A team of researchers has revealed a striking overlap in the modus operandi of two ransomware groups and an APT group, all of which have been using the services of a common Initial Access Broker (IAB).
What was found?
The BlackBerry Research & Intelligence team revealed that Zebra2104 provides initial access to ransomware groups MountLocker and Phobos, as well as the StrongPity APT.
The broker has helped criminals break into the networks of multiple firms in Australia and Turkey.
Using access purchased from this broker, the StrongPity APT targeted Turkish businesses in the healthcare space as well as smaller companies.
The researchers first discovered a single unusual domain that was linked both to multiple ransomware attacks and to a C2 server associated with the APT group.
Further analysis revealed that the domain resolved to IP addresses within the same Bulgarian ASN (Neterra LTD), which was itself a compromised network.
How do IABs operate?
An IAB typically gains access to a victim's network by exploiting vulnerabilities, sending phishing emails, or through other means.
Once it holds working access credentials, the broker lists that access on underground forums, advertising its wares to potential buyers.
The price for access ranges from around $25 to several thousand dollars.
IAB prices are often based on the annual revenue of the victim organization.
Additionally, IABs often run a bidding system that lets the highest-paying adversary deploy malware of their choosing.
Conclusion
The research highlights how cybercrime is evolving into a real-world enterprise business, in which multiple otherwise unconnected ransomware groups and APTs rely on the services of a common IAB. Moreover, experts expect such collaborations to become more common in the near future.