BlackBerry Uncovers Initial Access Broker Linked to 3 Distinct Hacker Groups

Cyber Security

Products You May Like

A previously undocumented initial access broker has been unmasked as providing entry points to three different threat actors for mounting intrusions that range from financially motivated ransomware attacks to phishing campaigns.

BlackBerry’s research and intelligence team dubbed the entity “Zebra2104,” with the group responsible for offering a means of a digital approach to ransomware syndicates such as MountLocker and Phobos, as well as the advanced persistent threat (APT) tracked under the moniker StrongPity (aka Promethium).

The threat landscape as we know it has been increasingly dominated by a category of players known as the initial access brokers (IABs), who are known to provide other cyber-criminal groups, including ransomware affiliates, with a foothold to an infinite pool of potential organizations belonging to diverse geographies and sectors via persistent backdoors into the victim networks, effectively building a pricing model for remote access.

Automatic GitHub Backups

“IABs typically first gain entry into a victim’s network, then sell that access to the highest bidder on underground forums located in the dark web,” BlackBerry researchers noted in a technical report published last week. “Later, the winning bidder will often deploy ransomware and/or other financially motivated malware within the victim’s organization, depending on the objectives of their campaign.”

An August 2021 analysis of more than 1,000 access listings advertised for sale by IABs in underground forums on the dark web found that the average cost of network access was $5,400 for the period July 2020 to June 2021, with the most valuable offers including domain admin privileges to enterprise systems.

Phishing Campaign

The Canadian cybersecurity company’s investigation began with a domain named “trashborting[.]com” that was found delivering Cobalt Strike Beacons, using it to link the broader infrastructure to a number of malspam campaigns that resulted in the delivery of ransomware payloads, some of which targeted Australian real estate companies and state government departments in September 2020.

Prevent Data Breaches

On top of that, “supercombinating[.]com,” another sister domain registered alongside trashborting[.]com, was discovered connected to malicious MountLocker and Phobos activity, even as the domain resolved to an IP address “91.92.109[.]174,” which, in turn, was also used to host a third domain “mentiononecommon[.]com” between April and November 2020 and put to use as a command-and-control server in a June 2020 campaign associated with StrongPity.

Phishing Campaign

The IAB’s overlaps and wide targeting has also led the researchers to believe that the operator “either has a lot of manpower or they’ve set up some large ‘hidden in plain sight’ traps across the internet,” enabling MountLocker, Phobos and StrongPity to source their access to targeted networks.

“The interlinking web of malicious infrastructure seen throughout this research has shown that, in a manner that mirrors the legitimate business world, cybercrime groups are in some cases run not unlike multinational organizations,” the researchers said. “They create partnerships and alliances to help advance their goals. If anything, it is safe to assume that these threat group ‘business partnerships’ are going to become even more prevalent in future.”

Products You May Like

Articles You May Like

iPhone 16 Pro, iPhone 16 Pro Max Tipped to Offer Up to 40W Fast Wired Charging
Honor Magic V3 With 120Hz OLED Display, Snapdragon 8 Gen 3 SoC Launched in China: Specifications, Price
iPhone 17 May Not Have a Thin Design as Apple Delays Plans to Use Space-Saving RCC Components: Report
Instagram Rolls Out Multi-Audio Track Support for Reels; Allows Users to Add Up to 20 Tracks
U.S. Seizes Domains Used by AI-Powered Russian Bot Farm for Disinformation

Leave a Reply

Your email address will not be published. Required fields are marked *