Jonathan Greig
| November 5, 2021
| Topic: Security
A new report from BlackBerry has uncovered an initial access broker (IAB) it calls “Zebra2104” that has connections to three cybercriminal groups, some of which are involved in ransomware and phishing.
BlackBerry's research began in April 2021, when the team noticed curious behavior from domains that had previously been identified in a Microsoft report on servers that “had been serving malspam that resulted in varying ransomware payloads, such as Dridex, which we were able to corroborate.”
A few of the domains had been involved in a phishing campaign that went after state government departments in Australia as well as real estate companies there in September 2020. With the help of other Microsoft reports, the researchers were able to trace the campaigns further to an indicator of compromise of a MountLocker intrusion.
“Sophos has supposed that the MountLocker group has links to, or has in fact become, the recently emerged AstroLocker group. This is because one of the group’s ransomware binaries has been linked to a support site of AstroLocker. It’s possible that this group is trying to shed any notoriety or baggage that it had garnered through its previous malicious activities,” the report added after explaining a number of technical links between the two groups.
The BlackBerry Research & Intelligence team then used WHOIS registrant information and other data that led them to discover ties between the Phobos ransomware and MountLocker.
“This new information presented a bit of a conundrum. If MountLocker owned the infrastructure, then there would be a slim chance of another ransomware operator also working from it (although it has happened before). In several instances, a delay was observed between an initial compromise using Cobalt Strike and further ransomware being deployed. Based on these factors, we can infer that the infrastructure is not that of StrongPity, MountLocker, or Phobos, but of a fourth group that has facilitated the operations of the former three. This is either done by providing initial access, or by providing Infrastructure as a Service (IaaS),” the report said.
“An IAB performs the first step in the kill chain of many attacks; this is to say they gain access into a victims’ network through exploitation, phishing, or other means. Once they have established a foothold (i.e., a reliable backdoor into the victim network) they then list their access in underground forums on the dark web, advertising their wares in the hopes of finding a prospective buyer. The price for access ranges from as little as $25, going up to thousands of dollars.”
Many IABs base their price on the annual revenue that the victim organization generates, creating a bidding system that allows any group to deploy whatever they want.
“This can be anything from ransomware to infostealers, and everything in between. We believe that our three threat actors (MountLocker, Phobos and StrongPity, in this instance) sourced their access through these means,” the BlackBerry Research & Intelligence team explained.
The report notes that the domains resolved to IPs provided by the same Bulgarian ASN, Neterra LTD. While the researchers considered whether the access broker was based in Bulgaria, they surmised that the hosting provider was simply being taken advantage of.
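The pivots described above (shared WHOIS registrant data, domains resolving to the same IPs, and a common hosting ASN) are the standard way infrastructure gets clustered into a single operator. The script below is an added example, not code from the BlackBerry report, and every domain, e-mail address, IP and ASN in it is a constructed placeholder rather than a real indicator. It links domains through the chosen pivot fields with a union-find and then reports which values each cluster actually shares, so an analyst can see why two domains ended up together. Registrant and IP are treated as strong pivots; the ASN is left optional, because a large hosting provider, as the article notes for Neterra, will host unrelated customers and pivoting on it alone over-merges.

```python
"""Infrastructure clustering over constructed threat-intel records.

Added example, not part of the original article or report. All values
below are placeholders (RFC 5737 addresses, .example / .invalid names,
private-use ASNs) and are not real indicators.
"""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Sequence, Tuple

# Constructed records: (domain, registrant_email, resolved_ip, asn)
RECORDS: List[Tuple[str, str, str, str]] = [
    ("malspam-a.example", "reg1@mail.invalid", "203.0.113.10", "AS64500"),
    ("phish-b.example",   "reg1@mail.invalid", "203.0.113.11", "AS64500"),
    ("lure-c.example",    "reg2@mail.invalid", "203.0.113.11", "AS64500"),
    ("c2-d.example",      "reg3@mail.invalid", "198.51.100.7", "AS64501"),
    ("c2-e.example",      "reg3@mail.invalid", "198.51.100.8", "AS64501"),
    ("lone-f.example",    "reg4@mail.invalid", "192.0.2.50",   "AS64500"),
]

# Column index of each pivot field in a record.
FIELD_INDEX = {"registrant": 1, "ip": 2, "asn": 3}


def _find(parent: Dict[str, str], x: str) -> str:
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def _union(parent: Dict[str, str], a: str, b: str) -> None:
    ra, rb = _find(parent, a), _find(parent, b)
    if ra != rb:
        parent[rb] = ra


def cluster_domains(
    records: Sequence[Tuple[str, str, str, str]],
    pivots: Sequence[str] = ("registrant", "ip"),
) -> List[FrozenSet[str]]:
    """Group domains that share a value in any of the given pivot fields.

    Links are transitive: if A shares a registrant with B and B shares an
    IP with C, all three land in one cluster. Clusters are returned sorted
    by their alphabetically first domain so output is deterministic.
    """
    parent = {r[0]: r[0] for r in records}
    for pivot in pivots:
        idx = FIELD_INDEX[pivot]
        by_value: Dict[str, List[str]] = defaultdict(list)
        for r in records:
            by_value[r[idx]].append(r[0])
        for domains in by_value.values():
            for d in domains[1:]:
                _union(parent, domains[0], d)
    groups: Dict[str, set] = defaultdict(set)
    for d in parent:
        groups[_find(parent, d)].add(d)
    return sorted((frozenset(g) for g in groups.values()), key=lambda g: min(g))


def explain_cluster(
    cluster: FrozenSet[str], records: Sequence[Tuple[str, str, str, str]]
) -> Dict[str, List[str]]:
    """For each pivot field, list values shared by at least two cluster members."""
    shared: Dict[str, List[str]] = {}
    for name, idx in FIELD_INDEX.items():
        counts: Dict[str, int] = defaultdict(int)
        for r in records:
            if r[0] in cluster:
                counts[r[idx]] += 1
        shared[name] = sorted(v for v, n in counts.items() if n >= 2)
    return shared


if __name__ == "__main__":
    for label, pivots in (("strong pivots", ("registrant", "ip")),
                          ("strong + ASN", ("registrant", "ip", "asn"))):
        print(f"== {label} ==")
        for c in cluster_domains(RECORDS, pivots):
            print(sorted(c), explain_cluster(c, RECORDS))
```

Run with strong pivots only, the six constructed domains fall into three clusters; adding the ASN pivot pulls the unrelated `lone-f.example` into the first cluster purely because it sits in the same AS, which is exactly the over-attribution the article's Neterra observation warns about.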
The researchers said the “interlinking web of malicious infrastructure” described throughout the report showed that cybercriminal groups mirror the business world in that they are run like multinational enterprises.
“They create partnerships and alliances to help advance their nefarious goals. If anything, it is safe to assume that these ‘business partnerships’ are going to become even more prevalent in future,” the researchers said.
“To counter this, it is only via the tracking, documenting, and sharing of intelligence in relation to these groups (and many more) that the wider security community can monitor and defend against them. This cooperation will continue to further our collective understanding of how cybercriminals operate. If the bad guys work together, so should we!”