An Incidental Encounter with a Threat Actor

As a healthy exercise in reconnaissance and utilizing an OSINT methodology, I found my guy, or entity, or account behind a shady email and penetration testing proposal. As a penetration tester, 100% is the number that we shoot for when delivering our results to a client but in this case I’m only 99.9% sure that I’ve found the perp who is responsible in this scenario. The entity claims to be a “Noob Security Engineer” according to the bio attached to it’s Twitter account, an application security tester according to articles posted on it’s Medium account and as sure as poo-poo stinks, an “application security engineer” for the domain it represented in the email according to it’s profile on LinkedIn. In fact, I am so confident that this is the threat actor behind the email that I’d be willing to write up a report and submit it to the proper authorities, knowing all the while that if the deliverables presented in my report are wrong, that my report could end up being an RPE.

Now I’m definitely not sure if “RPE” is official industry jargon but I learned it in the NOC center from a senior engineer who was my supervisor at the time. If it’s not official, I’ll tell you here that it stands for Resume Producing Event. Meaning, if I’m incorrect about the deliverables of my reconnaissance then my entire reputation as a penetration tester, slash (/) aspiring Red Teamer, will be just as suspect as the entity who sent the shady pen test proposal. I’ll first start with context to better establish how this encounter occurred and more importantly, why the entity is being labeled as a threat actor in this scenario.

Hey, #infosec #red team #pentest Fam…

Please tell me I’m not wrong at all for feeling sus about this??

I could be overthinking this but it reeks of “better have a get-out-of-jail” free card before even running whois 🤣🤣🤣(intentionally being extra sarcastic about whois btw) pic.twitter.com/L1stLRiMJD

— Quintius Walker (@The_StarHack3r) January 14, 2022

In a nutshell, I’d reached out to an entity who was representing a company accepting applications for app sec and penetration testing internships. The entity replied and stated that I had not been selected for the internship, however, to showcase my skills I would be granted an opportunity to perform a penetration test on the company’s domain and additionally “all” of its subdomains. Furthermore, if I agreed to the engagement then I would have approximately 24 hours to perform the penetration test and reply back in an email with my report. I recognized this activity to be abnormal and I shared this with the InfoSec community Twitter to ask if this request also struck them as unusual.

Meaning, if I’m incorrect about the deliverables of my reconnaissance then my entire reputation as a penetration tester, slash (/) aspiring Red Teamer, will be just as suspect as the entity who sent the shady pen test proposal.

At this point it should be clear why the entity is being labeled as a threat actor. To make matters even worse, this is an “internal” threat actor. This is an entity representing a company and sending out shady penetration testing proposals to random people on the internet. An act of such magnitude that here in America, considering the circumstances, would more than likely constitute an RPE for this poor decision making employee.

From a penetration testing perspective, there are processes and methodologies that must be followed before any engagement can be conducted. Any deviation can bring about very disastrous results for both the tester carrying out the engagement and the client. Rule number one is to never perform penetration testing activities on assets that you have not been granted express permission to by an authorizing party. And no testing shall begin until the terms have been put into writing, signed, and agreed to. In our profession this is commonly referred to as your “get out of jail free card“.

Here’s an excellent video done by Meghan Jacquot where she shines additional light on the issue and covers Job Seeker Scams in general and things that InfoSec candidates should watch for.

Also here’s a quick message from Ochaun Marshall who is a Dev and Security Consultant with Secure Ideas sharing some InfoSec wisdom on the subject.

I hope this article has been a source of enlightenment to you on your info/cybersec journey. Until next time…Hack On, Ladz and Gentz!

I think this thread warrants a video. Let me share with you some #infosec wisdom.

Don’t pentest without the scope being predefined first.

No engagement is worth picking up a charge. https://t.co/4T9yKxHEjn pic.twitter.com/WpC5rPJOKK

— Ochaun Marshall only gets his life together in Jan (@OchaunM) January 16, 2022