilities
A primer on smart contracts and the Ethereum Virtual Machine (EVM), and a guide on how to create a basic contract. The author discusses various vulnerabilities, including access control, front-running, time manipulation, arithmetic issues, and re-entrancy, and then moves on to writing exploits to leverage them.

Figure 14: A screenshot from the 'Smart contract vulnerabilities' article
XSS
Elegantly breed daddies on lavender
In this rather cryptically titled entry, the author provides instructions on socially engineering and scamming customers of webcam models, specifically those users who pay to watch videos of performers. The article covers some details on socially engineering victims and how to build rapport with them, before moving on to obtaining and illicitly selling videos.
BitTorrent botnet – from design to implementation
A relatively innovative entry, this article describes a problem faced by botnet operators – that control servers get shut down – and proposes a solution: the distributed hash table (DHT) feature in BitTorrent.

Figure 15: A diagram included in the 'BitTorrent botnet – from design to implementation' article
Conclusion
The fact that users of criminal forums are designing, running, and participating in research contests suggests that they seek to foster innovation, especially when it comes to new methods of attack and evasion. The sponsorship of these contests by prominent threat actors is further evidence that this is a goal shared among broad sections of the criminal community. It's worth noting that, in at least one case, past contests have served as a kind of recruitment tool for prominent threat actor groups.
In the contests themselves, we noted an increased interest in Web3-related topics, notably cryptocurrencies, smart contracts, and NFTs – to the extent that Exploit's most recent contest was specifically themed around this subject. However, even in the latest XSS contest – which gave entrants a much wider scope – there were still a significant number of related entries.
More generally, there seems to be a reasonable amount of innovation regarding topics like evasion and privilege escalation, especially in the context of improving or augmenting pre-existing tools like Cobalt Strike.
However, on the whole, there was less innovation than we expected. Even highly placed articles often contained little novel material, and were generally just basic tutorials or guides containing information that's already public. Indeed, in our opinion, there was less original research compared to many prominent security industry contests and conferences.
Winning or highly placed entries tended to be either relatively simplistic, with a broad appeal, or were focused on methods which can be put to practical use, even if those methods weren't new. The fact that these entries were voted for by the authors' peers may suggest that this is reflective of the wider community's preferences and priorities.
Of course, it may be that threat actors are just not that keen to share cutting-edge tools and techniques with each other publicly, and instead keep their best research to themselves – perhaps reasoning that they could realize more profit by using them in real-world attacks, rather than by entering contests.
Competitions on criminal forums are a longstanding, albeit not widely known, feature, and are likely to continue in one form or another. But, going by the most recent entries, they aren't likely to become a hotbed of disruption and innovation in the near future.
By Matt Wixey