Tuesday, January 25, 2022

How BlackBerry found an initial access broker supporting threat groups

Researchers at BlackBerry believe they have identified a new threat actor that acts as an initial access broker for a number of hacking groups, including two ransomware gangs and an attacker who does espionage.

In a report released Friday, BlackBerry said a threat actor it dubs Zebra2104 is the connection between the MountLocker and Phobos ransomware gangs and an espionage-related advanced persistent threat group called StrongPity.

The report joins other analyses that show how threat actors specialize in various parts of the cybersecurity attack chain. Initial access brokers break into organizations’ IT networks in a variety of ways, then sell that access to the highest bidder on underground forums. Prices range from $25 to thousands of dollars, depending on the perceived value of the target. It’s the winning bidder that actually launches the malware on the victim’s systems.

The story of BlackBerry’s discovery of Zebra2104 will be of interest to threat intelligence investigators; performing intelligence correlation can help researchers build a clearer picture of how seemingly disparate groups create partnerships and share resources, BlackBerry notes.

“If you take the behaviours we’ve seen [such as indicators of compromise] you can then realize those are related to a specific threat actor, so if you can protect yourself against the initial access broker … it lets you understand who you are being targeted by,” Jim Simpson, BlackBerry’s director of threat intelligence, said in an interview.

Stopping one initial access broker might stop a hundred attacks from advancing, added Eric Milam, BlackBerry’s vice-president of threat intelligence.

The search started with the investigation of a domain serving Cobalt Strike Beacons. Cobalt Strike is a legitimate tool used by penetration testers to simulate cyber attacks; it is also widely abused by threat actors. That domain led researchers to other domains and to a mail server that was pushing out malware campaigns. Two of the domains were involved in phishing campaigns against targets in Australia.

Using publicly available research — for example, from Cisco Systems, DFIR, a Microsoft blog, and a Sophos report that mentions indicators of compromise and suspicious domains, as well as a search of the Russian WHOIS internet registry for information about who is behind a domain — researchers found a trail of IP addresses that led to three of the threat actors, and to infrastructure they seemingly shared.

What BlackBerry concluded, however, is that there was a fourth player, which it calls Zebra2104, that is either an initial access broker or a provider of infrastructure-as-a-service to threat groups.
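The pivoting described above (domain to IP, IP to other actors, shared nodes as candidate broker infrastructure) can be expressed as a small overlap analysis. The following is an added illustration, not BlackBerry's code or data: actor names follow the article, but every indicator value is a constructed placeholder, and the resolution table is invented for the example.

```python
"""Infrastructure-overlap correlation: which indicators bridge otherwise
separate threat clusters, and so point at a shared supplier?"""
from collections import defaultdict
from itertools import combinations

# Constructed sample observations: (actor, indicator) pairs as an analyst
# might collect from public reports. Indicator values are placeholders.
OBSERVATIONS = [
    ("MountLocker", "mail-server-1"),
    ("MountLocker", "domain-a"),
    ("Phobos", "domain-b"),
    ("Phobos", "mail-server-1"),
    ("StrongPity", "domain-c"),
    ("StrongPity", "ip-1"),
    ("MountLocker", "ip-1"),
    ("Phobos", "ip-2"),
]

# Constructed domain -> IP resolutions (e.g. from passive DNS), used to
# pivot domain observations onto the hosting IP.
RESOLUTIONS = {"domain-a": "ip-2", "domain-b": "ip-3", "domain-c": "ip-3"}


def expand(observations, resolutions):
    """Add the resolved IP for each domain observation so pivots also match on IPs."""
    out = set(observations)
    for actor, indicator in observations:
        if indicator in resolutions:
            out.add((actor, resolutions[indicator]))
    return out


def shared_infrastructure(observations, resolutions):
    """Indicators used by two or more actors: candidate broker/IaaS infrastructure."""
    by_indicator = defaultdict(set)
    for actor, indicator in expand(observations, resolutions):
        by_indicator[indicator].add(actor)
    return {ind: actors for ind, actors in by_indicator.items() if len(actors) > 1}


def actor_links(observations, resolutions):
    """Pairs of actors connected by shared indicators, with the bridging indicators."""
    links = defaultdict(set)
    for indicator, actors in shared_infrastructure(observations, resolutions).items():
        for a, b in combinations(sorted(actors), 2):
            links[(a, b)].add(indicator)
    return dict(links)
```

On this sample, the mail server and three IPs surface as shared nodes, and every pair of actors is linked through at least one of them, which is the pattern that prompted BlackBerry to posit a fourth, shared supplier.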

BlackBerry said this kind of work demonstrates the value of open-source intelligence to threat hunters.

It is only by the tracking, documenting and sharing of threat intelligence that the cyber security community can monitor and defend against threat groups, says the report. “If the bad guys work together,” it adds, “so should we.”

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com