Back in October, Datto identified the threat actor through its routine dark web monitoring practices.
A collaboration between Datto and Huntress Labs targeted a cybercriminal attempting to sell information that could have led to cyberattacks on an MSP and its clients.
The FBI last month arrested that hacker, Marquavious D. Britt, an Augusta, Georgia, resident, for allegedly trying to sell information that would allow hackers to take over an MSP. Britt worked for the MSP until he was terminated for failure to complete tasks assigned to him.
The FBI isn’t commenting. According to the indictment filed in the U.S. District Court for the Northern District of Georgia, Atlanta Division, Britt was charged with one count of computer fraud and abuse and one count of access device fraud.
The MSP is based in Atlanta and provides IT support, mobile application development and software support to its clients.
According to the criminal complaint, Britt “intentionally access[ed] a computer, without authorization and exceeding authorization, and thereby obtained information and attempted to obtain information from a protected computer for the purposes of commercial advantage and private financial gain, with the value of the information obtained exceeding $5,000.”
Back in October, Datto identified a threat actor through its routine dark web monitoring practices. This cybercriminal, known by the Torum handle “w0zniak,” was seen selling access to an MSP’s VPS control panel on the dark web for $600 in bitcoin.
Kyle Hanslovan, Huntress Labs CEO and co-founder, tells us Datto and Huntress began collaborating last summer during a “bit of an epidemic” with MSPs having all of their clients ransomed at the same time.
“Where we collaborated ended up coming into fruition where it’s a bit of an informal group of vendors, several vendors within the channel as well as other security experts from MSPs themselves collaborating and sharing threat intelligence,” he said. “And the whole goal of it was we as a community are not going to let hackers steamroll us, we’re going to combat this as a team, and that was a very informal idea, and really this was the first time it crystallized in such a remarkable result.”
During its research, Datto discovered all kinds of places on the dark web where people are selling access to exploits and one of those things was “w0zniak” saying “I got into an MSP, they manage roughly 20 different small businesses and I’ll sell you credentials into their cloud management platform for $600,” Hanslovan said.
“That was a big departure from this kind of anonymous hacker,” he said. “You would think of the typical male in a hoodie hacking your network, but this was the first time we see a real-life person behind it, you get somebody communicating about this.”
The Datto team decided that they were going to share that with this threat intelligence sharing group called MSSP Information Security and Awareness (ISAC), Hanslovan said.
“When the Datto team notified the Huntress team that they found this, we decided as a group we were going to take it to the next level and that next level was Huntress actually social engineering that hacker, pretending to be another hacker saying, before we send you any money, they’ve got to give us screenshots showing details about the victim,” he said. “And from those details, we were able to pivot that IP address and the computer names, and we found out who several of the customers were and ultimately figured out who the MSP was without ever having to talk to the hacker again. That was pretty exciting for us, the idea of …