We had the opportunity to have a chat-interview with an actor going by the alias “espe0n” who operates on a well-known darknet forum – XSS.
The conversation provides an exploration of the operational strategies, methodologies, and motivations of a self-identified penetration tester and Initial Access Broker (IAB). Through a candid exchange, espe0n discusses their background, approach to cybersecurity breaches, and collaboration with ransomware groups. The dialogue delves into technical methods of system exploitation, credential harvesting, and persistence techniques, while also shedding light on the operational security measures employed to avoid detection and attribution.
‘espe0n’ shares insights into their preference for targeting LATAM and American organizations, citing weak security practices as a key factor. They emphasize the exploitation of user-related vulnerabilities, such as weak passwords and poor internal security protocols, alongside systemic flaws like outdated software vulnerabilities (e.g., MS17-010). The conversation also reveals their tools, infrastructure choices, and techniques for maintaining access, including the use of custom-developed tools, bulletproof hosting, and advanced evasion tactics.
This interview provides a glimpse into the mindset of a threat actor, offering valuable lessons for organizations aiming to strengthen their cybersecurity defenses. It highlights the importance of robust password policies, multi-factor authentication (MFA), and advanced endpoint detection and response (EDR) solutions in mitigating such threats.
Key Findings:
- Background and Role:
  - Espe0n has extensive experience in penetration testing and ransomware operations, working as both an independent pentester and an Initial Access Broker (IAB).
  - Previously collaborated with ransomware groups such as RansomHub (formerly the Knight ransomware group), and assisted affiliates of LockBit 3.0 and other ransomware groups.
- Target Selection:
  - Focuses on revenue and importance of targets, often targeting LATAM and American entities due to perceived weak security practices.
  - Frequently targets construction and government sectors in LATAM.
- Methods of Attack:
  - Common vulnerabilities exploited include MS17-010 (EternalBlue), weak or reused passwords, and flaws in internal applications.
  - Utilizes mass exploitation of recent CVEs, mass brute-forcing, and in rare cases, phishing.
  - Preferred targets for entry include email systems, chat applications, and ticketing systems commonly used by large companies.
- Credential Harvesting and Persistence:
  - Employs custom tools developed by associates or sourced publicly for brute-forcing and dictionary attacks.
  - Persistence is maintained using C2 servers, rootkits (primarily on Linux), and backdoors, often concealed in overlooked systems like NAS, ESXi, or vCenter shells.
- Operational Security (OpSec):
  - Practices rigorous anonymization using Mullvad VPN, Whonix, and communication through translators to mask typing patterns.
  - Transactions are conducted using Monero (XMR), later swapped for Bitcoin and mixed for additional obfuscation.
- Evasion Techniques:
  - Hides in locations unlikely to be checked during incident response, such as NAS shells, routers, or small systems.
  - Utilizes alternative credentials or systems to maintain access if primary entry points are discovered or shut down.
- Collaboration and Tools:
  - Works independently but has access to associates for tools like lockers and brute-force applications.
  - Prefers bulletproof hosting providers like NiceVPS and Kyun for hosting C2 infrastructure.
- Data Exfiltration:
  - Relies on tools like Rclone for data exfiltration, targeting NAS systems or databases accessed during network exploration.
- Perspectives on Security:
  - Observes that many vulnerabilities stem from user practices, such as weak or reused passwords and lack of 2FA.
  - Advocates for stronger password policies, enhanced EDR solutions, and widespread implementation of 2FA as crucial steps for improving security posture.
- Future Plans:
  - Plans to continue working as a pentester/IAB for ransomware groups, indicating willingness to collaborate with other groups as opportunities arise.
  - Expressed interest in developing faster and more efficient tools for data exfiltration.
Insights on Ransomware Operations:
- Groups like RansomHub adapt by rebranding after internal disruptions.
- Operators prioritize coders over affiliates as law enforcement targets.
- There is a trend among operators to shift groups when existing ones face significant disruption or scrutiny.
The Interview
Below we have presented the questions and answers without any modification. You may find grammatical errors.
Question: Welcome espe0n, to osint10x. Since this is your first interview, present yourself to the public, explaining what you do and why you decided to work in this sector?
espe0n: i’ve been pentesting for years, and i’ve worked for several ransomware groups. currently i do pentests and get access to resell or do targeted attacks.
Question: We noticed multiple government sector posts being sold on your profile. Is it your primary interest area?
espe0n: not much : ), incredibly these accesses I got by chance, this access in gov.br, was something I was messing around with and I saw that it has a lot of network involved, many sectors, so I decided to sell it to some LATAM pentester or something like that who was interested
I have more entry into LATAM companies and some American ones
Question: Why particularly LATAM and America?
espe0n: most are dumb : ) and have very easy flaws and the network is consequently easier to hack, I know many governments that have networks that have many bad internal security practices
Question: What are the most common security flaws you have witnessed?
espe0n: internal network? ms17-010, passwords that are used everywhere (even in raw systems like proxmox/esxi/vcenter) and usually the most common is to find emails or texts saying the system passwords.
now to access the networks, usually leaked passwords that they don’t change for months or flaws in their own applications that allowed me to escalate the privilege
Question: How do you usually decide your target – revenue/geo/industry? Do you have any rules for selecting targets?
espe0n: I always look at revenue or importance, the groups I worked for always had rules not to attack CIS countries, but I always resold it or made it on my own using my locker.
Question: Do you also have your private ransomware group or you work alone?
espe0n: no, I currently work alone, but I do have some contacts who can arrange lockers for me
Question: What are the common vulnerabilities you have witnessed?
espe0n: generally most failures are not the fault of the system, but of the user, I’ve already gained access to large networks and it was all the fault of the user using the same password for everything or leaving his password too weak
now if it’s network failures, I always target failures where it’s more likely to be large companies, such as email systems – chat – ticket – and others that I would think large companies would use.
Question: If you are comfortable: How long have you been working as a pentester? And, which all ransomware groups did you collaborate with?
espe0n: I’d say 3 years now (as a ransomware operator and pentester). I’ve contributed to groups like ransom hub where I’ve been an affiliate, but I’m not very present in the knight ransomware group (former group before ransom hub was rebooted), and I’ve contributed by helping members of other ransomware, like Qilin, lockbit 3.0 and others, but I’ve only helped members, never affiliated with them. ransomgang I’ve helped as an IAB before for some.
Question: Just to confirm, you are saying that RansomHub is the latest version of the knight ransomware group?
espe0n: yes, I started at hub when it was knight ransomware, but there was some internal problem and they changed their name and entire look because of that
probably one of the owners left and they rebuilt the group, leaving the same members.
Question: How do you operate now – as an IAB or ransomware affiliate or member of a ransomware group?
espe0n: both, except that I worked much more as a ransomware operator, but I hunted down my entry points and so on myself.
Question: What is your most preferred method of gaining access to a company’s network – stealer logs/exploiting CVEs/phishing attacks/buying access from others?
espe0n: I’ve never purchased access, it’s always been through exploits or weak passwords like bruteforce, phishing only in more specific cases when they pay me to get access.
Question: Talking about your network access in LATAM, what sectors are easier to infiltrate?
espe0n: generally the ones I have the most of are the construction ones, and others involving the government itself are the most common for me
Question: You said you function both as an affiliate and an IAB. Which group are you currently working with?
espe0n: I currently do some work for ransomhub.
Question: You probably know what happened between Lockbit and Operation Cronos, are you worried that law enforcement would put always more efforts on takedown groups like yours? You saw some changes/reaction after Operation Cronos?
espe0n: nothing yet, just me taking care of myself is a good thing, I believe the hub owners know how to take care of themselves I hope. I don’t think they’re after simple operators, they’re probably targeting their coders. The feds are probably after the ransomhub programmers, not the affiliates yet.
Question: What are you and your team Ransomhub planning to do next in terms of operation?
espe0n: probably rest and wait for the dust to settle, or join another group when they fall. when they leave, we’ll probably switch groups, as many people did when blackcat left.
Question: Did you work with Blackcat as well?
espe0n: no, I just met friends who worked there.
Question: Let’s dive into some technical questions now. Usually what methods do you employ to gain access to networks or systems?
espe0n: mass exploit (recent exploits) and mass bruteforce on servers such as rdp/vpn.
Question: Can you detail on tools and methodologies you employ for credential harvesting or brute-force attacks?
espe0n: generally there are many tools for this I use one of my own that a friend developed to catch these accesses. via bruteforce. I usually use company-based dictionary attacks, leaks and so on.
Question: How do you assess the potential value or profitability of a compromised network before initiating access attempts?
espe0n: usually not, sometimes it’s all down to luck because with a mass exploit I see the revenue and profit after gaining access.
Question: Once access is obtained, what techniques do you use to maintain persistence within the target system?
espe0n: generally, c2.
espe0n: always c2
Question: So it’s like deploying rootkits to hide malware from detection tools or setting up backdoors?
espe0n: yes i use these things to hide besides the c2 agent, i use rootkits only on linux because on windows usually edrs can get it
Question: What measures do you implement to anonymize your activities and prevent attribution? How do you handle opsec while communication and conducting transactions?
espe0n: I always use mullvad and whonix, never type in your English because they might find out by the way you type, I always use translators. About transactions, xmr and then swap for bitcoin and then mix.
Question: Beyond selling access, do you engage in other activities such as data exfiltration or secondary exploitation?
espe0n: I always use rclone to do this, but in the future I intend to develop a tool to do this more quickly.
Question: What I meant is how do you exfiltrate? Exploiting a server and then access to a database or something.
espe0n: I do the exfiltration through the NAS (if they have one), I usually get their access password along the way of exploring the internal network.
Question: When a target initiates incident response procedures, what steps do you take to avoid detection or removal? Can you share examples of successful evasion tactics you’ve employed during active incident responses?
espe0n: I usually try to hide in places where they don’t touch it, like the shell on qnap servers because they usually only touch the web interface and not the shell, or the esxi/vcenter shell because they usually think we’re on a worker’s computer or something.
I’ve had a company shut down the entire sector because the edr beeped, but there was no edr on the NAS, so I was able to keep the company logged in for a long time, until it ended up locking down.
Question: An IR checks on everything right. Can you give some more examples? I mean NAS is just one specific scenario.
espe0n: another scenario would be to use other access credentials if the access is via vpn or rdp. stay on routers, small systems, or something like that.
Question: What kind of infrastructure (e.g., servers, proxies, VPNs) do you maintain to support your operations? And do you develop custom tools for your activities, or do you rely on publicly available or purchased malware and exploit kits?
espe0n: I usually buy a few, but most of them I develop or get publicly elsewhere, I keep a vps where my c2 is hosted.
Question: Which VPS do you prefer?
espe0n: i know a friend who tried bullet proof vps, which are private, great for hosting these things.
Question: Can you name some bulletproof hosting (BPH) you have used or are mostly used?
espe0n: nicevps and kyun
Question: Are you in contact with or are planning to collaborate with any other ransomware groups?
espe0n: i plan to work as a pentester/iab for other ransomware groups that’s why i accepted our conversation : )
Question: Based on your experience, how is security implemented within companies network? What should professionals focus on to improve their security posture?
espe0n: I think by setting more password policies, and adding more security measures like more powerful edrs and adding 2fa to everything possible
even knowing that with all this there are still ways to suffer attacks, I would say that this would take a long time to happen.
We appreciate your valuable time, espe0n.