This will put a smile on your face: we love hearing stories of bad actors getting what's coming to them. That is always satisfying, but this time not only was a group of wannabe hackers served (literally), many of them also infected themselves with malware by misconfiguring their own hardware.
Cybersecurity startup Buguard has been hard at work hacking hackers. Using a vulnerability it discovered, it disrupted malware and ransomware servers and locked out their operators. TechCrunch reports that the company has already taken five command and control (C&C) servers offline, four of which have gone completely dark.
The counterattacks became possible after the source code of a piece of malware called Mars Stealer was leaked online. Mars Stealer is a malware-as-a-service platform on which hackers rent server time to launch attacks. Once the source code leaked, hackers started setting up their own servers instead of paying.
Even before Buguard got hold of the code, incompetent hackers were already doing a decent job of sabotaging their own servers, thanks to faulty installation instructions that leaked along with the code.
Victim records and stolen data were left completely open online. According to Morphisec, malware operators who followed the flawed instructions ended up configuring their command and control servers to inadvertently grant “Full Access (777)” to the world, that is, Unix permissions letting anyone read, write and execute the server's files. In some cases, the would-be hackers' incompetence left “significant assets” exposed.
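The “777” mistake described above, as an added example that is not from the article, Buguard or Morphisec: a small Python audit that walks a directory tree and flags every entry readable or writable by everyone. The `uploads` folder, `victims.db` and `server.log` names are constructed for the demo.

```python
import os
import stat
import tempfile
from pathlib import Path

# Added example (not Buguard's or Morphisec's code). Mode 777 = rwxrwxrwx:
# owner, group and everyone else may read, write and execute the entry.

def audit_permissions(root: str) -> dict:
    """Walk `root` and bucket each entry by its 'other' permission bits.
    Returns sorted relative paths under world_writable / world_readable /
    private (no access for 'other')."""
    findings = {"world_writable": [], "world_readable": [], "private": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode      # lstat: don't follow symlinks
            rel = os.path.relpath(full, root)
            if mode & stat.S_IWOTH:
                findings["world_writable"].append(rel)
            elif mode & stat.S_IROTH:
                findings["world_readable"].append(rel)
            else:
                findings["private"].append(rel)
    return {key: sorted(paths) for key, paths in findings.items()}

def build_demo_tree() -> str:
    """Constructed tree mimicking the bad install: a folder and a file
    chmod'ed 777 next to a log with a sane 0o640. Returns the root path."""
    root = tempfile.mkdtemp(prefix="perm_audit_")
    exposed = Path(root, "uploads")            # hypothetical victim-data dir
    exposed.mkdir()
    (exposed / "victims.db").write_text("constructed sample\n")
    os.chmod(exposed, 0o777)                   # the "Full Access (777)" mistake
    os.chmod(exposed / "victims.db", 0o777)
    log = Path(root, "server.log")
    log.write_text("constructed sample\n")
    os.chmod(log, 0o640)                       # owner rw, group r, others none
    return root

if __name__ == "__main__":
    for category, paths in audit_permissions(build_demo_tree()).items():
        print(f"{category}: {paths}")
```

Pointing `audit_permissions` at a real web root gives a quick list of anything the "other" bits expose; the fix for a 777 entry is normally 0o750 for directories and 0o640 for data files.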
Then Buguard looked at the Mars Stealer source code and found a vulnerability. The researchers developed an exploit for the bug that let them break into command and control servers, including those whose operators had configured them properly, and take them over.
Once inside, Buguard deleted victim records and stolen data and disconnected infected computers from the command and control server. To add insult to injury, the researchers changed the Mars Stealer dashboard passwords so that operators were locked out of their own systems. The counterstrikes effectively put five servers out of service, as operators had to start over from scratch to reconfigure their servers and re-infect their victims. Of the five C&C systems Buguard took down, only one is back online.
While it's great to hear about hackers getting a taste of their own medicine, what Buguard did wasn't exactly legal, turning its white hat grey. Technically, it is illegal to break into any computer system, regardless of its use, unless you are law enforcement with a warrant. The general rule in security research is to search, document and report, but don't touch.
However, Buguard plans to get the authorities involved and help them take down more servers. In the meantime, it is not publishing any details of the vulnerability, which is also present in a similar malware called “Erbium,” so the black hats don't know what to patch.