‘I’m Selling Access To An MSP’: How Three Vendors Teamed To Foil Hacking Plot
MSP vendors Datto, Huntress Labs and ConnectWise helped save an MSP's access credentials from being sold on the dark web’s auction block.
A chilling post to an online black-market bulletin board that began “I’m selling access to an MSP…” was spotted by channel security researchers who were then able to catfish the suspect, warn the MSP and work with the FBI, which later arrested him.
“We decided amongst the Datto and Huntress teams that we weren’t going to stand for hackers to come after MSPs,” Huntress CEO Kyle Hanslovan told CRN. “What started out as a simple Torum post – where hackers sell vulnerabilities, they sell access, they sell stolen credit cards, you name it – we decided to take it a step further.”
Over the course of a few months the hacker known as “w0zniak” had used his jobs as a systems engineer at an MSP and at a tax preparation service to steal account information for businesses and individuals – from the inside – and then post ads on the dark web offering to sell that information, according to federal court records.
However, a team of security professionals from Huntress Labs, Datto, and ConnectWise helped federal agents track him down before the information he offered could be used to carry out an attack.
“When you work inside of a community that is facing an endemic threat, the best way to build a defense mechanism is through transparency and collaboration, to the extent that it’s possible,” Datto chief information and security officer Ryan Weeks told CRN. “So we’re hoping to use this as an example of how we can work effectively together to protect the community.”
Marquavious D. Britt, 26, of Augusta, Ga., is charged in U.S. District Court in Atlanta with computer fraud and abuse as well as access device fraud.
Following his initial appearance in court, he was granted a $15,000 unsecured bond and placed on GPS monitoring and home confinement. He was additionally forbidden to use any computer or internet-connected device for the duration of his case.
Britt, a former employee of Chimera Technologies, which is affiliated with Chimera Innovations LLC, is accused of attempting to sell, via the dark web, credentials that could be used to gain access to the MSP's internal systems. Those credentials, in effect, could allow bad actors to access the customer data being managed and protected by Chimera.
Attempts to reach Britt through his lawyer were unsuccessful. Reached Monday morning, attorney Holly Chapman said she represented Britt at his appearance but is no longer representing him. She said his counsel would likely be assigned by the Northern District court where his case was transferred. No attorney has yet been assigned according to paperwork there.
The U.S. Attorney's Office for Georgia's Northern District had no comment outside of the court filings.
An automated dark-web crawler created by Datto was the first to raise the alarm about the post on Torum’s bulletin board.
“I'm selling access to a MSP,” Britt posted under the name "w0zniak," according to federal case files. “They're located in the U.S., eastern side … I have admin access to the hosting panel, passwords for each client is provided and you'll access them through RDP [Remote Desktop Protocol] … 20 in total, notably several law offices, accounting firms, food industry company, and a pharmaceutical company.”
To Hanslovan and Weeks, the message fit perfectly within the roles that they have seen develop in the black market for ransomware in recent years.
“You’ll often see developers who will make the malware, but won’t conduct the attacks,” Hanslovan said. “They’ll be cut in. They’ll be the ones making the ransomware. You’ll then see folks that specialize in getting initial access, and then the common thing is to sell it to a spreader. That’s how that economy works. Everyone adding their additional fee on board.”
Weeks said it appeared “w0zniak” was someone who strictly peddled access to a network, the first of the three roles that assist with carrying out attacks.
“They’re trying to monetize that entry that they’ve gained to another attacker in order to let them finalize the attack chain,” Weeks said. “What would have happened, had we not been able to work to prevent this attack, this initial infection attacker would have sold this access to a ransomware-as-a-service affiliate who would be the one that delivers the ransomware in the MSP environment. They would be working with a ransomware-as-a-service provider in the dark web in order to have access to ransomware to deliver.”
Weeks and his team at Datto knew the stakes were high, yet they were unable to glean any information that would lead them to the MSP or its customers from the post that ‘w0zniak’ had made. Weeks said they decided to bring in reinforcements.
About a month before this, Weeks and Huntress Labs’ VP of ThreatOps John Ferrell had started a loose-knit, online chat group of fellow security professionals from the MSP vendor community, where they could come to swap news about threats.
“We share information as we get it from various different sources, attacks, threat intel sharing,” Weeks said. “Most major RMM members have someone in that community, so it just felt like the right place to share it.”
Weeks said the community is focused on exploring the way attackers do what they do and how to build defensive measures against it. Hanslovan said the group has proven to be aggressive and effective at targeting threats to solution providers.
“It is a get-[expletive]-done community,” Hanslovan said. “You can talk about formalities, or you can just get it done.”
The group was born out of the startling increase last year in ransomware attacks, many of which were carried out through the software tools that MSPs rely on. Weeks said they found the best time for conversations and collaboration between channel vendors is before an attack happens.
“When an MSP gets attacked, they can literally have a piece of software from every major channel vendor and a bunch of other channel vendors too, so instead of us trying to figure out who to contact and coordinate, and share information, it's just better to have an active community where I already have a contact,” he said. “That community is paying a lot of dividends right now. It’s reducing a lot of friction.”
After w0zniak’s Torum post was shared among a small group of those participants, Hanslovan and Weeks emerged with two goals in mind.
“Either, ‘A’ attribute who is this hacker? Or, ‘B’ at a very bare minimum, see if we can actually discover who was the affected partner. As you can imagine, the affected partner was much more on our minds,” Hanslovan said. “So we said ‘We’re going to try social engineering this hacker.’"
In a tactic also known as ‘catfishing,’ Hanslovan, using a Torum screen name he had previously established, asked w0zniak to provide the promised screenshots that would show he was not bluffing.
“Can we figure out what this hacker's goal is? More importantly, can we get them to disclose any information that would allow us to determine who the victim was?” Hanslovan said. “After about a day of communicating over encrypted chat, we managed to actually get it. As I was texting this person on an encrypted chat platform, you can’t take screenshots on your phone, because the application notifies the hacker on the other end that we were recording the content. We had to do it the old-fashioned way and use another phone to take a picture of our phone.”
The screenshot had computer names and some IP addresses, Hanslovan said. Using open-source records and the scant information provided, Huntress was able to ferret out the names of two of the MSP's customers: a law firm and a pharmaceutical company. From there security researchers cold-called the customers and asked who provided their IT services, which led them to Chimera, and another problem.
“You can imagine we couldn’t call them up and say, ‘Oh you’re being hacked,’" Hanslovan said. “The goal is to let the MSP know and let them respond appropriately. When we finally did call the MSP, the first response was ‘This sounds fishy. It sounds like a scam. We’re not going to fall for that.’ I don’t fault them for that.”
Hanslovan said during the process of trying to figure out who the MSP was, Huntress discovered that the company was a ConnectWise partner. He said when the MSP was wary of Huntress’ overture to help, Hanslovan contacted ConnectWise's then-CISO, who was also a participant in the MSP security chat community. That was Oct. 9.
According to an affidavit in Britt’s file, the following day a confidential FBI witness contacted “w0zniak” about buying access to the MSP. The FBI said this particular witness has provided “reliable and corroborated information” on “multiple occasions that has resulted in open investigations and identified subjects” for more than two years. The unnamed witness negotiated the price down to $450 in cryptocurrency.
“After the purchase, the FBI reviewed the account sold to the (witness),” the agent’s affidavit states. “The administrator credentials provided to the CHS were username: ‘mbritt@[VICTIM-1].com’ and password: ‘Quay#7816!’. The FBI confirmed that the stolen administrator account was in fact that of VICTIM-1. Agents also confirmed that 7816 is the last four digits of Britt’s social security number.”
But there was more evidence that tied Britt to the hacker alias ‘w0zniak,’ the FBI said.
“In response to a subpoena, Coinbase confirmed the wallet which was provided to the (witness) by w0zniak was in fact registered to Britt,” the FBI said. “In fact, Coinbase provided the FBI an uploaded scan of Britt’s Florida driver’s license, name, [social security number], email address, home address, and date of birth.”
Additionally, Britt had linked a Chase bank account in his name to the Coinbase account he used to receive payment. The IP address used to access Britt’s Coinbase account is also the same one used by ‘w0zniak’ when he sold MSP access to the cooperating witness. The Coinbase documents match those given to Atlanta-based Chimera when he was given a job there.
“We didn’t send the hackers away forever,” Hanslovan said. “However, with the collaboration, with the right skills, you can make a huge difference. This could have been, maybe not game over, but a hard hit to their ability to operate.”
Britt’s former boss, Chimera Co-owner Raymond Alexander, said it wasn’t Britt’s first attempt at doing something untoward. Prior to this, Britt had been working as Chimera's project manager on a pharmaceutical account and had accessed the customer CEO’s emails, then threatened to expose the information to competitors if he was not paid. The FBI included the July 26 email in court documents.
Additionally, Alexander said Britt also disabled the web hosting account of a food processing customer. Yet, Alexander said he felt as if the young man could be turned around.
“My team was like ‘Look. We need to prosecute. We need to go to the police.’ I was like ‘No. I don’t want the headache. I don’t want the stress,’” Alexander said. “I told him ‘Don’t do it again.’ He was young. I knew he didn’t have any direction. He did not know where he wanted to go. I was young once. I don’t know if I was that foolish, but I was young once and I just wanted him to have an opportunity to do something good. And he didn’t take advantage of it. It is what it is.”
The FBI is also investigating the posts Britt allegedly made as w0zniak early last month, prior to his arrest, in which he said he had access to a “Fortune 500” company that worked in tax preparation.
The Augusta Chronicle newspaper, which was at Britt’s Jan. 21 hearing, said he previously worked for TaxSlayer.
An email sent to TaxSlayer seeking comment early Monday morning was not immediately returned.
According to court records, Britt as w0zniak claimed to have collected 16,000 W-2s, social security numbers, and bank accounts. He was selling access to checking and savings accounts holding between $20,000 and $90,000. In that post, w0zniak offered access to the accounts for between $5,000 and $7,000 in cryptocurrency. For $20,000 in Bitcoin, he offered all of them.
“What you do with it is your business,” w0zniak wrote. “Serious inquiries only.”