Exploitation Techniques and Attacks on Hosting Assets and Access for Resale

Offered By: Hack In The Box Security Conference via YouTube

Tags

Hack In The Box Security Conference Courses, Data Analysis Courses, Cybersecurity Courses, Network Security Courses, Incident Response Courses, Lateral Movement Courses, Supply Chain Attacks Courses

Course Description

Overview

Explore exploitation techniques and attacks on hosting assets in this 54-minute conference talk from the Hack In The Box Security Conference. Delve into the lifecycle of compromised network assets, examining real-world examples from honeypots and monitoring systems. Learn about common exploitation techniques used by attackers to gain initial footholds, methods of lateral movement within compromised networks, and the process of selling access to acquired resources. Discover how compromised assets are monetized while awaiting higher bidders, and investigate a case study revealing the consequences when an asset is sold to the highest bidder. Analyze attacker techniques in supply-chain attack scenarios and examine these cases from a defender's perspective. Identify potential red flags for incident response teams, understand attacker actions and intentions, and predict potential next steps. Gain valuable insights for network security analysts based on unique data analysis and views on attacker exploitation techniques. Presented by Vladimir Kropotov, a researcher with Trend Micro FTR team, and Fyodor Yarochkin, a researcher at Trend Micro and incident investigation volunteer at Academia Sinica.

Syllabus

Intro
Players, services, prices and means of delivery
Here is an example of a seller
Telegram channels have bots to buy hosts
Types of "hosting" machines at a glance
Dedicated shops
Proxies on victimized hosts
Clouds
We can come back to the same threat actor we have seen before
Credentials parsing
Credentials validation
Automation of RDP probing
Sources of credentials
Another example: Electronic maker
Level of access
Primary targets in Organizations
Example: Ryuk - use of old vulns
Access and lateral movements sales
The same seller
How access to acquired resources is sold
Empower of cloud technologies
Dedicated server with PP balance 21k USD
Lifecycle of compromised asset
Two more weeks, $500 000 ransom
1 more week, Not Paid, password published


Taught by

Hack In The Box Security Conference
