Three Ways that Security Researchers Trolled Hackers

The year 2016 has not really been a standout for information security. This was the year that the Russians hacked the DNC (and now the RNC, apparently), the year that ransomware authors bricked an entire transit system, and the year that the IoT literally broke the internet. Like most of the population, the security community can’t wait to say goodbye to 2016.

In light of all this bad news, we wanted to share a few rays of sunshine. Not all malware is created equally, not every hacker is an unstoppable mastermind, and not every company is riddled with vulnerabilities. Here are a few times that security researchers, white-hat hackers, and other good Samaritans were able to pull one over on the bad guys.

Transit Hackers Get Hacked Back

The big news over Thanksgiving weekend was that a group of hackers managed to fully encrypt the fare terminals in San Francisco’s municipal transit system. Much of what follows that story is good news: the city decided to give free fares to all commuters, and the transit terminals were un-encrypted without any ransom having to be paid.

Part of the hacker’s shtick was to plaster every infected endpoint with a message saying, “You are Hacked!!!!”, as well as a contact email for an encryption key: [email protected]. Seeing this message, an anonymous security researcher was able to find the hacker’s email account, guess the answer to the secret question used for password recovery, and then break in.

Not only was this accomplished using literally the easiest hacking method known to man, but it also exposed revealing secrets about the attacker. We now know the tools he commonly uses, his likely location (signs point to Iran), and several of his other victims. Using this data, it may be possible to triangulate his location and stop him once and for all.

Security Researchers Pwn Ransomware Author

Not all ransomware is created equal. A variant named fs0ciety (an homage to TV’s Mr. Robot) had been plaguing users since August 2016, but in late October, the author apparently decided to hang up his hat. He approached security researcher Fabian Wosar and offered him what seemed like a sweetheart deal: 200 decryption keys and a working source code copy for just 100 Bitcoins (about $78,000).

Little did the hacker know that Wosar had already hacked into fs0ciety’s C2 server and pillaged over 11,000 decryption keys—for free!—and had been secretly using them to help the attacker’s victims. The hacker was so enraged and dismayed by this revelation that he lashed out at the researcher on Twitter before shutting down his entire operation.

White-Hat Hacker Tries to Shame Us Into Better Passwords

One of the huge problems with the Internet of Things, is that the devices use hard-coded administrator passwords, which no one ever seems to change. This is how botnets like Mirai were able to log in and infect vast swathes of the IoT in order to launch some truly terrifying DDoS attacks. Leo Linsky, a security researcher with some out-of-the-box problem-solving skills, has proposed that we try to fix this problem—by using malware.

Here’s the concept: Mirai works because it stores a vast list of IoT device passwords. As soon as it sees a device online, it tried to login and infect it. Linsky’s idea is similar, except instead of using the infected device as a component in a botnet army, Linsky’s concept simply changes the default passwords and deletes itself. To be fair, there’s approximately zero chance this virus will ever be used in the wild—but it’s nice to dream of such an easy solution to an incredibly complex and frustrating problem.

Time to Shut Down Hackers with SentinelOne

Are you jealous of these success stories? Do you wish that you could effortlessly blunt hackers’ efforts to attack your most secure systems? SentinelOne can help administrators defend their servers and endpoints against both known and unknown threats, using a combination of static analysis and machine learning. For more information on how SentinelOne can help you troll your adversaries, contact us today.