What Happens When Cybercriminals Let Their Guard Down

• Hackers who go by the online name ‘Lab Dookhtegan’ had revealed details about the inner working of an Iran-based hacker group OilRig.
• Malware like Readtup and Gootkit were tracked down due to flaws in the design of their C2 infrastructures.

The area of the cyber threat landscape is vast and varied. It witnesses several attacks from cybercriminals that includes malware, exploitation of vulnerabilities, phishing emails, or unauthorized access.

Different threat actor groups specialized in their attack techniques and the use of malware target specific industries to steal more data or generate revenue. However, these bad actors often leave back a major security loophole which makes it easy for security experts and analysts to crack down their activities.

Many times, rival hacker groups are also involved in the major revelation related to the work and operations of hacking groups.

Here’s a look at some instances where cybercriminals and their malicious operations were tracked down by centering their security lapses.

Major incidents

Hackers who go by the online name ‘Lab Dookhtegan’ revealed details about the inner working of an Iran-based hacker group OilRig, also known as APT34 and HelixKitten. Lan Dookhtegan had used a Telegram channel to dump information about threat actor group’s infrastructure, hacking tools, members and victims.

Apart from OilRig, cyber-espionage operations related to MuddyWater hacking group and Rana Institute were also published online via Telegram channels and websites on the Dark Web and the public internet.

Avast researchers along with French law enforcement agencies took down the backend infrastructure of the Readtup malware gang after discovering a design flaw in the C2 server communications protocol. The malware had effectively disinfected over 850,000 Windows systems.

A bunch of cybercrooks had left exposed a database that contained a huge of stolen data. The stolen data belonged to customers of Neuroticket, Ticketmaster, TickPick, Groupon and more. The criminals were using the details to conduct identity fraud before the database was taken offline.

In another major mistake, a criminal gang behind the Gootkit malware had left MongoDB databases open to the internet, thus giving a security researcher Bob Diachenko an opportunity to gain an insight into their operations. These databases contained a total of 38,653 infected hosts aggregated by three Gootkit sub-botnets.

Avast researchers also took down the notorious campaign of Geost botnet that had been active since 2016. They were able to bring down the botnet as the attackers using botnet had failed to encrypt C2 servers and their chat sessions. With the botnet, 13 C2 servers that ran hundreds of malicious domains were brought down.

Uzbekistan’s SandCAT APT exposed its malicious operations by testing its malware against commercial anti-virus software. The threat actor transmitted binaries of its dodgy files back to Kaspersky researchers.

The bottom line

It is safe to say that cybercriminals are not immune from the same errors in judgement and threats that are faced by organizations across the world.