Nexus Zeta – From Suspicious Alerts to Conviction

Two years ago, we shared the interesting story of Nexus Zeta: How a newbie hacker managed to create a monster botnet. The attacker created an impressive attack chain that comprised of several stages, from leveraging a 0-day vulnerability (CVE-2017-17215) found in the UPnP (Universal Plug and Play) mechanism in Huawei HG532 Home Routers to creating a significant bot infrastructure used for DDoS attacks.

In that publication, we also revealed detailed information about the threat actor known as Nexus Zeta, based on relevant traces found in our analysis. Following our publication, Nexus Zeta was arrested and brought to trial. Last week, news of Nexus Zeta’s sentencing to 13 months in prison was massively covered by the media. This story provides yet another timely lesson on the importance of threat hunting helping to secure the cyber landscape.

Figure 1: Timeline of events.

An Operation of Multiple Layers

Our threat hunting analysis is composed of several layers and is based on various resources, including our sensors worldwide. We perform on-going operations to analyze the threat landscape, conduct deep-dive sessions on vulnerabilities and attacks, and develop multiple layers of security coverage to provide to our customers within a relevant timeframe.

Step 1: Identifying new threats by looking for anomalies in traffic

The first step in our research included analyzing traffic and security alert anomalies to find patterns of activity and attack methods. We detected massive traffic targeting the UPnP port used in Huawei routers, and managed to go deeper to understand the attack vector and its activity.

Figure 2: The widespread Nexus Zeta campaign.

Step 2: Analyzing the threat

The next step was unraveling the attack chain, from the initial infection chain to the botnet activity and capabilities. As attacks are becoming more and more sophisticated, the ability to trace every important phase is crucial. In our case, we analyzed the vulnerable flow of the router’s communication, and researched the downloaded payload and its communication with its C&C server.

Step 3: Understanding the global impact

The third step focused on evaluating the attack impact and mitigation methods. This kind of attack can have severe implications, such as hitting an organization’s infrastructure with a massive DDoS attack, resulting in the shutdown of critical operations and activities.

Step 4: Closing in on the threat actor

The fourth step was contextualizing the campaign to its threat actor. We were able to put together a picture of the attacks’ techniques and motivation, thereby enabling us to fill in the missing pieces of the puzzle. By thoroughly analyzing every piece of associated information, we managed to find a link from the C&C servers to Nexus Zeta’s mail. It turns out Nexus Zeta was an active member of Hack Forums. We discovered his avatar on the forum, and by reviewing his activity on Hack Forums and social media, we were able to discover a lot of information about the attacker’s motivation and activity.

From the sophistication of the campaign, we had expected to find a professional hacker’s team, or even advanced nation state perpetrators behind the attack. However, the reality was different, as the evidence instead disclosed a less professional actor, whose true identity was ultimately revealed by rival hackers two months later using information from our report.

Nexus Zeta turned out to be 20-year-old Kenneth Currin Schuchman from Vancouver, Washington. This was confirmed by Krebs and matched a comprehensive “dox” that someone published on Pastebin in Feb. 2018. The dox said Schuchman used the aliases Nexus Zeta and Caleb Wilson, and listed all of the email addresses tied to Nexus Zeta above, plus his financial data and physical address.

Figure 3: Nexus Zeta’s Twitter account.

Fighting Cyber Crime

Check Point Research provides information on leading cyber threat stories and insights to Check Point customers and the entire security community. We are strongly committed to helping protect against ever-increasing cyber threats to make the cyber landscape more secure. Revealing the details of malicious activity, from the technical perspective to threat actors behind it, is a relevant way of achieving our aims, as seen by the story of Nexus Zeta.