Phone Pharm Phakery back in July of 2024 covered how click fraud and other activities are done at scale using phones and automation software. Two months prior to that there was a CyberScoop article about Operational Relay Box Networks, which I marked as interesting several months ago; only now did I notice this piece lurking in my drafts folder.
My experience in this area is defending against such things, and part of the December intrusionfest involved a swarm of systems in Southeast Asia. I don’t imagine they were espionage related, given the pedestrian nature of the victim, but the patterns are there.
Let’s explore this area a little bit and see what insight we can garner from it.
Attention Conservation Notice:
This is going to be device and host security stuff. If you’re not doing hands on remediation, maybe just mentally note that there’s information about such things here, in case you ever need some deeper knowledge.
Defenseless Devices:
Attackers will try to compromise all the things. One ISP’s 600,000 Dead Routers, back at the start of June, 2024, was a curious tale of woe. I’m sure that was a disgruntled employee, but if an ORB farmer happened upon a treasure trove of that size, and they could manage it surreptitiously, it would be like bringing in a gusher oil well.
The more usual course of action is that a bad actor gets information about an exploit that will work against a type of router. Then they go to Shodan, or perhaps their own internal database, if they’re a large enough player, and start working through the list of vulnerable machines. The first thing you can do with a compromised router is set it up as an exit. The ORB network operator sells their client access to a certain number of systems in a specific geographic area.
The other thing that’s possible is snooping the victim’s traffic, but I’m not sure how common that is. Poorly protected consumer routers in large flocks are not particularly powerful, nor do they usually have traffic capture capability. I have a MikroTik RB941 I use for testing, a $30 device, and I keep buying this type because it provides SPAN (port mirroring, or sniffer) capability. With a couple of patch cables, the MikroTik and a Raspberry Pi 5 fit in my backpack; all together it’s half a pound of potent troubleshooting kit for when I’m out and about, dealing with a badly behaved network.
Several years ago I was tracing a right-wing extremist; I found where he’d slipped and revealed he was using Russian DNS servers, and that he was pushing an Android application that provided “HOT BIKINI GIRLS” backgrounds. The marks would install it, get their titillation, and he got another phone with the Andrax toolkit on it. The game is a little different with cell phones: they’re used like compromised routers in that they’re an endpoint, but the client is wise enough to avoid using the cellular network. When the phone is at home on WiFi, a low bandwidth stream will pass unnoticed. When it’s on the network at work … the victim is giving a bad guy a foothold inside a private space.
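The “low bandwidth stream that passes unnoticed” is exactly what a defender can look for on the office network: a phone that talks to the same outside address every few minutes, moving a few hundred bytes each time, for hours on end. The script below is an added example, not code from the post or from any tool named in it. It works over constructed flow records (timestamp, source, destination, port, bytes) of the kind a router with a SPAN port or NetFlow export would give you; the addresses and the 300-second interval are made up for the demonstration, and the thresholds are starting points to tune, not measured values.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed sample flow records, not a real capture: (timestamp_s, src_ip, dst_ip, dst_port, bytes).
# A phone on the WiFi (192.168.1.23) talks to an assumed relay address every 300 s for three hours,
# exchanging a few hundred bytes each time; the same phone also browses normally; a laptop connects twice.
BEACON = [(t, "192.168.1.23", "203.0.113.7", 443, 380 + ((t // 300) % 3) * 10)
          for t in range(0, 3 * 3600 + 1, 300)]
BROWSING = [(t, "192.168.1.23", "198.51.100.20", 443, n)
            for t, n in [(10, 48000), (75, 120000), (400, 9000), (2100, 600000),
                         (2150, 15000), (7000, 80000), (7003, 220000)]]
LAPTOP = [(0, "192.168.1.40", "203.0.113.7", 443, 400),
          (900, "192.168.1.40", "203.0.113.7", 443, 400)]
FLOWS = BEACON + BROWSING + LAPTOP


def summarize_flows(flows):
    """Group flows by (src, dst, port) and describe each conversation's timing and volume."""
    groups = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        groups[(src, dst, port)].append((ts, nbytes))
    summaries = {}
    for key, recs in groups.items():
        recs.sort()
        times = [t for t, _ in recs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps) if gaps else 0.0
        # Coefficient of variation of the inter-connection gap: near 0 means clockwork timing.
        jitter = pstdev(gaps) / mean_gap if len(gaps) > 1 and mean_gap > 0 else 1.0
        summaries[key] = {
            "count": len(recs),
            "avg_bytes": sum(n for _, n in recs) / len(recs),
            "span_s": times[-1] - times[0],
            "mean_gap_s": mean_gap,
            "jitter": jitter,
        }
    return summaries


def find_beacons(flows, min_count=6, max_avg_bytes=2000, max_jitter=0.25, min_span_s=3600):
    """Return (src, dst, port) tuples that look like a persistent low-bandwidth control channel:
    many small connections, spread over at least an hour, at regular intervals."""
    hits = []
    for key, s in summarize_flows(flows).items():
        if (s["count"] >= min_count and s["avg_bytes"] <= max_avg_bytes
                and s["jitter"] <= max_jitter and s["span_s"] >= min_span_s):
            hits.append(key)
    return sorted(hits)


if __name__ == "__main__":
    stats = summarize_flows(FLOWS)
    for src, dst, port in find_beacons(FLOWS):
        s = stats[(src, dst, port)]
        print(f"{src} -> {dst}:{port}: {s['count']} flows, {s['avg_bytes']:.0f} B avg, every {s['mean_gap_s']:.0f} s")
```

The browsing traffic is excluded by its volume and irregular timing, and the laptop by its connection count, so only the clockwork conversation surfaces. Real implants add jitter on purpose, which is why the check is a tolerance on the coefficient of variation rather than an exact interval.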
Defended Devices:
Hosting systems are another popular target, but they’re dramatically more capable than a consumer device. It’s very normal for a poorly maintained Linux system to get cracked, patched by the intruder, who then plays nice in terms of resource use so as to maintain access.
My work last month involved a poorly defended system that was cracked and then lightly used. The intruders were aiming at the domain of a small business hosted on the system. They had come to within a phone call of making off with about $95,000 in November and they were frantically trying to replicate the circumstances. Today that system is on a shiny new VPS with a touchy adaptive firewall setup. I wanted to banish all of the IP address blocks from APNIC, AfriNIC, and LACNIC, but there’s just enough international business to put that out of reach. I haven’t given up on making the machine an even bigger pain than it already is; tonight I’m just resting :-)
Four times in the last three years I’ve had Hexnode running on all of my devices, and then for various reasons things didn’t move forward. The fourth time was the charm: Hexnode is funded, and I even went so far as to bring in a little Windows 11 machine so I can get familiar with it. This framework will protect Android, Apple, Windows, and various kiosk systems. There’s no Linux support and that’s just fine; securing it is much simpler than any graphical OS.
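The tension in that paragraph, wanting to ban whole regions but having to keep a handful of overseas customers reachable, is the usual shape of an adaptive firewall on a small VPS: ban on behaviour, but carve out the addresses the business actually needs. The script below is an added example and not the post’s own setup; it reads constructed sshd log lines (not from the server described), counts failed logins per source, bans anything over a threshold unless it sits in an assumed partner allowlist, and renders the bans as nftables commands against a named set. The allowlist prefix, the set name and the choice of nftables are all assumptions for the demonstration.

```python
import ipaddress
import re
from collections import Counter


# Constructed sample sshd journal lines (not from the page's server), repeated to simulate a brute-force run.
def _failed(ip, user="root"):
    return f"Jan 14 03:12:01 vps sshd[2311]: Failed password for {user} from {ip} port 51234 ssh2"


SAMPLE_LOG = "\n".join(
    [_failed("203.0.113.45")] * 6
    + [_failed("203.0.113.9", "invalid user admin")] * 7
    + [_failed("198.51.100.77")] * 2
    + ["Jan 14 03:20:44 vps sshd[2390]: Accepted publickey for deploy from 198.51.100.10 port 40022 ssh2"]
)

# Assumed: the overseas customers who keep a blanket regional block off the table live in this prefix.
PARTNER_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/28")]

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+")


def count_failures(log_text):
    """Count failed-password events per source address; successful logins are ignored."""
    return Counter(m.group(1) for m in FAILED_RE.finditer(log_text))


def is_allowlisted(ip, allowlist=PARTNER_ALLOWLIST):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)


def decide_blocks(log_text, threshold=5, allowlist=PARTNER_ALLOWLIST):
    """Split offenders into those to ban and those exempted by the allowlist.
    Exempted sources still get reported so a human can look at them."""
    block, exempt = [], []
    for ip, n in count_failures(log_text).items():
        if n < threshold:
            continue
        (exempt if is_allowlisted(ip, allowlist) else block).append(ip)
    return {"block": sorted(block), "exempt": sorted(exempt)}


def nft_commands(ips, table="inet filter", set_name="banned"):
    """Render nft commands that add each address to a named set. The table and set are assumed to
    already exist, with a rule that drops traffic from members of the set."""
    return [f"nft add element {table} {set_name} {{ {ip} }}" for ip in ips]


if __name__ == "__main__":
    verdict = decide_blocks(SAMPLE_LOG)
    for cmd in nft_commands(verdict["block"]):
        print(cmd)
    for ip in verdict["exempt"]:
        print(f"# {ip} exceeded the threshold but is in a partner network; review by hand")
```

Run against the sample, the script bans the one noisy outsider, leaves the two-failure source alone, and flags rather than bans the partner-network address that also tripped the threshold. That last case is the one worth keeping an eye on: a partner address hammering your SSH port may mean the partner has been compromised.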
Conclusion:
Did you notice Where Globalization Dies or But Alas, We Live In Interesting Times? Exec summary: China and Russia are sabotaging submarine cables in the Baltic and around Taiwan. Did you notice Avoiding Salt Typhoon? China has cracked a large portion of our cellular network providers. There is some coordination to it, but don’t imagine Putin and Xi on their respective red phones, coordinating each step. There is a network of network threats looking at us, some stealing, some snooping, and some looking to do actual real world harm.
Way back on September 27th, I said We ARE Fighting. The U.S. has long been a “hot” cyberconflict zone from my perspective; two weeks from now there will be tens of millions of brand new targets, and a whole bunch of people are going to be dealing with a dramatically escalated base threat level. Prepping for this was a direction I quietly set for myself at the start of the 3rd quarter last year. I would like to have been much further down the road, but I can’t complain about where I am at the moment.
Just the other day, in Snitchuational Awareness, I suggested I might replace one of the articles on the masthead with a new piece that contains best practices for those who will need to do some of their own counter-intelligence. I’ve previously kept the technical stuff in ToolTime and there’s an article for that, but it very much speaks to those who are roaming around, looking at all the things, and perhaps engaging. I think that’s going to get an update, adjusting it to speak to those who know they need better defenses for themselves, or for small groups.
When I used to perform “network exploitation” ..
I would set a simple crontab on Juniper routers to execute /cf/var/home/username/.vimrc which contained a line echoing an SSH public key I made into the /cf/var/home/username/.ssh/authorized_keys .. it was a simple way of maintaining access, after obtaining it.