Three separate threat groups are all using a common initial access broker (IAB) to enable their cyberattacks, according to researchers – a finding that has revealed a tangled web of related attack infrastructure underpinning disparate (and in some cases rival) malware campaigns.
The BlackBerry Research & Intelligence Team has found that the ransomware groups known as MountLocker and Phobos, as well as the StrongPity advanced persistent threat (APT), have all partnered with an IAB threat actor that BlackBerry has dubbed Zebra2104.
IABs compromise the networks of various organizations through exploitation, credential-stuffing, phishing or other means, then establish persistent backdoors to maintain access. Then, they sell that access to the highest bidder on various Dark Web forums. These “customers” will then use that access to carry out follow-on attacks, such as espionage campaigns, botnet infections or ransomware hits. According to BlackBerry, the price for such access ranges from as little as $25 to thousands of dollars to enter large corporations.
“This discovery presented a great opportunity for us to understand the attribution of IABs,” the firm noted in
a posting on Friday. “Performing intelligence correlation can help us build a clearer picture of how these disparate threat groups create partnerships and share resources to further enhance their nefarious goals.”
threatpost.com
