Barbarian or wizard: hackers are now categorized according to Dungeons & Dragons classes


A criminologist and an engineer have captured on video what hackers do when they discover servers with little or no protection. The result is hundreds of hours of very instructive recordings, which Dr. Andréanne Bergeron presented at the Black Hat USA conference.


The conference allowed Ms. Bergeron to explain how she managed to lure, spy on, understand and categorize hackers into various classes inspired by the universe of Dungeons and Dragons. To lure hackers, the researcher exposed a network of Windows PCs that were easy to exploit and control remotely through the RDP protocol.

After three years of operation of this “honeynet”, the investigator managed to accumulate no less than “190 million events, including 100 hours of video footage, 470 files collected from threat actors and over 20,000 RDP captures”.

The researcher classifies hackers into 5 categories taken from Dungeons and Dragons

Rangers explore the system of their victims from all angles, “they check the characteristics of the network and the host, and just perform reconnaissance by clicking anywhere or launching programs”. They are scouts, but their task ends there.

Thieves want to make RDP access profitable and turn the compromised system into a cryptocurrency mining tool, a practice now prohibited on Microsoft servers, or into proxyware, to sell victims’ bandwidth without their knowledge.

Barbarians attempt to break into other systems from the already compromised server using brute force techniques, as demonstrated in this video.

Magicians use RDP access as a portal to connect to another computer that has been similarly compromised. They hide their identity by jumping from one compromised host to another. Extremely competent and discreet, they only use the tools available to them on the compromised system.

Bards are individuals with no apparent skill who sometimes buy RDP access from other hackers.

Beyond the playful aspect of her presentation, which will no doubt appeal to role-playing enthusiasts, Ms. Bergeron hopes to have convinced the police and blue teams of the value of using this technique to collect ever more data on hackers and to better thwart them.

Source: GoSecure


