Nice side story: a hacker who had been active on Russian-language forums since 2020 accidentally infected his own computer with the malware he was using, and so ended up selling his own information to security researchers at Hudson Rock. Hudson Rock staff were thus able to identify the hacker, known as La_Citrix, and hand the data over to law enforcement.
According to Dark Reading, the hacker, using the alias La_Citrix, traded in credentials for corporate Citrix, Remote Desktop Protocol (RDP) and VPN servers, which he sold to the highest bidder on Russian-language dark web forums. He obtained the credentials with an infostealer, and his campaigns can be traced back to 2020.
Then La_Citrix accidentally infected his own computer with the malware. In doing so, he seems to have unknowingly sold his own data along with a batch of stolen data to security researchers from Hudson Rock, who monitor dark web activity and buy up such threat data.
Hudson Rock is an Israeli cybercrime intelligence company. The company specializes in locating compromised credentials of threat actors, which are then fed into "Cavalier." This is a threat intelligence monitoring and notification product for cybersecurity professionals that informs about compromised credentials of employees, partners and users.
The first indication that something unusual was going on came when Hudson Rock's API found a single user in the stolen data who showed up "as an employee" at nearly 300 different companies, according to a Hudson Rock report.
Closer analysis showed that La_Citrix had accidentally infected his own computer with the infostealer while infecting other computers, so his own data was presumably sold along with the rest without the hacker noticing. The security researchers were able to identify La_Citrix when they looked at other hackers who had been infected by infostealers and had access to known cybercrime forums.
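The two signals described above (one identity tied to an implausible number of companies, and saved logins for known cybercrime forums) can be checked mechanically in infostealer log data. The following Python is an added example, not Hudson Rock's code or anything from the report; the records, the company domains and the forum domain are all constructed placeholders, and the domain extraction is deliberately crude (a real pipeline would use the Public Suffix List).

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical webmail/personal domains that should not count as "companies".
PERSONAL_DOMAINS = {"google.com", "outlook.com", "yahoo.com"}

# Constructed placeholder for a known cybercrime-forum domain (not a real site).
FORUM_DOMAINS = {"known-forum.example"}


def registrable_domain(url: str) -> str:
    """Crude eTLD+1: the last two host labels. Good enough for the constructed
    sample; real data needs the Public Suffix List (e.g. 'x.co.uk')."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


# Constructed sample stealer-log records (not real data): one record per saved
# browser credential, tagged with the id of the infected machine it came from.
SAMPLE_RECORDS = [
    {"machine": "M-001", "url": "https://vpn.alpha-corp.example/login", "user": "j.doe"},
    {"machine": "M-001", "url": "https://mail.google.com/", "user": "jdoe"},
    {"machine": "M-002", "url": "https://remote.beta-inc.example/rdweb", "user": "a.smith"},
    {"machine": "M-002", "url": "https://portal.beta-inc.example/", "user": "a.smith"},
    {"machine": "M-003", "url": "https://citrix.gamma-ltd.example/", "user": "ops"},
]
# The outlier: one machine whose browser stores logins for 40 distinct companies
# plus a saved login on the (constructed) forum domain.
SAMPLE_RECORDS += [
    {"machine": "M-999", "url": f"https://vpn.victim{i:03d}.example/", "user": "admin"}
    for i in range(40)
]
SAMPLE_RECORDS.append(
    {"machine": "M-999", "url": "https://known-forum.example/login", "user": "seller"}
)


def companies_per_machine(records):
    """Map each infected machine to the set of distinct corporate domains for
    which its browser stored a credential (webmail and forums excluded)."""
    corp = defaultdict(set)
    for rec in records:
        dom = registrable_domain(rec["url"])
        if dom and dom not in PERSONAL_DOMAINS and dom not in FORUM_DOMAINS:
            corp[rec["machine"]].add(dom)
    return dict(corp)


def flag_outliers(records, threshold=20):
    """Machines that appear as an 'employee' of more companies than a single
    real victim plausibly would; returns (machine, count), highest first."""
    hits = [
        (machine, len(domains))
        for machine, domains in companies_per_machine(records).items()
        if len(domains) >= threshold
    ]
    return sorted(hits, key=lambda item: -item[1])


def machines_with_forum_logins(records, forum_domains=FORUM_DOMAINS):
    """Machines whose saved credentials include a known cybercrime-forum domain."""
    return sorted(
        {rec["machine"] for rec in records if registrable_domain(rec["url"]) in forum_domains}
    )


if __name__ == "__main__":
    for machine, count in flag_outliers(SAMPLE_RECORDS):
        print(f"{machine}: saved credentials for {count} distinct companies")
    print("forum logins on:", machines_with_forum_logins(SAMPLE_RECORDS))
```

Run as a script it reports only M-999; ordinary victims in the sample hold credentials for one company each and never cross the threshold. The threshold is a tuning knob: a consultant or MSP laptop can legitimately hold logins for a dozen clients, so in practice the count is combined with the forum signal rather than used alone.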
The security researchers then inspected La_Citrix's computer more closely. Surprisingly, this threat actor ran all of his hacking activity from his personal computer, and the browsers installed on it stored the corporate credentials used in the various attacks.
The data that could be retrieved from La_Citrix's computer, such as the list of "Installed Software," revealed the hacker's true identity, address and phone number, along with other incriminating evidence, such as "qTox," a messenger well known for its use by ransomware groups, being installed on the machine. The security researchers then shared this data with law enforcement. More details can be read in the Hudson Rock report.