Ever noticed that almost every piece of software wants you to subscribe to it these days, rather than owning it?
Business solutions especially have embraced this model, taking recurring revenue as the goal rather than one-time large sales of software packages.
For those unfamiliar with the model, it's known as Software-as-a-Service or SaaS for short.
The end users run a client of some description to use the software, but the vendor is the one that retains ownership of the product overall. This can decrease implementation costs and help the bottom line of a company - but they aren't the only ones profiting from this model.
Cybercriminals have always been an enterprising bunch, but did you know that they're implementing the SaaS model themselves? And that it's really working?
This article is a quick introduction to the world of Crimeware-as-a-Service.
"Back in MY Day...we had to INSTALL a crimeware server and run my OWN attack!"
The standard business model of a malicious hacker, and cybercrime in general, used to centre around a tried and tested model:
1. Choose a target and conduct reconnaissance.
2. Set up your plan of attack and either write or purchase hacking tools from the more nefarious corners of the internet.
3. Breach your target's network perimeter and exfiltrate sensitive data, intellectual property or compromising material back to your own computer/server.
4. Try and sell whatever it was you stole or managed to get hold of during your attack for as much as possible.
5. Don't get caught doing it. Then rinse and repeat steps 4-5!
This was essentially your way of getting paid as a malicious hacker, back in the day and up until fairly recently. This method of making a buck required a lot of technical skill, networking knowledge, tradecraft and business knowledge.
Network security back in the early days was not at the forefront of the technology landscape, and enterprising hackers took full advantage.
The work was difficult, risky and came with hefty prison sentences should you get caught.
But like every industry, it changes and evolves with the times.
Commercialising Crime - The Rise of Commercial Hacking Services
Just as those in more traditional criminal enterprises (drug trafficking/dealing) have taken full advantage of new technologies, like encrypted messaging applications (Signal, Telegram etc.), to avoid law enforcement, so too have cybercriminals operating primarily on the Internet.
Hacking used to have fairly large barriers to entry, especially with industrial targets. Apart from the technical knowledge and skill required to make an attack successful, an attacker would require a fairly solid and well-maintained infrastructure of their own to make a living out of cybercrime.
This certainly isn't true any more - cybercrime has moved away from a simple data trading business model, where the spoils of any attack were sold to the highest bidder, to a model where infrastructure, toolkits, exploits and reporting are bundled into a handy subscription package.
Ready, aim, hack.
Finjan (linked to ZDNet article, as original report is no longer available) wrote in a report that crimeware had become a matter of:
"providing a service that encapsulates the entire attack and infection process, and provides a distilled feed of data that is being harvested as part of the attack. It detaches the criminals from the actual work of exploiting and controlling the attacks."
Let's take a look at some notable examples of enterprising criminal outfits taking advantage of the service-based business model and the rise of cloud computing to industrialise cybercrime.
Case Studies: Hacking Businesses for Fun and Profit
The Shadow Brokers
As adverts for your criminal services go, the WannaCry global ransomware attack was a pretty good one.
The Shadow Brokers are believed to be a hacking group responsible for multiple leaks of state-level hacking tools, most notably from the National Security Agency (NSA).
One of the exploits from their fifth leak (titled "Lost in Translation"), ETERNALBLUE, was used as part of both the WannaCry and Petya ransomware attacks of mid-2017.
Their name is believed to be derived from a character in the Mass Effect series of videogames - who controls and influences events by trading in information, whilst never allowing one side to gain a significant advantage over any other.
They, too, began by simply trying to auction off or directly sell the exploits and code they stole, but have since made their operations more sophisticated.
In 2017 they announced they were launching a subscription data dump service for customers to access exploits, zero-days, and hacking tools stolen from the NSA and other U.S. government agencies. All for only $23,000 per month!
Think HelloFresh for hackers - the ingredients delivered right to your door in a neat little wrapper.
Attribution-wise, it is believed that the Shadow Brokers are Russian in origin, but nobody truly knows at the moment exactly where they're operating out of.
The Bushido Botnet and DDoS Cannons-for-hire
A Distributed Denial Of Service (DDoS) attack refers to an attack conducted by firing gigantic amounts of traffic at a given target (usually a website) to stress their network perimeter to the point it collapses. This results in the target going offline, or becoming more vulnerable to further attack attempts.
Generating this amount of traffic requires a lot of computing power, more than any one person could ostensibly have in their house. So where do they get all the computing power from?
Easy, they use yours.
Compromised machines (achieved through a variety of means) have an "agent" installed on them. These "agents" are small programs that beacon out to a command and control machine/network in a remote location off-network. These beacons let the command and control (C2 for short) machine/network know that the machine is on and operational, and they also carry back the instructions for the infected machine (or bot) to carry out. This creates a centralised network of bots, or a "botnet".
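Because an agent checks in with its C2 on a schedule, that regularity is something defenders can look for in outbound connection logs. The following is an added example, not code from the original article or from any of the reports it cites: it flags internal-host/destination pairs whose connection intervals are unusually regular. The flow records, addresses and thresholds (`min_events`, `max_cv`) are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (epoch_seconds, internal_host, destination).
# Addresses come from private/documentation ranges; none of this is real traffic.
JITTER = [0, 1, -1, 2, 0, -2, 1, 0]
SAMPLE_FLOWS = (
    # Host checking in roughly every 60 seconds with a little jitter.
    [(1000 + 60 * i + j, "10.0.0.15", "203.0.113.50") for i, j in enumerate(JITTER)]
    # Human-driven browsing: bursts and long pauses.
    + [(t, "10.0.0.22", "198.51.100.7") for t in (1003, 1010, 1190, 1204, 1700, 1702, 2500)]
    # Too few connections to say anything about.
    + [(t, "10.0.0.15", "198.51.100.7") for t in (1100, 1500)]
)

def beacon_candidates(flows, min_events=6, max_cv=0.1):
    """Return (src, dst, mean_interval, cv) for pairs whose connection
    intervals are regular enough to look like an automated check-in."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue  # not enough connections to judge periodicity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all connections share one timestamp
        # Coefficient of variation: spread of the gaps relative to their mean.
        # Values near 0 mean the connections arrive on a timer.
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((src, dst, round(avg, 1), round(cv, 3)))
    return sorted(hits, key=lambda h: h[3])

if __name__ == "__main__":
    for src, dst, avg, cv in beacon_candidates(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: every ~{avg}s (cv={cv})")
```

Legitimate software (update checks, NTP, monitoring agents) also connects on a timer, so hits from a check like this are leads to triage against known-good destinations rather than verdicts.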
There have been some immensely successful botnets in the past, and one of the most famous botnets is Mirai.
Most botnets work the same way - infecting a large number of computers and machines with persistent malware that allows remote instructions - but the Mirai botnet is one of the few that has had its code open-sourced, or at least released to the public.
This code was repurposed, with extra functionality added, to build a functional botnet of web servers and IoT (Internet connected devices or Internet of Things) endpoints: the Bushido botnet.
If you're genuinely interested in the nitty-gritty of how the Bushido works at a host-level, and how the malware does its job - this article on D3xt3r's Lab on how he reversed the Bushido IoT Botnet malware is absolutely fascinating.
Fair warning, it's not a massively easy read, but very interesting.
This has meant a gigantic reduction in the complexity and skill of using a botnet to carry out DDoS attacks, sometimes termed a "DDoS cannon" as it "fires" traffic at a target in a singular direction to knock it offline. Novice attackers can simply rent out the infrastructure required for a few hundred dollars or even the entire system with reporting capabilities for a few thousand.
Some of the operators of these botnets for hire even have tutorials and tech support, to help their customers make the best use of their illegal DDoS cannon.
It genuinely boggles the mind, when you think about it - that there's a solid chance that cybercriminals have better customer services than most legitimate companies.
Let's look at a player in this market that has really taken the cybercrime-as-a-service business model to heart.
0x-Booter
This is what professional cybercrime-as-a-service looks like.
0x-Booter is a DDoS Cannon-For-Hire service that rivals some actual service companies in terms of user experience, design and pricing strategy.
Powered by the Bushido IoT botnet that we just talked about - the technical skill involved in setting up and executing a successful DDoS attack is...signing up.
Like, literally anyone could use this.
This is an illegal service, marketed, presented and run like a proper business. They advertised on social media, with a cross-platform marketing strategy. Offering 20,000 bots for rent and a possible attack size of 500Gbps (according to this Cyware article on 0x-Booter), for prices ranging from $20-120 depending on your needs and requirements - it's a compelling offering for your novice (or somewhat lazy) hacker to start knocking targets offline.
Cyware's research found that their capabilities didn't quite match their advertising, reaching 424 Gbps using 16,993 bots. This should be held in perspective though - it's more than enough to do the job for most targets, especially those without specific DDoS protection like Cloudflare.
0x-Booter even has service tiers, with different pricing depending on your needs and budget.
This business model has proved to be pretty successful too - according to a great report by Fortinet:
“If the files are to be believed, more than 300 attacks have been launched from this site since its servers first came online on Oct 14th,” the security researchers added. “The Bushido botnet proves that simple modifications made to the Mirai code can sustain a marketable DDoS-for-Hire service structure.
With just a few clicks, a few dollars, and a little knowledge about botnets, would-be cybercriminals can get their hands on massive botnets and cause great damage.”
As you can see, the game has most definitely changed when it comes to how cybercrime is conducted.
Professional-grade outfits, running clean websites and conducting solid marketing plans, are selling browser exploit kits, malware, DDoS cannons, botnets and other malicious software at prices to suit your budget. They tailor service packages to their customer and offer tutorials and tech support to make sure you're happy with your purchase. Some large operations even have helpdesks to raise tickets for when their cleanly designed web-based user interfaces malfunction.
It is very much a different ballgame to previous years - especially when hackers are not only implementing increased technical knowledge to evade forensics and law enforcement personnel, they're implementing legitimate business knowledge and techniques to make a booming business out of it, too.