Sextortion: Follow the Money - The Final Chapter

Published: 2019-08-05
Last Updated: 2019-08-06 02:40:48 UTC
by Rick Wanner (Version: 2)

For the background on this diary please see the previous diaries on Sextortion: Follow the Money: Diary 1, Diary 2, Diary 3

Since the last update in the Sextortion series I have continued to track the bitcoin addresses reported to the ISC. Altogether 563 BTC addresses have been reported. 90 of those addresses received 497 payments totalling over $785,000 USD. That is an average payment of nearly $1600 USD at current Bitcoin prices. Over $530,000 USD of that value has been moved out of the tracked addresses, leaving about $250,000 USD still sitting in them.

I still believe that the addresses we are tracking are a very small percentage of the overall addresses used in the various sextortion campaigns, but even these addresses received, and moved out, a not insignificant amount of value.

As shown in Diary 3, at that point it was possible to track over $40 Million USD of payments being sent into Bitcoin mixers to have the payments laundered for extraction, and that was only a small amount of the value that was in the consolidation addresses. The rest had not moved out yet, leaving over $100 Million USD behind, presumably to be moved out later.

Unfortunately, shortly after that diary was published, the bad guys got more creative with the way they moved value out of the BTC wallets, breaking the tools I was using to find the consolidation wallets. It appeared as if they were consolidating the value in new addresses, fragmenting it again, reconsolidating, and so on, in order to make it far more difficult to follow where the value was going.


UPDATE 20190805: Please ignore the numbers below this update. I am being told that my methodology was faulty and that some of these BTC wallets are known valid. This clearly needs more investigation. Sorry!

Still, with some patience, I was able to track some of the BTC value to some consolidation wallets, and the dollar values are truly frightening. Keep in mind that I cannot attribute all of the value in these consolidation BTC addresses to the Sexploitation campaigns; all I can be sure of is that the money from some of the Sexploitation BTC addresses was moved into these addresses, so presumably it belongs to the same criminal enterprise that was running the Sexploitation campaigns. Also, the value is based on the current value of Bitcoin. With the volatility of Bitcoin, the actual value may have been more or less at the time the value was moved out. Some of these consolidation BTC addresses appear to still be in use; the values in them were changing as I was writing this diary.

Here are the top 5 consolidation BTC addresses by value that I could find:

Consolidation Address                   Total BTC           Total USD
39id1GfYff4x5r7UEALUjPYVQPGuMj5L1g         61.93172327         $683,881.05
3QR7FADzk6U227eJ3Ud1vxzmh4HNWpnbgp        140.1842615       $1,547,984.71
1DX3MvGTanzcTgnHw8SnorhgpQNHspSWTX        655.84167         $7,242,131.68
179KLpQM8Mse6MmG5gk6JTSokQohiGGrbh      6,437.50           $71,086,105.01
1NDyJtNTjmwk5xPNhjgAMu4HDHigtobu1s  6,229,301.73       $68,787,064,396.14

Like I said, a truly frightening number: almost $69 Billion USD! It is important to remember that these consolidation addresses are the ones I was able to find using only our very limited set of tracked Sexploitation BTC addresses; there are very likely many more consolidation addresses in use.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - - Twitter:namedeplume (Protected)


Scanning for BlueKeep vulnerable RDP instances

Published: 2019-08-05
Last Updated: 2019-08-06 00:29:20 UTC
by Rick Wanner (Version: 1)

Since the Microsoft Remote Desktop Protocol (RDP) vulnerability CVE-2019-0708, commonly known as BlueKeep, was first announced in May of 2019, the security industry has been holding its breath waiting for the worst-case scenario. Scanning for vulnerable RDP instances began almost immediately after the announcement. Since then a number of exploits for BlueKeep have been seen that can crash vulnerable systems, but the anticipated wormable exploit hasn't yet materialized.

Now that both Immunity's Canvas and Rapid7's Metasploit have working exploits in their penetration testing tools you have to believe that it is only a matter of time until the bad guys have one as well.

It would be nice to say that the number of systems running a vulnerable RDP instance has decreased since the vulnerability announcement, but for the IP space I have been tracking I have only seen a decrease of about 10% in vulnerable systems over the last 90 days.

If you are a security administrator and want to find the BlueKeep vulnerable systems on your network, how would you go about it? For the BlueKeep vulnerability it is relatively easy. With access to a *nix box with the high speed scanner masscan and the rdpscan tool installed, along with their dependencies, it is a very easy bash script.

I called this bash script


#!/bin/bash
# Create a date parameter for the various files so scans run on different dates don't overwrite each other.
TDATE=`date +%Y%m%d`
# Put the IPs or IP ranges you would like to scan in scan_ips.txt;
# this will be used as the input to masscan.
# The output file is rdpips-<DATE>.txt
echo "executing masscan"
/usr/bin/masscan -p3389 -v -iL scan_ips.txt > rdpips-$TDATE.txt
# The output from the masscan will be used as the input to rdpscan.
# The output file will be RDP_results-<DATE>.txt
echo "executing rdpscan"
rdpscan --file rdpips-$TDATE.txt > RDP_results-$TDATE.txt


As the comments state, place your IP addresses or ranges to be scanned in the file scan_ips.txt.  This will be used as the input file for this script.  The output will be two files:

* The masscan output file will be rdpips-<DATE>.txt, all IPs found with RDP open on port 3389
* the rdpscan output file will be RDP_results-<DATE>.txt, the rdpscan result showing each detected RDP instance and whether or not rdpscan believes they are vulnerable to BlueKeep

Checking the rdpscan output in RDP_results-<DATE>.txt you will generally find one of 3 results:

* SAFE - Target appears patched
* VULNERABLE - got appid

There is also an UNKNOWN result, which is usually one of:

* UNKNOWN - RDP protocol error - receive timeout
* UNKNOWN - no connection - connection closed (RST)

Concentrate on resolving the VULNERABLE results and you will sleep much better when the wormable exploit finally hits.
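To turn RDP_results-<DATE>.txt into a prioritised list rather than reading it by eye, here is an added example that is not part of the diary and not code from the rdpscan project. It counts each rdpscan status and pulls out the VULNERABLE hosts for remediation and the UNKNOWN hosts for a rescan. It assumes the "<ip> - <STATUS> - <reason>" line format rdpscan writes; the six result lines are constructed sample data and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the diary or rdpscan): triage an rdpscan result file.
# Assumes each line looks like "<ip> - <STATUS> - <reason>" (rdpscan's format).

# Constructed sample results standing in for RDP_results-<DATE>.txt.
SAMPLE_RESULTS="$(mktemp)"
trap 'rm -f "$SAMPLE_RESULTS"' EXIT
cat > "$SAMPLE_RESULTS" <<'EOF'
192.0.2.10 - SAFE - Target appears patched
192.0.2.11 - VULNERABLE - got appid
192.0.2.12 - UNKNOWN - RDP protocol error - receive timeout
192.0.2.13 - SAFE - CredSSP/NLA required
192.0.2.14 - VULNERABLE - got appid
192.0.2.15 - UNKNOWN - no connection - connection closed (RST)
EOF

# count_status FILE STATUS -> number of hosts rdpscan reported with STATUS.
# The " - " separator splits the line into ip / status / reason fields.
count_status() {
    awk -F' - ' -v s="$2" '$2 == s { n++ } END { print n+0 }' "$1"
}

# vulnerable_hosts FILE -> one IP per line for every VULNERABLE result,
# de-duplicated; this is the patch-now list.
vulnerable_hosts() {
    awk -F' - ' '$2 == "VULNERABLE" { print $1 }' "$1" | sort -u
}

# unknown_hosts FILE -> IPs whose status could not be determined; feed these
# back into rdpscan later since a timeout is not evidence of a patch.
unknown_hosts() {
    awk -F' - ' '$2 == "UNKNOWN" { print $1 }' "$1" | sort -u
}

# summary FILE -> single line "safe=N vulnerable=N unknown=N".
summary() {
    printf 'safe=%s vulnerable=%s unknown=%s\n' \
        "$(count_status "$1" SAFE)" \
        "$(count_status "$1" VULNERABLE)" \
        "$(count_status "$1" UNKNOWN)"
}

# Usage: replace "$SAMPLE_RESULTS" with RDP_results-<DATE>.txt from the script above.
summary "$SAMPLE_RESULTS"
echo "Remediate first:"
vulnerable_hosts "$SAMPLE_RESULTS"
echo "Rescan later:"
unknown_hosts "$SAMPLE_RESULTS"
```

Hosts counted as UNKNOWN are kept separate on purpose: rdpscan could not reach or negotiate with them, so they are neither confirmed patched nor confirmed safe to ignore.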

