news interview

SecurityTrails Blog · Mar 26 · SecurityTrails team

No Incident Unnoticed: Interview with Troy Mursch from Bad Packets Report

In 2017 we saw the rise of cryptojacking and botnet activity. Even through 2018, it showed no signs of stopping. Notably, we saw plenty of unique cryptojacking campaigns that targeted vulnerable MikroTik routers and Drupal websites, as well as other types of botnets that were Mirai-like aberrations.

A few days ago we were hit with the news that Coinhive, a cryptomining service listed by many security companies as a top threat for Internet users, was shutting down. If you’ve been following this saga, chances are slim that you have not heard about Troy Mursch. He’s been closely following and reporting on cases of websites that have been hacked and injected with the Coinhive crypto mining code.

Bad Packets logo

Whether you’ve heard him talking about new cryptojacking campaigns, reporting on botnet trends or noticed some of his tweets on infosec incidents that he shares via the Bad Packets Report Twitter account, you probably recognize Troy Mursch as a prominent individual in the infosec community.


SecurityTrails: Let’s kick this off with a fun fact: you’ve been living in Vegas for some time now and last year was your first DEFCON! How come you’ve never attended before?

Troy Mursch: I was born in Fairbanks, Alaska and moved to Las Vegas in 2002 to attend UNLV [University of Nevada, Las Vegas]. After I graduated, I decided to stay and make my home here. Regarding DEFCON, I’m actually new to the infosec field. My background is largely in IT operations. I’ve worked for the corporate sector and for the University, which is more in the public sector, and with the skills and tools that I’ve used over the years, I was able to make a career change in early 2017 to pivot to the cybersecurity realm.

In 2017 I suffered an accident that, unfortunately, left me unable to use my right arm until I was able to have arthroscopic surgery to repair the damage. In that time, I knew I wasn’t able to go back to my former job. I was looking for a new opportunity and infosec fell into my lap with the research I was doing monitoring botnets and other types of network abuse. So DEFCON was a new adventure for me and it was my first time attending. It was a great experience since I was able to meet the people who inspire my work. It was also good to network with other security professionals who have been working in the industry for quite some time.


What did you study here at UNLV?

Troy: My BS degree was in management of information systems and it went hand-in-hand with my passion for anything related to information technology. I did take some cybersecurity courses, but at the time I didn’t really choose cybersecurity and infosec as a career.Again, there is a lot of crossover between the two. With the degree that I earned, I was able to work, as I mentioned, for large organizations in the corporate and public sector. My last position was actually at UNLV as an IT Operations Analyst, and from there I started my transition to the current position.


Troy Mursch

Bad Packets is a young company, and you also made the transition to infosec not long before that. Tell us, what is at the core of such quick success?

Troy: It’s no secret that a big tool in the core of our success is Splunk. At the basic level, it’s a log aggregation tool. But it’s actually much more than that once you are able to extract actionable information. Everybody has tons of data and logs but where is the value? You need to be able to, and as cliché as it sounds, find the needle in the haystack and extract the pertinent information.

At Bad Packets, we track emerging threats and in that regard we need to get that knowledge quickly, analyze it and then apply it. In the case of Cisco routers, we needed to quickly analyze what’s being targeted and determine the goal of this activity. In that specific case, we found that they were actually looking to steal information about the devices and compromise them so they can be used as a botnet. The tools we’ve built in tandem with Splunk have enabled us to really be at the forefront of finding these emerging threats.


What attracted you to malware analysis and working with network abuse in the first place? How did all of this start?

Troy: The first case that really piqued my interest was tracking Mirai-like botnets and the second was identifying bulletproof hosting providers. Our research on these topics has allowed us to build a long-lasting relationship with the academic research community and members of law enforcement. However, what really drove me down this path was a large breach of medical records I discovered after my injury in 2017. This exposed my own personal medical records, which was upsetting. Luckily, the issue was fixed within one business day after the incident was disclosed by Brian Krebs.


You’re often in a position to share your findings and reports with a wider audience, basically making the Internet a better place for everyone. What is the best thing about doing this with Bad Packets Report?

Troy: One of the best experiences I have is working with law enforcement. We are happy to share our findings with federal law enforcement and CERT teams around the world. What we like to see is action being taken. There are cases of “bulletproof” hosting providers that are in the business of not taking action. They allow their customers and clients to basically abuse their infrastructure for DDoS attacks, aggressive scanning, and they are not taking action against it.

When we discover a vulnerability that is obviously going to be or is already exploited, we like to see action. Back in December of last year we detected opportunistic scanning for very specific DSL routers that were used by nearly 20,000 devices, and these devices were leaking sensitive information. We discovered this on Christmas Eve, which is the time when this type of malicious activity is most prominent because they know it’s not going to be resolved until the next business day. So when we discovered this activity, we notified Orange’s [the provider whose devices were compromised] CERT team and within three days the majority of the devices were patched. In this case, it was awesome to see that the relevant party immediately took action to mitigate devices and patch them. We love to see service providers that are responsive and take appropriate action quickly.


What would you say is the biggest mistake somebody can make when starting their own company and becoming an entrepreneur?

Troy: The biggest mistake you can make when starting a company is thinking you can go it alone. The growth of Bad Packets LLC has only been possible with the help of my business partner Mat Woodyard. His knowledge and expertise has allowed us to rapidly scale our threat intelligence footprint on a global scale. The synergy we’ve generated by collaborating with established cybersecurity organizations also has been vital to our success.


Did you earn any certifications that have helped you in this role?

Troy: No, but I don’t want to speak for any side of the debate now in the industry about certifications, and them being a requirement. I agree with the side that thinks these certifications are important, but also with the other side, as I’m not eligible to get the CISSP being a newbie myself. If you don’t have those certifications, I don’t believe that should disqualify you for certain positions, and I would like to bring more people into the industry.

We shouldn’t put up this barrier for people who can’t fulfill these requirements. I do see the value and knowledge in taking these tests and getting the certifications, but I don’t want to see these certifications being set as a strict requirement.


You specialize in cryptojacking and botnets. What are some of the most interesting incidents you’ve reported on?

2018 Mirai-like malware infections

Troy: One case that I always like to reference is the one that started all of this.

Back in September 2017, I found that the official website of Showtime networks was pushing Coinhive onto its users. They never gave a statement about how it got there, but it was removed as soon as I published my findings. We always like to notify the “victim” that they have been compromised and that there is a malicious code on their site. Unfortunately we didn’t hear back from Showtime, but it was good to see that they resolved it.

Over the last two years we saw many crazy incidents of cryptojacking. One involved the website Politifact, a large website for fact-checking politicians. They were compromised and they put out a statement that their Amazon S3 bucket was compromised, but it was removed as soon as they found out.

Last year it was disclosed that Drupal websites, used by many government and educational institutions, had a critical vulnerability named Drupalgeddon 2. We saw mass exploit activity to exploit those Drupal websites. The websites of Lenovo, LA Times, a professional football team in Mexico, UCLA, the San Diego Zoo and even a U.S. federal government agency were compromised.


Las Vegas sign Las Vegas facts


Number of startups: 114
Number of security conferences 2019: 20
Popular security conferences:
· DEFCON — A true hacking party
· BlackHat USA — Corporate side of cybersecurity
· BSidesLV — Low-key version of BlackHat

OSINT is maturing and we’re seeing a lot of great tools emerging. What’s the most underrated OSINT project you came across?

Troy: My favorite OSINT tool right now is urlscan.io. This service has been invaluable for tracking cryptojacking campaigns, detecting Magecart infections, locating phishing sites and even scanning malware directly. I really like that they’ve integrated with numerous security vendors, making it even easier to quickly analyze the latest IoCs. They also provide the historical records of all the scans completed. This is very useful for establishing a timeline of events when you’re investigating an incident affecting multiple websites.


What are the main differences you’ve noticed between the Mirai-like botnets a few years back and where we are now?

Mirai-like detections in the last year

Troy: IoT devices, IP cameras, home routers and the like, all get compromised again and again. It’s not so much about the type of devices that are getting compromised, but rather how they’re used. That is also something that remains largely the same, but right now it’s becoming more geared towards conducting DDoS attacks—and that type of activity is, going back to the original Mirai, very damaging. It results in extended periods of downtime which can incur huge financial losses.

We’re also seeing a “new” type of activity for how these botnets are used, and that’s mining for cryptocurrency. Due to a decline in the price of cryptocurrencies, such as Bitcoin and Monero, that activity has actually started to decrease. These devices are also used as open proxies. Meaning, once hackers get hold of these devices, typically en masse since these exploits are done on hundreds of thousands of devices at a time, they resell the access to other cybercriminals. As we’ve seen in recent cases involving compromised MikroTik routers.


What can the industry expect from malware and cryptojacking evolution in the future?

Troy: I do see, hopefully, that in the next two years it won’t have this high level of activity. This is all driven by an incentive to engage in that type of behavior so, as we said, cryptocurrency saw a huge explosion towards the end of 2017 and early 2018. However, as I mentioned, the price has dropped dramatically since then, so I don’t see that trend coming back in the short term.

In the long term, cryptocurrency and blockchain technology is not going away, as there are good use cases for that type of technology. For example as a monetization method: I donate my CPU, and I would get some service such as Netflix in exchange. I can see some potential of that coming back, but in regards to what we saw in 2017 and 2018 and the high level of malicious activity related to cryptojacking, I don’t see it coming back in the short term.


Troy Mursch

We’ve just heard about Coinhive shutting down. What do you think this means for crypto mining/cryptojacking? Will anything change?

Troy: I think the biggest factor with Coinhive’s decision to go out of business, was the price of Monero dropping to very low levels along with every other cryptocurrency. In the “gold rush days” of cryptojacking, Monero peaked at around $400 and current prices are about $40 per Monero. There were legit and actually good examples of using Coinhive, like what we saw at UNICEF in Australia, where they set up a page where people could opt-in to the service to have their devices mine cryptocurrency for charity. But in practice, we found Coinhive’s services being abused by hackers over and over for malicious gain.

Due to the price of Monero falling, there was no longer any incentive to use their services, whether for good or bad reasons, and that, accompanied with Coinhive taking the largest cut compared to anyone in the industry (they took 30% of all the Monero being mined through their platform), led their users to look for other monetization methods.


Mirai-like botnets


Latest devices infected:
Smart TVs, Home Routers, IP Security Cameras, IoT/ICS Devices.

Total population of infections:
Around 100,000

How long does it take to infect a device with Mirai-like malware?
Less than 5 minutes

How large are the DDoS attacks caused by Mirai-like botnets?
In the past three months it has been 37.6 Gbps

What’s next for you and Bad Packets Report?

Troy: What’s next for us is releasing the commercial offering of our threat intelligence platform. We’ve been developing our network of automated honeypots to continuously scale our threat intelligence footprint. We’re almost at the point where we’re ready to open the doors and provide our data and services to a wider audience.


Right now you’re in the works of expanding your team and looking for new collaborations. What can people expect from this?

Troy: Yes, we’re always looking to grow our team and collaborate with other security researchers and cybersecurity organizations. In the academic realm, we’re currently working with Lancaster University in the UK. We also frequently share our data with law enforcement and government CERT teams around the world.

We’ve discovered when we share our data with these organizations it’s often reciprocal, meaning they share their data with us. When we collaborate and enrich each other’s threat intelligence data, that is when the real magic happens.

If you are interested in finding out the latest research on botnets, network abuse, and other information security topics — follow Bad Packets Report on Twitter or check out their website for a deeper dive into infosec incidents!


Stay tuned for new additions to our interview series with successful and prominent people from our industry and learn something new. Ortell us who you would like to see on our blog the next time around.

Check out our blog for more first-hand information from the infosec world and sign up for an account to tap into a treasure-trove of cyber security gold!