The QuantumFilament hackers, or one of their customers, post fake job, real estate and car ads to Craigslist. These advertisements have the following common characteristics:
- Target audience is in Virginia, Maryland, Pennsylvania or Washington, DC
- Contains no hyperlink and no specific reply instructions
- Registers with Hotmail or Yahoo e-mail addresses
- 16 of the 20 unique Hotmail addresses ended in four digits
- All Craigslist passwords were 10 characters in length, all lowercase, seemingly random letters
Many ads appear to be copies of ads from legitimate companies. The fake ad poster periodically logged into the associated webmail accounts to check for replies to his fake Craigslist ads. In the instances in which this could be verified, no replies were ever sent by the fake ad poster. The poster simply received whatever replies he could get, the replies often including personal information and resumes. I hypothesize whatever personal information is volunteered by responders is reviewed for information that could be sold or exploited in the dark web, such as phone numbers, e-mail addresses, postal addresses, and identity information.
|Date||Title||Notes||Craigslist registration||Craigslist password|
|2015-08-19||.NET custom Developer,SSRS Report Developeremail@example.com||huwreslouc|
|2015-08-20||Full-Time Product Specialist – Worcester, PA||A position at Grainger Industrial Supply, a real Fortune 500 firstname.lastname@example.org||wriwriamou|
|2015-08-21||Accountant / Office Adminemail@example.com||ueagaijeac|
|2015-08-22||Microsoft Office Specialist/Quickbooks Instructor – PT||A position at ASI Career Institute, a real firstname.lastname@example.org||wraiheathu|
|2015-08-24||Automotive Dealership Cashieremail@example.com||wriwriamou|
|2015-08-25||Dining Services Captainfirstname.lastname@example.org||wraiheathu|
|2015-08-25||Financial Crimes Lead||A position at Barclaycard US, a large financial email@example.com||sofraicrio|
|2015-08-27||Kitchen Manager||A position at Del Frisco’s Grille, a restaurant chain with 22 locations firstname.lastname@example.org||wriwriamou|
|2015-08-28||Client Services Specialist||A position at Survivors, Inc., in Gettysburg, PAemail@example.com||kianicifri|
|2015-08-28||Administrative Assistant I – Immediatefirstname.lastname@example.org||ueagaijeac|
|2015-08-28||Spacious 1br Apartment, New Floor, Fresh Paintemail@example.com||uaegurioth|
|2015-08-31||Legal Secretary-Northern Virginiafirstname.lastname@example.org||ueagaijeac|
|2015-09-01||Front Desk Coordinatoremail@example.com||roclaithou|
|2015-09-02||CamRY SHiFtKSh 2000 toYotAfirstname.lastname@example.org|
|2015-09-04||Renovated Home For Rent/lease, A Quiet Communityemail@example.com||frephaecri|
|2015-09-04||Interior Specialist Sales Associate’s – Part Time||A position at Arhaus Furniture, a real furniture store firstname.lastname@example.org||lotastiowr|
|2015-09-04||NICEgPrp HoNDa ciVIC LX email@example.com|
|2015-09-04||woRkSzCqAc CamrY 2000 sILVEr TOYotAfirstname.lastname@example.org|
|2015-09-06||Automotive Sales Consultant – Auto Sales Representative||A position at Frankel, a chain of car dealerships in Marylandemail@example.com||slacihaica|
|2015-09-06||20oo ford ranger lOwEUaXofirstname.lastname@example.org|
|2015-09-06||98 jeep grand cherokee ownErzSoITemail@example.com|
|2015-09-06||Administrative Support Specialist Neededfirstname.lastname@example.org|
|2015-09-06||Senior Meeting Planneremail@example.com||roclaithou|
|2015-09-07||Safe and quiet neighborhood, comprehensive list or firstname.lastname@example.org||jadaprouha|
|2015-09-08||Assisted Living Administrator||A position at Asbury Methodist Community, a retirement community in Marylandemail@example.com||pheacaeuou|
|2015-09-11||Payroll Specialist||A position at paychex, Inc., a real firstname.lastname@example.org||hiolabuvod|
|2015-09-12||Dining Server||A position at Brightview Senior Living, a retirement email@example.com||lotastiowr|
|2015-09-12||Technician / Automotive Mechanic||A position at Mercedes Benz of Owings Mills, Marylandfirstname.lastname@example.org||gelouuouci|
|2015-09-13||Finance & Insurance Manager / Automotive Finance Manager||A position at MileOne, Herb Gordon Volvo Subaru, a car dealership in Marylandemail@example.com||pheacaeuou|
|Password||Ashley Madison rank||Paypal attempts rank|
Now let’s examine the rest of the top 20 passwords tried against Paypal accounts by the QuantumFilament hackers (or someone using their network of hacked routers).
|Password||Paypal attempts rank||Ashley Madison rank|
The results don’t correlate perfectly, but it does suggest one source for the attempted Paypal logins might be the e-mail addresses and passwords of Ashley Madison users.
The QuantumFilament network logged into Skype using stolen credentials to send instant messaging spam. The spam was written in the Cyrillic alphabet, and was most likely written in the Russian language.
|Compromised usernames with passwords||623|
|Spam messages attempted||6,340|
|Spam messages rejected due to rate limiting||240|
From the perspective of the Skype administrators, the login attempts and instant messages would appear to originate from the IP addresses of QF’s hacked routers.
Here are the text of the Cyrillic alphabet instant messages:
So far, this blog has established that a group of cyber operators breaks into home and office routers, and installs software on the routers. I will provide one example of what comes next.
One of the programs installed on the routers turns the routers into a proxy. A proxy is a service that can be used to disguise the original source of network traffic.
The QuantumFilament operators, or one of their customers using QuantumFilament’s network of hacked routers, tried to log into a financial service 16,991 times. The 16,991 attempted logins used 16,971 unique user IDs. The success rate was about 1.33%.
I have contacted the financial service offering to share my information about the hacked accounts.
The financial service has an Apple iOS mobile app, and the evidence indicates the QuantumFilament hackers or customers are using the same internal API calls as the iOS mobile app to try to log into the financial service accounts. When the hacker’s program tries to log into the financial service, it sends along information about an Apple iOS device. Most likely, the programmer who built the alternative login app copied the template of the real financial service app running on a real Apple iOS device. Here is some of the information sent by the hacker’s login app, common to all 16,991 login requests.
|Operating system||Jailbreak iOS 9.1|
|Language setting||ru (Russian)|
|LAN IP address||192.168.0.102|
The original programmer who reverse engineered the internal API of the financial service likely copied the submission values from the legitimate Apple iOS app, and this iOS app was probably running on a jailbroken iPhone, located in Russia, in the Moscow time zone.
Its true. IP 220.127.116.11, registered to Serverel, made a couple thousand connections to login.live.com and http://www.outlook.com from 16:13 UTC to 21:41 UTC 25 August. Time to tell the Serverel NOC.
Update: Serverel responds:
based on information from this customer, this server is not in use and he really forgot about him. i.e. server is 100% hacked, our customer will cancel this server in few hours and we will power it off next.
Hackers thrive on accessing neglected, abandoned or forgotten computers. With the space, CPU power and bandwidth of a server, without any accountability or expense, hackers can turn forgotten servers into anything–a launching pad for more hacks, storage space for data–anything.
Today, August 25, from 1410 to 1446 UTC, an IP address registered to SERVEREL, a data center or hosting provider based in California, used the QuantumFilament proxy network to access the Tumblr blogging site. Most likely that IP address at SERVEREL, 18.104.22.168, is a third IP address at SERVEREL that has been compromised and used by the QF group. How many more IP addresses at SERVEREL have been hacked and are being abused? I could tell SERVEREL about this, but that doesn’t really solve their issue.
Update 1: Serverel has now been informed. I see activity from this Serverel IP going back to August 3. Even if QuantumFilament is kicked out of Serverel, they hhav hacked into additional data centers/hosting providers worldwide.
Update 2: Serverel writes back:
many thanks for your report. 22.214.171.124 is used by our customer since June 2012 and i think this server could be compromised. This is 100% legitimate customer.
Serverel’s emphasis is that there is a live, legitimate customer using this IP, and they don’t want administrators around the Internet to block this IP, thereby blocking the real customer’s connectivity.
Update 3: More from Serverel:
looks like this server is really in use, we ask end user to escalate this issue and find what is a reason for this report.
There are many different areas of expertise in cyber security, each area is quite important and distinct. Some people write security policies or handle communications during an incident. Others examine a hard drive and recover lost, hidden or deleted files. Others examine a suspicious binary program and can reverse engineer that program, revealing its function, algorithms and communication protocols.
My particular expertise is the examination of the recordings of traffic traveling on or through a network. Practically all activities online (e-mail, web browsing, social media and voice-over-IP, to name just a few) involve one device communicating with another device, and this traffic can be recorded and analyzed. One of the most common open source software tools to analyze recorded network traffic is Wireshark, and its command line counterpart, TShark.
TShark is very powerful because, like Wireshark, it can parse protocols such as web and e-mail and display this information. In addition, TShark’s output can be easily saved to a file. This output can then be read and processed by additional programs or scripts.
This simplified example uses TShark to read a file called “traffic”, and instructs TShark to output information about any web, e-mail or proxy activity captured.
tshark -r traffic -T fields -e frame.number -e frame.time -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e socks.dst -e socks.remote_name -e socks.port -e http.request.full_uri -e ssl.handshake.extensions_server_name -e imf.from -e imf.to -e imf.subject
Wireshark and TShark are critical tools for this research, so it was frustrating when TShark routinely crashed. Wireshark understands hundreds of protocols and formats used on the Internet, but doing this is not simple, and software bugs are inevitable. Still, I was very frustrated. I could try to work around the crashes, but the situation was definitely not ideal.
Wireshark is open source software, which means any volunteer can modify and fix sourcecode. But first I had to report the bug. I examined the network traffic files that crashed Wireshark, and tried to look for commonalities. I wanted to tell the Wireshark team why I thought the program crashed. Being unsuccessful, I then constructed the smallest file I could that still crashed the program, and reported the bug to the Wireshark developers.
I was convinced the crashes were due to a bug in the interpretation of the network traffic. But instead, the bug was in something more fundamental. I had discovered a bug in the part of Wireshark that managed system memory. The bug was diagnosed and fixed on the same day, and the Wireshark team issued a security advisory for this memory management bug.
I later reported a more mundane bug that was caused by misinterpretation of Internet traffic. As a result of these fixes, I have to ensure all of my computers run Wireshark 1.12.7 or later.
Initially, all I could observe of the QuantumFilament group’s activities was the scanning for and hacking of Linksys and Asus routers. I wondered if the scanning was due to a worm, a program that spreads automatically without human intervention. The scanning and method of infection reminded me of the SQL Slammer worm of 2003.
But careful observation proves that QuantumFilament cyber operations are not just about scanning and infecting routers, and it is not accidental. There are human hands and human minds behind the activity.
- Purpose. The group of hacked routers are used to do other things. A discussion on these “other things” is saved for a later chapter.
- Long-term operation. The software programs run on the routers have internal version numbers and update mechanisms. The QF cyber operators built technical mechanisms in the code to check for and track different versions of the same program, and to report these version numbers to the command-and-control servers.
- Adapts to setbacks. The QF cyber operators reacted to the takedown of their server by switching to different servers, more than once.
- Redundant communication. The .nttpd loader binary version 14 was programmed to communicate to five different command-and-control servers. The QF group only needed one of the five servers to be accessible in order to fully control their hacked routers.
At minimum, the QF operation has “users” that make use of the anonymity and resources provided by the hacked routers; software developers that write and modify the binary programs run on the routers; and operators to maintain the servers and other hacking infrastructure.
When I first read the Internet Storm Center post revealing the malware program and IP addresses of the QuantumFilament group, I was concerned. This research depends on the QF group’s continued activities, and I was concerned that such a public disclosure would cause the cyber operators to modify or suspend their activities. As it happened, two times over the next week the servers used by QF were shut down, and both times QF migrated to use different IP addresses.
There are pros and cons to disclosing information about an ongoing cyber operation.
Pros to disclosure
- Provides technical information to system administrators, who can use the information to prevent or detect attacks against their systems.
- Educates the professional cyber community on offensive tactics and techniques.
- Creates the possibility for disperate investigators tracking the same threat group to communicate and collaborate.
- Makes the cyber threat group work harder, as they have to spend time changing their programs, behavior or network addresses.
Cons to disclosure
- Puts future investigation at risk, because disclosure puts the threat group on notice they are being monitored. The cyber threat group could modify their methods and operations to make future investigation more difficult and costly. Generally any setbacks–and disclosure is a setback–makes the cyber threat group smarter. Smarter bad guys are harder to investigate and catch.
- Disclosure often does not protect average Internet users. Shutting down compromised servers is usually just a brief inconvenience, because most professional cyber groups have a practically unlimited supply of systems and IP addresses they can break into, and use to initiate their operations.
Most professional cyber operations have one of two goals: to steal money or to steal information. Relative to the physical world,, stealing money or information in cyberspace has a few distinct advantages:
- First, the landscape of cyberspace is truly flat. I can just as easily cause trouble around the block as I can cause trouble halfway around the world.
- Second, the cyber universe is not just flat, but fast too. All computers and devices on the planet that are connected to the Internet can be reached within seconds.
- Third, its far easier to be anonymous in cyberspace. At minimum it requires some paperwork (through a subpoena) to link a cyber identity to a real world identity. If a person takes steps to mask his cyber identity, it can take a lot more work than that to find his physical identity.
- And fourth, there is no one unified set of laws, let alone people to enforce these laws, in cyberspace. If I find that computers in China and Bangladesh are stealing my company’s information, I may have a hard time finding the authority and expertise, along with the language expertise and political will, to investigate the case.
Basically if someone is bent on doing bad in cyberspace, he or she can do it quickly, do it to a lot more people at once, and do it anonymously. Stealing money and stealing information over the Internet is actually easy, especially if one doesn’t have a specific target in mind. Given this, there are a lot more criminals and professionals doing bad, than there are professionals and investigators investigating. For most researchers, who have no legal authorities, public disclosure of what they observe is often the only action they can take.
The Internet Storm Center disclosure ended up giving me, the investigator, a unique look at QF’s reaction to a setback, namely the disclosure and elimination of two of the five IP addresses programmed into the loader binary version 14. In the next chapter, I will use this and other behavior to sketch a profile of this group.
The SANS Internet Storm Center is a group of cyber security professionals who volunteer their time, monitors security logs, and publishes information to the Internet community. On August 4, Johannes Ullrich published this post discussing the noisy Linksys router scanning of the QuantumFilament (QF) group. It is important to note that the security bug used by QF to break in was disclosed in February 2014, and that anyone can download a copy of some sourcecode over the Internet and try to break in using the same security vulnerability. The QF operations of 2015 may, or may not, be conducted by the same people distributing the Moon worm in 2014.
But software is more unique. I knew Johannes was talking about the group I was tracking because his post mentioned the same iptables firewall rules I found in the .nttpd loader binary. Johannes also identified one of the IP addresses, 126.96.36.199, as being an active facilitator in the activity. Further, Johannes reported this address to the responsible administrators, who “shut down the affected server shortly after being notified”.
My logs indicate the IP address 188.8.131.52 was online and facilitating QF operations until August 4 at 12:17 UTC. Interestingly, this IP briefly made a zombie appearance and was active for 19 minutes the next day, from 11:02 to 11:21 UTC on August 5.
QuantumFilament was not done with this hosting company, Serverel, quite yet. A second IP address, 184.108.40.206, was in the group of five IP addresses programmed into the .nttpd version 14 binary, which was first submitted to VirusTotal in April. This strongly suggests the QF cyber operators have had access to servers at Serverel since April. Beginning at 09:15 UTC August 6, this second IP 220.127.116.11 began to facilitate QF cyber operations, both sending out command and control packets via UDP, and fulfilling download request of additional QF tools over TCP. I made the Internet Storm Center aware of this, and QF cyber operations from 18.104.22.168 ceased at 10:27 UTC on August 10.
In the next post, I will explore the pros and cons of publishing information about ongoing hacking and cyber operations.