[UPDATED] Finding the (Alleged) Equifax Hackers


[UPDATE 9/11/17] SCORE ONE FOR THE GOOD GUYS

Shortly after this blog post was circulated on Friday, Chris Monteiro (aka @Deku_shrub) reached out about his efforts. He successfully got hold of the hosting administrator for the Equifax hackers' site and got the website shut down!

Here is what the website looks like now:

[Screenshot: the website after the takedown]

So good job everyone! The good guys were able to rapidly identify and shut down the bad guys before any harm was done. In a world where most Threat Intelligence shops are only open during business hours, a few good players stayed around after everyone else went home and made the world a slightly better place!

You can read my original writeup below. You can read @Deku_Shrub’s article here:

ORIGINAL POST – Finding the (Alleged) Equifax Hackers

In case you’ve been living under a rock since the afternoon of 9/7/2017, it should come as no surprise that Equifax recently disclosed one of the worst hacks in history. Equifax states that the incident potentially impacts approximately 143 million U.S. consumers, and an unspecified number of customers from Canada and the United Kingdom. The data includes Social Security numbers, birth dates, addresses, driver’s license numbers, ~209,000 credit card numbers, and additional personal identifying information for 182,000 consumers.

Shortly after this breach was made public, a darknet website popped up claiming to sell access to the Equifax data. The hackers claim that they did not anticipate receiving such a trove of data and need to monetize the attack quickly. They state that they will release the entire data set on September 15th, 2017 (one week from the time of writing). They are asking for 600 BTC, or ~$2.6 million USD.

[Screenshot: the darknet sale page]

These are HUGE claims, and affect nearly EVERY ADULT IN THE UNITED STATES. So, naturally, this warrants an investigation, and quickly!

The website is here (use Tor): http://badtouchyonqysm3.onion/index.html#.

WHAT WE KNOW

The website tells us the following details:
Email: Pasthole@national.shitposting.agency
PGPKey: 0x69074438


WHAT ELSE
IT’S ALWAYS ABOUT THE CONFIGURATION!

I’m going to save you the tedium and techno-jargon. With all this stuff, you try 100 things that fail before you hit on the gem that forks over the data you’re looking for. Please just understand that every time you see that an analyst did something like this, it took A LOT of work...

[Screenshot: telnet session to port 25 of the .onion host]

What you have there is my computer using telnet to connect to port 25 of badtouchyonq7sm3.onion. Port 25 is (typically) the SMTP port, the service used to deliver email.

What I have highlighted in that screenshot is the server’s response: the SMTP greeting banner. The service listening on port 25 of badtouchyonq7sm3.onion is saying “HELLO, I am the email service for dhosting4okcs22v.onion!”, and the hostname in that greeting is the one the mail server itself was configured with.

Well, that’s EXACTLY the type of misconfiguration we were looking for. After a few double-and-triple checks to make sure the data is good, we have a lead!
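As an added example (not from the original post), here is a small Python script that does what the telnet check above does by hand: it parses an SMTP 220 greeting, including multi-line greetings, and flags a banner whose announced hostname differs from the name clients expect. The banner text and hostnames in it are constructed placeholders, and the fetch helper is meant for auditing a mail service you administer.

```python
# Added example, not from the original post: parse an SMTP 220 greeting and
# flag a banner that announces a hostname other than the one clients expect.
import re
import socket
from typing import Optional

# RFC 5321 greeting: "220 <domain> <text>"; multi-line greetings use "220-"
# on every line except the last, which uses "220 " (space).
GREETING_RE = re.compile(r"^220[ -](\S+)")


def parse_smtp_greeting(banner: str) -> Optional[str]:
    """Return the hostname announced in the first 220 line, lower-cased, or None."""
    for line in banner.splitlines():
        m = GREETING_RE.match(line.strip())
        if m:
            return m.group(1).lower()
    return None


def greeting_discloses_host(banner: str, expected_host: str) -> bool:
    """True when the server greets as some host other than expected_host.
    For a hidden service this is the misconfiguration described above: the
    banner names the machine that really hosts it, not the .onion it serves."""
    announced = parse_smtp_greeting(banner)
    return announced is not None and announced != expected_host.lower()


def fetch_greeting(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Read the greeting from an SMTP port you administer (plain TCP, no Tor),
    continuing until the final "220 " line so multi-line greetings are captured."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = b""
        while True:
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
            lines = data.decode("utf-8", "replace").splitlines()
            if lines and lines[-1].startswith("220 "):
                break
    return data.decode("utf-8", "replace")


# Constructed sample banner with placeholder names (not the real banner): the
# service is reached as badtouch.example.onion but greets as its hosting provider.
SAMPLE_BANNER = ("220-hosting.example.onion ESMTP ready\r\n"
                 "220 hosting.example.onion\r\n")

if __name__ == "__main__":
    print(parse_smtp_greeting(SAMPLE_BANNER))  # hosting.example.onion
    print(greeting_discloses_host(SAMPLE_BANNER, "badtouch.example.onion"))  # True
```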

SMTP at dhosting4okcs22v.onion
At this point it was almost too easy. By going to dhosting4okcs22v.onion in a browser, it was quickly apparent that I was at a “make your own darknet!” service. For no cost, hackers (or anyone) can navigate to this darknet website and stand up their own darknet service in seconds. This is actually a really cool service, run by Daniel in Germany!

[Screenshot: the dhosting4okcs22v.onion landing page]


Now, Daniel in Germany is not the bad guy here, merely the service provider. Getting angry at him would be like getting angry at Gmail for a nastygram sent by yourmom@gmail.com. It’s not his fault. But let’s see what else we can find...

[Screenshot: the hosting service’s list of hosted sites]

This hosting service helpfully provides a list of all the darknet websites he hosts! Since we really only care about one of them (and I’d rather save my eyes from wandering around the darknet too much in my free time), let’s just Ctrl+F and see if we can find our Equifax Hackers!

[Screenshot: Ctrl+F result showing the Equifax site in the hosted list]


And bingo!

So the bad guys (accidentally) told us where their server is. The service provider told us that they ARE the server for the Equifax data. That’s kinda all you could ask for!

Daniel from Germany also has a public facing website, which allows you to access your hosting service, right here! https://danwin1210.me/.

Now there are TONS of things you can do from here. I, for example, set up my own hidden service on the same platform and found the IP address for it (wondering whether it would be on the same physical server as the alleged Equifax hackers).

I’ll leave the rest up to your imagination.


Oh, and I THINK the hackers maybe misconfigured a thing and leaked their BTC address. I’m not sure what this is, but it LOOKS like a BTC address. *shrugs* whatever. 17vkHnkXwYaSRiLipEWNWvNqPvC51ZBswy
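An added check, not part of the original post: a Bitcoin address is Base58Check-encoded, so an analyst can tell a well-formed address from a random-looking string offline by re-computing its checksum. The well-known genesis-block coinbase address is used as the known-good reference; the version-byte table covers the common mainnet and testnet prefixes.

```python
# Added example, not from the original post: decide whether a string is a
# well-formed Bitcoin address by re-computing its Base58Check checksum offline.
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: str) -> bytes:
    """Decode Base58 to bytes; each leading '1' stands for one leading zero byte."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading + body


def is_valid_bitcoin_address(addr: str) -> bool:
    """True when addr decodes to version(1) + hash(20) + checksum(4) and the
    checksum equals the first 4 bytes of SHA256(SHA256(version + hash))."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def address_type(addr: str) -> str:
    """Describe the address by its version byte, or report it as invalid."""
    if not is_valid_bitcoin_address(addr):
        return "invalid"
    version = b58decode(addr)[0]
    names = {0x00: "P2PKH (mainnet)", 0x05: "P2SH (mainnet)",
             0x6F: "P2PKH (testnet)", 0xC4: "P2SH (testnet)"}
    return names.get(version, f"unknown version 0x{version:02x}")


if __name__ == "__main__":
    # The well-known genesis-block coinbase address, as a known-good reference.
    print(address_type("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"))  # P2PKH (mainnet)
    # The string quoted in the post above.
    print(address_type("17vkHnkXwYaSRiLipEWNWvNqPvC51ZBswy"))
```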

Author: WvuAlphaSoldier

Current Cyber Guy, Former PSYOP guy. Always WVU guy. This is a personal account. I am gunna be personal and NSFW sometimes.
