Hear Ian Thornton-Trump speak on “The Art and Science of Post-Perimeter Security” at the ChannelPro Cybersecurity Online Summit on August 5th. Register here!
Cyprus amended its constitution in 2013 to allow for the extradition of Cypriot nationals to European countries and various others on the basis of a European arrest warrant or a bilateral or multilateral treaty.
In July 2020, the United States Department of Justice (DOJ) received its first Cypriot cybercriminal, Joshua Polloso Epifaniou, who had been in jail in Cyprus since 2018. At the time of his arrest he was 18, but according to court documents his computer-related crimes date to 2014—meaning that Epifaniou was 14 years old when he began his now short-lived cybercrime career. He is now 21 and about to face the full force of the U.S. DOJ.
Epifaniou is charged with conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer fraud and identity theft, and extortion related to a protected computer. Interestingly, he was wanted and indicted for crimes in both Atlanta and Arizona. The victims include:
- Armor Games, a free online game publisher based in Irvine, Calif.;
- Adafruit Industries, a hardware company based in New York City;
- Snagajob, an online employment website headquartered in Innsbrook, Va.;
- Bleacher Report, an online sports news website owned by Turner Broadcasting System in Atlanta, Ga.;
- Ripoff Report (ROR), a company located in Phoenix, Ariz.
His approach was simple: extort a Bitcoin ransom from these businesses by convincing them that he was in possession of customer information and would publicly disclose it if no payment was forthcoming. Given the variety of the businesses Epifaniou targeted, a deep dive into his methodologies provides valuable intelligence that could help thwart similar attacks on other organizations in the future.
Epifaniou profiled his targets by using Alexa Internet, a web traffic analysis company, to determine the size of each company. His first two victims, Armor Games and Adafruit, appear to have had security vulnerabilities on their public facing websites. “Epifaniou gained unauthorised access to the public website through a security vulnerability and injected malicious code into the website to exfiltrate user and customer data”, said his indictment.
The first useful piece of actionable intelligence that can be gleaned from Epifaniou’s case, then, is that the use of a free or paid for website vulnerability scanner on a monthly or quarterly basis should be de rigeur. Detecting and remediating website SQLi vulnerabilities would have thwarted Epifaniou’s attack.
The tactic in the Snagajob and Bleacher Report attacks was similar but with a couple of interesting twists which, from an intelligence perspective, will provide valuable information. Epifaniou did not exploit these two websites; instead, he engaged with a co-conspirator who had breached the victim’s networks previously and exfiltrated some of their data. Epifaniou lied to both victims, clamming he had the full database. Bleacher Report asked for verification of the data before payment and using the fraction of the data he had, Epifaniou convinced Turner Broadcasting that he had all their data.
This, then, is the second piece of actionable intelligence we can glean from this situation: not all data breaches are complete data breaches. In some cases, they could be just a portion of your data or recycled data from previous third-party breaches. A monthly “security database record” can be added via an SQL script to your database. Using an example like “Mr. August”, Mrs. July”, or “Mr. September”, you will then have placed a security record into the data whereby you can demand the malicious actor provide the specific entry for the record number of the first and last security tokens that were added to the database.
There is an added bonus to this security control. Should your database be publicly disclosed the last security token that was added can give you a time estimate in terms of when the database may have been stolen.
The crimes Epifaniou is charged with in Arizona relate to one victim—ROR. His illegal access to the ROR data base was facilitated by using a brute force attack to guess an account password, possibly the user “SA” who had administrative privileges to access the database.
These are the third and fourth pieces of intelligence we can use to both prevent and detect a malicious actor’s activities. If an admin account is compromised by brute force, it simply means that the password was too common or not complex enough to withstand the cracking attempts. To protect administrative and service accounts, therefore, the current best practice—as suggested in 2019 by a big four accounting firm conducting a security audit for a billion-dollar financial services firm I worked for—is a 16-character, complex, and random password.
The penultimate intelligence nugget stemming from this incident concerns building the capacity to detect and prevent brute force attacks. This can be done with all sorts of different technologies ranging from web application firewalls to SIEMS, but these solutions can be overly complex, expensive, and difficult to justify for a low volume website. The information needed to defend against this attack will be found in the logs on the database server. Brute force attacks are noisy and usually the attempts are made from a single IP address which will stick out like a sore thumb.
SolarWinds Paper Trail, a cloud-based log management solution can easily deploy this capability to any organization. By building a few simple alerts to parse the logs you can easily detect brute force and password spray attack patterns coming from an IP address—which you can then block from access. You can implement this detection capability for as low as $7.00 USD a month or with some simple Bash, Python, or Windows scripting programming.
The final piece of the actionable intelligence puzzle that we can take from Epifaniou’s cybercriminal activities was his monetization of his illegal access to ROR’s website. It is alleged that he worked with:
“…an associate at ‘SEO Company,’ based in Glendale, California, to identify companies that might be interested in paying for removal of complaints posted on ROR’s website. Epifaniou and his co- conspirator removed at least 100 complaints from the ROR database, charging SEO Company’s ’clients’ approximately $3,000 to $5,000 for removal of each complaint.”
Depending on the organization and the business that is transacted, most companies do not delete records unless there is a specific and generally approved reason. The deletion of records, therefore, is another easily identifiable activity that could have tipped off defenders had they been monitoring the SQL activity logs. The initial attack on ROR began on 18 November 2016 with the monetized access commencing on 9 December 2016 and ending on 9 May 2017. For seven months, Epifaniou had complete control over and access to ROR’s database.
There are so many things that we can learn from this cybercriminal’s activities, all of which are chronicled in the two indictments. The most pertinent piece of threat intelligence, however, relates to the events of 30 October 2014. Epifaniou removed database content from Armor Games’ website and took it offline. After a ransom was paid, the website was restored by Epifaniou on 31 October. Several days later, on 5 November, Epifaniou once again demanded a ransom for exploiting the SQLi vulnerability that he had used to conduct his first attack.
One would think that after their website had suffered such a significant incursion—notwithstanding its rapid restoration less than 24 hours later—Armor Games would have taken immediate steps to secure their website. It was clear a serious security problem existed, and Armor Games had paid two ransoms to the same attacker in less than a week. Calling in website security experts after the first attack had been detected would have been the prudent and intelligent course of action to take.
IAN THORNTON-TRUMP CD is an ITIL certified IT professional with 25 years of experience in IT security and information technology. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013. After a year with the RCMP as a Criminal Intelligence Analyst, Ian worked as a cyber security analyst/consultant for multi-national insurance, banking and regional health care. Today, as Chief Information Security Officer for Cyjax Ltd., Ian has deep experience with the threats facing small, medium and enterprise businesses. His research and experience have made him a sought-after cyber security consultant specializing in cyber threat intelligence programs for small, medium and enterprise organizations. In his spare time, he teaches cyber security and IT business courses for CompTIA as part of their global faculty and is the lead architect for CyberTitan, Canada's efforts to encourage the next generation of cyber professionals.