Researchers at BlackBerry believe they have identified a new threat actor that acts as an initial access broker for a number of hacking groups, including two ransomware gangs and an attacker who does espionage.
In a report released Friday, BlackBerry said a threat actor it dubs Zebra2104 is the connection between the MountLocker and Phobos ransomware gangs and an espionage-related advanced persistent threat group called StrongPity.
The report joins other analyses that show how threat actors specialize in various parts of the cybersecurity attack chain. Initial access brokers break into organizations’ IT networks in a variety of ways, then sell that access to the highest bidder on underground forums. Prices range from $25 to thousands of dollars, depending on the perceived value of the target. It’s the winning bidder that actually launches the malware on the victim’s systems.
The story of BlackBerry’s discovery of Zebra2104 will be of interest to threat intelligence investigators; performing intelligence correlation can help researchers build a clearer picture of how seemingly disparate groups create partnerships and share resources, BlackBerry notes.
“If you take the behaviours we’ve seen [such as indicators of compromise] you can then realize those are related to a specific threat actor, so if you can protect yourself against the initial access broker … it lets you understand who you are being targeted by,” Jim Simpson, BlackBerry’s director of threat intelligence, said in an interview.
Stopping one initial access broker might stop a hundred attacks from advancing, added Eric Milam, BlackBerry’s vice-president of threat intelligence.
The search started with the investigation of a domain serving Cobalt Strike Beacons. Cobalt Strike is a legitimate tool used by penetration testers for simulating cyber attacks that is also being used by threat actors. That led researchers to other domains, and a mail server that was pushing out malware campaigns. Two of the domains were involved in phishing campaigns against targets in Australia.
Using publicly-available research — for example, from Cisco Systems, DFIR, a Microsoft blog, and a Sophos report that mentions indicators of compromise and suspicious domains, as well as a search on the Russian WHOIS internet registry for information about who is behind a domain — researchers found a trail of IP addresses that led to three of the threat actors, and infrastructure they seemingly shared.
What BlackBerry concluded, however, is that there was a fourth player, which it calls Zebra2104, which is either an initial access broker or provides infrastructure-as-a-service to threat groups.
BlackBerry said working like this proves the value of open-source intelligence to threat hunters.
It is only by the tracking, documenting and sharing of threat intelligence that the cyber security community can monitor and defend against threat groups, says the report. “If the bad guys work together,” it adds, “so should we.”