{"id":22794,"date":"2023-08-29T05:21:09","date_gmt":"2023-08-29T13:21:09","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/08\/29\/news-16524\/"},"modified":"2023-08-29T05:21:09","modified_gmt":"2023-08-29T13:21:09","slug":"news-16524","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/08\/29\/news-16524\/","title":{"rendered":"For the win? Offensive research contests on criminal forums"},"content":{"rendered":"<p><strong>Credit to Author: Matt Wixey| Date: Tue, 29 Aug 2023 10:00:17 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>If you\u2019re a security researcher who wants to share your innovations and insights with the wider community (and gain some peer recognition into the bargain), you\u2019ve got a few options: present at conferences; write papers, blogs, or Twitter threads; submit CVEs; or enter CTFs (capture-the-flag competitions) and vulnerability research contests like Pwn2Own. The legitimate side of the house is awash with opportunities.<\/p>\n<p>But what if you\u2019re a threat actor, whose research is usually more clandestine? In theory, there\u2019s nothing stopping you from doing any of the above \u2013 but it could (and almost certainly will) draw unwanted attention and be counter-productive. Better to share it with other threat actors, perhaps \u2013 but how, and where?<\/p>\n<p>If there\u2019s one thing criminal marketplaces do well, it\u2019s fulfilling the needs and demands of criminals, and this area is no exception. 
For several years, prominent Russian-language cybercrime forums like Exploit and XSS <a href=\"https:\/\/www.digitalshadows.com\/blog-and-research\/competitions-on-russian-language-cybercriminal-forums-sharing-expertise-or-threat-actor-showboating\/\">have run annual research contests for their members<\/a>, with monetary prizes put up by sponsors \u2013 usually prominent threat actor groups.<\/p>\n<p>As Digital Shadows notes in the article linked above, early contests were simple, involving trivia quizzes, graphic design competitions, or guessing games. We\u2019ll dig into exactly how today\u2019s contests work shortly, but the key point is that they\u2019re very different from those first, basic competitions. Recent contests are more akin to typical Call for Papers (CFPs) for legitimate security conferences \u2013 with users invited to submit \u2018articles\u2019 on technical topics, complete with source code, videos, and\/or screenshots.<\/p>\n<p>And unlike those earlier contests, today\u2019s events are big pulls for threat actors. 
This is partly because a considerable amount of money is up for grabs \u2013 <a href=\"https:\/\/www.securityweek.com\/zdi-announces-rules-and-prizes-pwn2own-2022\">not as much as Pwn2Own<\/a> or <a href=\"https:\/\/www.securityweek.com\/19-million-paid-out-exploits-chinas-tianfu-cup-hacking-contest\">the Tianfu Cup<\/a>, but not exactly pocket change, either \u2013 and also because they\u2019re an opportunity for threat actors to attain recognition and plaudits from their peers.<\/p>\n<p>While the fact that these contests exist is interesting in itself, their entries provide us with some insight into threat actor innovation: what they\u2019re working on, what obstacles they\u2019re seeking to overcome and how, and what their peers deem important.<\/p>\n<h2>How contests work<\/h2>\n<p>Forums usually run their contests annually, although the last one on Exploit closed in May 2021, and at the time of writing there hasn\u2019t been another. The process is pretty simple: an admin announces the contest, and specifies the closing date, topic area, and rules.<\/p>\n<p>Any user of the forum can submit an entry, typically by posting it in a dedicated thread. At the closing date, admins disqualify any entries which don\u2019t meet the rules (e.g., they\u2019re below a minimum word limit, or have been plagiarized), and the rest are put to a public vote on the forum.<\/p>\n<p>Exploit\u2019s most recent contest at this writing was launched on April 20, 2021, with a total prize fund of $80,000 USD. The contest was themed around cryptocurrencies, with articles requested on attacks, thefts, weaknesses, and vulnerabilities. 
Specifically, the administrator suggested the following topics:<\/p>\n<ul>\n<li>Non-standard ways of extracting private keys and wallets<\/li>\n<li>Staking, farming and landing, unusual author&#8217;s methods of passive income<\/li>\n<li>Mining in 2021, types of mining, equipment (except for the banal BitMain), non-standard mining software<\/li>\n<li>A large encyclopedia, describe in an accessible language the most unusual and atypical nuances of cryptocurrency protocols<\/li>\n<li>Smart contracts and everything connected with them, features of work<\/li>\n<li>NFT &#8211; where to start? the path from understanding the essence to the first earnings<\/li>\n<li>Author&#8217;s software for working with cryptocurrencies (private keys, parsers, brute, and so on)<\/li>\n<li>Overview of hardware wallets and features of working with them<\/li>\n<li>Tokens, creation, promotion (all possible networks)<\/li>\n<li>Analysis (technical and financial) of cryptocurrencies<\/li>\n<li>Security of working with cryptocurrencies, except for banal things<\/li>\n<li>DeFi-segment, author&#8217;s articles in general on the topic<\/li>\n<li>We raise our blockchain server of the main cryptocurrencies<\/li>\n<li>Automation of payments when working with cryptocurrency, payment management, data processing<\/li>\n<\/ul>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image1a.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-92662\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image1a.png\" alt=\"A screenshot of an announcement on the Exploit criminal forum, with Russian text\" width=\"640\" height=\"311\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image1a.png 1376w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image1a.png?resize=300,146 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image1a.png?resize=768,373 768w, 
https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image1a.png?resize=1024,498 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 1: The announcement of the Exploit contest in April 2021, seen in translation in the bullet list above<\/em><\/p>\n<p>The contest began on April 21, 2021 and closed to entries a month later, with the winners announced in September.<\/p>\n<p>XSS\u2019s latest competition ran from March 17 until July 1, 2022 and had a more modest prize fund of $40,000, although this was a significant increase on the previous year\u2019s pool of $15,000.<\/p>\n<p>That contest was more general, with the following listed as acceptable topics:<\/p>\n<ul>\n<li>Methods for pinning in user or kernel mode on Windows and Linux<\/li>\n<li>Creation and modification of 0\/1day exploits for Windows or Linux<\/li>\n<li>Reversing: analysis and modification of malicious code<\/li>\n<li>Techniques for countering security software, hiding malicious code<\/li>\n<li>Pentesting Active Directory: privilege escalation, data collection, working with frameworks for post-exploitation<\/li>\n<li>Social engineering, fraud: analysis of real cases, my own experience<\/li>\n<li>Radio-electronic weapons: operation, assembly and modification of equipment<\/li>\n<li>Malware development<\/li>\n<li>Low level programming<\/li>\n<li>Web vulnerabilities and their exploitation<\/li>\n<\/ul>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image2a.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-92665\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image2a.png\" alt=\"A screenshot of an announcement on a criminal forum, with text in Russian\" width=\"640\" height=\"424\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image2a.png 1205w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image2a.png?resize=300,199 300w, 
https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image2a.png?resize=768,509 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image2a.png?resize=1024,678 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 2: XSS launches its latest contest in March 2022, seen in translation in the bullet list above<\/em><\/p>\n<p>For both contests, any member of the forum is allowed to participate, regardless of when they registered or how many posts they have made. Entries are either submitted in a specific section of the forum, or in the announcement thread with a specific title.<\/p>\n<h2>Rules<\/h2>\n<p>Both Exploit and XSS contests stipulate specific rules for entry.<\/p>\n<h3>Exploit&#8217;s rules<\/h3>\n<ul>\n<li>Entries must not have been published elsewhere, and must belong to the author<\/li>\n<li>Entries must be \u201cmeaningful and voluminous, touch on all aspects of the proposed topic, [and] describe the mechanisms, practices and tool used\u201d<\/li>\n<li>Entries should contain technical details, in the form of algorithms, code, and\/or diagrams<\/li>\n<li>Articles should be at least 5000 characters (excluding spaces)<\/li>\n<\/ul>\n<h3>XSS&#8217;s rules<\/h3>\n<ul>\n<li>Maximum of three entries per participant<\/li>\n<li>Entries should be the author\u2019s work (\u201ccopy-paste = expulsion from the contest, in disgrace\u201d)<\/li>\n<li>Entries should be exclusively published on the forum<\/li>\n<li>Articles should be at least 7000 characters<\/li>\n<li>Entries should have a practical application, and should not be \u201cboring theory, in its pure form, no one is interested in theory\u201d<\/li>\n<li>Entries should use proper formatting, spelling, and punctuation<\/li>\n<\/ul>\n<p>The XSS rules also include some guidance on the perfect article: \u201ctheory + practice + live real examples + your opinion\/experience + thematic analysis of the material + screenshots + video demonstration.\u201d<\/p>\n<p>Many of 
these rules will be familiar to anyone who\u2019s submitted to a conference CFP, a sign that criminal forums are seeking to legitimize and professionalize their contests.<\/p>\n<h2>Sponsors<\/h2>\n<p>For several years, prominent members of the criminal community have sponsored contests on Exploit and XSS, with past sponsors including All World Cards, a well-known carding group, and LockBit.<\/p>\n<p>The sponsor of the most recent Exploit contest was a user called CryptoManiac, who contributed $15,000, but the forum administrators themselves stumped up most of the cash, writing: \u201cThe forum allocates $100,000, sponsors, if they wish, can increase the prize fund, for this they will be given special thanks in this topic.\u201d<\/p>\n<p>The sponsor of XSS\u2019s 2022 contest was a threat actor called Alan Wake (after the video game of the same name), who has<a href=\"https:\/\/twitter.com\/S0ufi4n3\/status\/1552584941040504833\"> previously been accused by LockBit of being the leader of the Conti and Black Basta ransomware groups<\/a>.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image3-2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92648\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image3-2.png\" alt=\"A screenshot from a post on a criminal forum, with text in Russian\" width=\"640\" height=\"95\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image3-2.png 1572w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image3-2.png?resize=300,44 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image3-2.png?resize=768,114 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image3-2.png?resize=1024,152 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image3-2.png?resize=1536,228 1536w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 3: The XSS admin thanks the contest\u2019s sponsor, 
Alan Wake<\/em><\/p>\n<p>As if the prizes weren\u2019t incentive enough, the admin advises that: \u201cIf your sponsor likes your article, after the end of the competition you will be offered a highly paid job in the Alan Wake team.\u201d<\/p>\n<h2>Voting<\/h2>\n<p>Both Exploit and XSS claim to run a democratic process for selecting contest winners. Entries which fulfil the requirements (those which don\u2019t are disqualified) are put to a vote, with all forum users invited to take part.<\/p>\n<p>However, both processes seem to lack transparency, and it\u2019s unclear how much weight individual votes carry. The Exploit admin writes that \u201csince there are often cases of fraud and vote cheating\u2026the final decision will be made by the forum team and me in particular, we will definitely take into account the results of the general vote.\u201d<\/p>\n<p>Over on XSS, the admin notes that \u201csuspicious and stuffed votes\u201d will be removed. Moreover, votes by the admin and the sponsor(s) account for an \u201cincreased percentage.\u201d<br \/> Both contests make the poll results visible to all users.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image4-2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92649\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image4-2.png\" alt=\"A screenshot from a poll on a criminal forum, with text in Russian\" width=\"640\" height=\"322\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image4-2.png 1772w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image4-2.png?resize=300,151 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image4-2.png?resize=768,386 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image4-2.png?resize=1024,515 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image4-2.png?resize=1536,772 1536w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" 
\/><\/a><\/p>\n<p><em>Figure 4: The Exploit contest poll<\/em><\/p>\n<h2>Entries<\/h2>\n<p>Both forums received a similar number of entries in their most recent contests: 35 on Exploit (with 3 individual prizes, plus 5 honorable mentions), and 38 &#8211; excluding 10 disqualified entries &#8211; on XSS (7 individual prizes).<\/p>\n<p>While the Exploit contest was themed specifically around cryptocurrencies, XSS\u2019s was more diverse, and topics ranged from social engineering and attack vectors to evasion and scam proposals. Cobalt Strike was a popular topic, with three of the seven prize-winning entries focusing on the legitimate pentesting tool often abused by threat actors. Other popular topics included tutorials about attack vectors and finding vulnerabilities (eight entries); crypto-related scams (six entries); and evasion (five entries).<\/p>\n<p>Let\u2019s examine the top-placed entries.<\/p>\n<h3>Exploit<\/h3>\n<h4>First place: Fake blockchain: From idea to implementation!<\/h4>\n<p>The winning entry in Exploit\u2019s most recent contest was relatively simplistic \u2013 creating a cloned version of blockchain.com (using a GitHub repository) to harvest credentials. The author had to overcome several technical difficulties, such as configuring the cloned site\u2019s authorization routine, and setting up a reverse proxy to bypass the Cross-Origin Resource Sharing (CORS) mechanism, but a cloned site like this would typically be used like any other phishing or credential-harvesting site. 
Because the target is a cryptocurrency exchange\/wallet site, this could potentially be a lucrative attack.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image5-2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92650\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image5-2.png\" alt=\"A screenshot showing code from a GitHub repository, with a red arrow pointing to the word 'password'\" width=\"640\" height=\"657\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image5-2.png 773w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image5-2.png?resize=292,300 292w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image5-2.png?resize=768,789 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image5-2.png?resize=32,32 32w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image5-2.png?resize=50,50 50w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 5: A screenshot from the winning entry in the Exploit contest<\/em><\/p>\n<h4>Second place: ICO: Wild hunt Cost: $0, profit: $742<\/h4>\n<p>In second place, another relatively basic attack, this time targeting initial coin offerings (ICOs) \u2013 a way to raise funds for launching a new cryptocurrency. 
The author provides a tutorial on looking for suitable ICOs to target (small, but with about 20,000 views a month), and then gives instructions on using well-known tools like sqlmap to find and exploit SQL injection vulnerabilities, in order to extract user data and tokens from databases.<\/p>\n<h4>Third place: Extraction of private keys and wallets<\/h4>\n<p>The third-placed entry in the Exploit contest was a tutorial on creating a phishing site and processing sensitive cryptocurrency-related data (secret words, wallets, etc) via Telegram.<\/p>\n<h4>Honorable mention: We write blockchain and cryptocurrency from scratch in an hour<\/h4>\n<p>A tutorial on creating a cryptocurrency from scratch. It is worth noting that there have been free and publicly available tutorials on how to do this for several years.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image6-2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92651\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image6-2.png\" alt=\"A screenshot of JSON code, with red arrows pointing to various lines\" width=\"640\" height=\"627\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image6-2.png 678w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image6-2.png?resize=300,294 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image6-2.png?resize=32,32 32w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image6-2.png?resize=50,50 50w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image6-2.png?resize=64,64 64w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 6: A screenshot from the \u2018We write blockchain and cryptocurrency from scratch in an hour\u2019 article<\/em><\/p>\n<h4>Honorable mention: Fake blockchain API<\/h4>\n<p>A slightly more complex entry, this article advocates creating a malicious library to be used by a \u201clazy 
developer\u201d when making cryptocurrency applications. The entry includes advice on creating the library and tips to make it attractive to developers (free, simple, anonymous, useful functionality, and so on); how to write and hide the malicious components of the library (i.e., how to intercept, encrypt, and covertly process sensitive data such as private keys); and how to process the resulting stolen data.<\/p>\n<h4>Honorable mention: Bruting crypt for example Bitcoin<\/h4>\n<p>Another simple tutorial, this entry comprised a guide on mass-scanning for Bitcoin daemons which accept incoming connections, and then bruteforcing them to access sensitive data.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image7-2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92652\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image7-2.png\" alt=\"A screenshot showing some Python code, for a bruteforcer\" width=\"640\" height=\"175\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image7-2.png 1459w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image7-2.png?resize=300,82 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image7-2.png?resize=768,210 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image7-2.png?resize=1024,279 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 7: An extract from the code supplied in the \u2018Bruting crypt for example Bitcoin\u2019 article<\/em><\/p>\n<h4>Honorable mention: We squeeze the logs to dryness<\/h4>\n<p>In this entry, the author discusses parsing \u201clogs\u201d (presumably logs from infostealers such as <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/08\/18\/cookie-stealing-the-new-perimeter-bypass\/\">Redline<\/a> or <a 
href=\"https:\/\/news.sophos.com\/en-us\/2021\/08\/03\/trash-panda-as-a-service-raccoon-stealer-steals-cookies-cryptocoins-and-more\/\">Raccoon Stealer<\/a>, which are collections of stolen cookies, browsing history, and tokens) in order to find cryptocurrency-specific information.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image8-1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92653\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image8-1.png\" alt=\"A screenshot of a directory listing\" width=\"640\" height=\"554\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image8-1.png 662w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image8-1.png?resize=300,260 300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 8: A screenshot from the \u2018We squeeze the logs to dryness\u2019 article<\/em><\/p>\n<h4>Honorable mention: Bitcoin price peak: When and where to exit the crypto?<\/h4>\n<p>In the final honorable mention, the author writes a 50-page article (by far the longest entry) on how and when to sell Bitcoin. It dives into the psychology of investing, cryptocurrency economics, and market cycles, and does not include any information specific to cybercrime, although the content is likely to be of interest to threat actors who hold and\/or trade in Bitcoin as part of their activities. It also includes tips on how to sell Bitcoin \u2013 for instance, staggering sales, investing in stablecoins or tokenized shares, and so on.<\/p>\n<h3>XSS<\/h3>\n<h4>First place: 20 years of payment acceptance problems<\/h4>\n<p>The winning entry in the XSS contest gives an overview of vulnerabilities in electronic payment systems. 
It discusses the architecture of some of these systems, and typical vulnerabilities within them \u2013 including lack of signature verification; length extension attacks; intercepting and changing price and currency information (a technique that has been around for many years); business logic flaws; rounding, overflow, and negative number errors; and race conditions. It also provides some case studies of vulnerabilities in electronic payment systems that have been exploited in the past.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image9-1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92654\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image9-1.png\" alt=\"A screenshot of an HTTP\/S interception tool and a browser window while making a payment\" width=\"640\" height=\"279\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image9-1.png 1379w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image9-1.png?resize=300,131 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image9-1.png?resize=768,335 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image9-1.png?resize=1024,446 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 9: A screenshot from the winning entry in the XSS contest. 
This particular screenshot was provided by the author as evidence that they could intercept and change the payment amount to a paid Telegram bot<\/em><\/p>\n<p>Two particularly interesting things about this entry: 1) it gives readers \u2018homework,\u2019 encouraging them to try various attacks for themselves; and 2) it discusses a specific vulnerability in the XSS forum itself, whereby a race condition in the Bitcoin transfer system allowed users to effectively generate cryptocurrency out of thin air.<\/p>\n<h4>Second place: Remote Potato Zero and Cobalt Strike<\/h4>\n<p>In second place, a much more technical article, purportedly based on the author\u2019s experiences attacking an Active Directory environment where members of the Domain Users group had the ability to remotely connect to domain controllers via RDP. The author sought to escalate privileges, and in their article they argue that <a href=\"https:\/\/www.sentinelone.com\/labs\/relaying-potatoes-another-unexpected-privilege-escalation-vulnerability-in-windows-rpc-protocol\/\">Remote Potato<\/a>, in conjunction with Cobalt Strike, is an effective means to do this in some environments.<\/p>\n<p>The author discusses how to hide Remote Potato from Windows Defender, how to use it in different scenarios, and the use of other tools, including <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/07\/14\/rapid-response-the-ngrok-incident-guide\/\">Ngrok<\/a> and Socat.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image10-2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92655\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image10-2.png\" alt=\"A screenshot of a remote session on a machine\" width=\"640\" height=\"329\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image10-2.png 1023w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image10-2.png?resize=300,154 300w, 
https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image10-2.png?resize=768,395 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 10: A screenshot from the \u2018Remote Potato Zero and Cobalt Strike\u2019 article<\/em><\/p>\n<h4>Third place: Disable Windows Defender (plus UAC bypass and elevate to SYSTEM)<\/h4>\n<p>The third-placed entry includes a tutorial on manipulating privilege tokens in order to disable Windows Defender. Specifically, the author outlines an attack flow involving obtaining administrative privileges with a UAC bypass, escalating to SYSTEM by stealing a token and starting a process, and then disabling Defender.<\/p>\n<h4>Fourth place: Hide your Cobalt Strike like a pro!<\/h4>\n<p>In fourth place, this article is a deep technical dive into various ways to hide Cobalt Strike from detection, and is one of several in a series. The methods advocated by the author include using Tor and OpenVPN for Cobalt Strike\u2019s TeamServer, DNSCrypt, domain randomizers, and a <a href=\"https:\/\/github.com\/salesforce\/jarm\">JARM<\/a> randomizer. 
The author also provides a step-by-step guide on modifying Cobalt Strike\u2019s source code and obfuscating beacons.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image11-2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92656\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image11-2.png\" alt=\"A screenshot of a Bash script menu\" width=\"640\" height=\"400\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image11-2.png 1378w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image11-2.png?resize=300,187 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image11-2.png?resize=768,480 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image11-2.png?resize=1024,640 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 11: A screenshot from the \u2018Hide your Cobalt Strike like a pro!\u2019 article<\/em><\/p>\n<h4>Fifth place: Cobalt Strike A-Z<\/h4>\n<p>In yet another Cobalt Strike-related article, but not quite as wide-ranging as the title would suggest, an entrant discusses using <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/11\/03\/family-tree-dll-sideloading-cases-may-be-related\/\">DLL hijacking<\/a> in conjunction with Cobalt Strike.<\/p>\n<h4>Sixth place: Scam crypto big<\/h4>\n<p>The sixth-placed entry talks about abusing the standards of smart contracts, and specifically how to create <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/05\/17\/liquidity-mining-scams-add-another-layer-to-cryptocurrency-crime\/\">smart contracts<\/a> to secretly withdraw a victim\u2019s tokens. 
It also covers various methods to distribute malicious contracts, including AirDrop, Discord, email, and malvertising.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image12-2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92657\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image12-2.png\" alt=\"A screenshot of some code pertaining to smart contract transactions\" width=\"640\" height=\"244\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image12-2.png 1157w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image12-2.png?resize=300,114 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image12-2.png?resize=768,293 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image12-2.png?resize=1024,390 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 12: Code from the \u2018Scam crypto big\u2019 article<\/em><\/p>\n<h4>Seventh place: NoSQL injection<\/h4>\n<p>Finally, in the last placed entry, the author provides a primer on NoSQL injection, the differences between it and SQL injection, and a tutorial on some of the causes.<\/p>\n<h2>Other noteworthy entries<\/h2>\n<h3>Exploit<\/h3>\n<h4>We make a hardware cryptocurrency wallet with our own hands<\/h4>\n<p>This entry was particularly noteworthy as it was the only one, on either forum, which specifically covered hardware. The author provides a guide on creating a hardware cryptocurrency wallet, from theory to practice, complete with CAD drawings and photographs. 
As with the guide on exiting Bitcoin, this article doesn\u2019t have much relevance to cybercrime, and is more aimed at helping users to protect their funds rather than having to trust off-the-shelf wallets.<\/p>\n<p>In line with this aim, the author also provides a lot of OPSEC advice relating to hardware wallets, and information relating to various known attacks against them, including malicious firmware updates; brute-forcing PIN codes; fault injection; supply chain attacks; and surveillance.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image13.jpeg\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92658\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image13.jpeg\" alt=\"A photograph of a breadboard and circuitry on a desk\" width=\"640\" height=\"499\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image13.jpeg 1380w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image13.jpeg?resize=300,234 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image13.jpeg?resize=768,598 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image13.jpeg?resize=1024,798 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 13: A photograph included in the \u2018We make a hardware cryptocurrency wallet with our own hands\u2019 article<\/em><\/p>\n<h4>Smart contract vulnerabilities<\/h4>\n<p>A primer on smart contracts and the Ethereum Virtual Machine (EVM), and a guide on how to create a basic contract. 
The author discusses various vulnerabilities, including access control, front-running, time manipulation, arithmetic issues, and re-entrancy, and then moves on to writing exploits to leverage them.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image14-1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92659\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image14-1.png\" alt=\"A screenshot of the Solidity compiler\" width=\"640\" height=\"475\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image14-1.png 1269w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image14-1.png?resize=300,223 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image14-1.png?resize=768,570 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image14-1.png?resize=1024,760 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 14: A screenshot from the \u2018Smart contract vulnerabilities\u2019 article<\/em><\/p>\n<h3>XSS<\/h3>\n<h4>Elegantly breed daddies on lavender<\/h4>\n<p>In this rather cryptically titled entry, the author provides instructions on socially engineering and scamming customers of webcam models, specifically those users who pay to watch videos of performers. 
The article covers some details on socially engineering victims and how to build rapport with them, before moving on to obtaining and illicitly selling videos.<\/p>\n<h4>BitTorrent botnet \u2013 from design to implementation<\/h4>\n<p>A relatively innovative entry, this article describes a problem faced by botnet operators \u2013 that control servers are also shut down \u2013 and proposes a solution: the distributed hash table (DHT) feature in BitTorrent.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image15-1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-92660\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image15-1.png\" alt=\"A diagram showing peer connections in a BitTorrent network\" width=\"640\" height=\"424\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image15-1.png 919w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image15-1.png?resize=300,199 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/image15-1.png?resize=768,509 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 15: A diagram included in the \u2018BitTorrent botnet \u2013 from design to implementation\u2019 article<\/em><\/p>\n<h2>Conclusion<\/h2>\n<p>The fact that users of criminal forums are designing, running, and participating in research contests suggests that they seek to foster innovation, especially with regards to new methods of attack and evasion. The sponsorship of these contests by prominent threat actors is further evidence that this is a goal shared among broad sections of the criminal community. 
It\u2019s worth noting that, in at least one case, past contests have served as a sort of recruitment tool for prominent threat actor groups.<\/p>\n<p>In the contests themselves, we noted an increased interest in Web3-related topics, particularly cryptocurrencies, smart contracts, and NFTs &#8211; to the extent that Exploit\u2019s most recent contest was specifically themed around this subject. However, even in the latest XSS contest &#8211; which gave entrants a much wider scope &#8211; there was still a significant number of related entries.<\/p>\n<p>More generally, there appears to be a reasonable amount of innovation when it comes to topics like evasion and privilege escalation, especially in the context of enhancing or augmenting pre-existing tools like Cobalt Strike.<\/p>\n<p>However, on the whole, there was less innovation than we expected. Even highly placed articles often contained little novel material, and were sometimes simply basic tutorials or guides containing information that is already public. Certainly, in our opinion, there was less original research compared to many prominent security industry contests and conferences.<\/p>\n<p>Winning or highly placed entries tended to be either relatively simplistic, with a broad appeal, or focused on techniques which could be put to practical use, even if those techniques were not new. 
The fact that these entries were voted for by the authors\u2019 peers may suggest that this is reflective of the wider community\u2019s preferences and priorities.<\/p>\n<p>Of course, it may be that threat actors are just not that keen to share cutting-edge tools and techniques with each other publicly, and instead keep their best research to themselves &#8211; perhaps reasoning that they could realize more profit by using them in real-world attacks, rather than by entering contests.<\/p>\n<p>Competitions on criminal forums are a longstanding, albeit not widely known, feature, and are likely to continue in one form or another. But, going by the most recent entries, they are not likely to become a hotbed of disruption and innovation in the near future.<\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2023\/08\/29\/for-the-win-offensive-research-contests-on-criminal-forums\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2023\/07\/shutterstock_670511968.jpg\"\/><\/p>\n<p><strong>Credit to Author: Matt Wixey| Date: Tue, 29 Aug 2023 10:00:17 +0000<\/strong><\/p>\n<p>We explore some of the entries in recent cybercrime research competitions, and what they say about threat actor innovation and 
priorities<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[11638,129,28040,27030,16771,15775],"class_list":["post-22794","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-exploit","tag-featured","tag-marketplaces","tag-sophos-x-ops","tag-threat-research","tag-xss"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/22794","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=22794"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/22794\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=22794"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=22794"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=22794"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}