A former employee of an Atlanta-based managed service provider (MSP) was arrested in an FBI sting last month for trying to sell access to the company’s cloud servers, according to federal court documents.
Marquavious D. Britt, who worked at the MSP as a server support technician for only seven weeks starting on May 6, 2019, allegedly posted on Torum, a dark web forum, under the handle w0zniak that he had access to his employer’s virtual private servers for sale. His asking price was $600, payable in bitcoin.
The MSP is identified only as Victim-1 in the criminal complaint filed on January 16, 2020. However, a media outlet has identified Victim-1 as Chimera Technologies.
Meanwhile, ConnectWise, Datto and Huntress Labs, each of which provide software to support MSPs, collaborated to locate the MSP after finding Britt’s Torum post. Datto first alerted channel security researchers in late October 2019 to w0zniak’s post through its automated dark web monitoring.
Related - Updated February 18, 2020: Huntress Labs raises $18 million from venture capital firm for MDR push.
MSP Access for Sale: The Background
Chimera, which provides IT support, mobile application development, website development, and software support to its clients, had contracted with Vultr Cloud for cloud storage. According to the FBI affidavit, only one Chimera employee had admin access to the Vultr Cloud panel. However, Chimera was not aware that a second admin account had been opened under Britt’s email on or about May 14, 2019.
In his online post, Britt allegedly wrote that he had “admin access to the hosting panel passwords for each client.” Chimera’s client list includes companies in the legal, accounting, food and pharmaceutical industries. A confidential FBI source responded to the post as a potential buyer and a deal was made for $450 in bitcoin for access to the compromised server.
After the sale, the FBI reviewed the stolen admin account and confirmed that it was Chimera’s. In addition, Coinbase confirmed in response to a subpoena that the wallet provided to the FBI source by w0zniak was registered to Britt. And, Chase Bank provided documents, also under subpoena, that showed a funds transfer from Britt’s PayPal to his bank account in October for approximately the sale amount.
MSP Access for Sale: The Charges
Britt has been charged with two separate counts of computer fraud and released on $15,000 unsecured bond, accused of “intentionally accessing a computer without authorization and exceeding authorization and thereby obtaining information and attempting to obtain information from a protected computer for the purpose of commercial advantage and private financial gain with the value of the information obtained exceeding $5,000.”
An FBI affidavit supporting the complaint was submitted by Jared Sikorski, a special agent specializing in cybersecurity. Documents were filed in U.S. District Court, Northern District of Georgia.