Sunday, September 25, 2022

How BlackBerry found an initial access broker supporting threat groups

Researchers at BlackBerry believe they have identified a new threat actor that acts as an initial access broker for several threat groups, including two ransomware gangs and an espionage-focused actor.

In a report released Friday, BlackBerry said a threat actor it dubs Zebra2104 is the connection between the MountLocker and Phobos ransomware gangs and an espionage-related advanced persistent threat group called StrongPity.

The report joins other analyses that show how threat actors specialize in various parts of the cybersecurity attack chain. Initial access brokers break into organizations’ IT networks in a variety of ways, then sell that access to the highest bidder on underground forums. Prices range from $25 to thousands of dollars, depending on the perceived value of the target. It’s the winning bidder that actually launches the malware on the victim’s systems.

The story of BlackBerry’s discovery of Zebra2104 will be of interest to threat intelligence investigators; performing intelligence correlation can help researchers build a clearer picture of how seemingly disparate groups create partnerships and share resources, BlackBerry notes.

“If you take the behaviours we’ve seen [such as indicators of compromise] you can then realize those are related to a specific threat actor, so if you can protect yourself against the initial access broker … it lets you understand who you are being targeted by,” Jim Simpson, BlackBerry’s director of threat intelligence, said in an interview.

Stopping one initial access broker might stop a hundred attacks from advancing, added Eric Milam, BlackBerry’s vice-president of threat intelligence.

The search started with the investigation of a domain serving Cobalt Strike Beacons. Cobalt Strike is a commercial adversary-simulation tool used by penetration testers that is also widely abused by threat actors; Beacon is its post-exploitation implant. That domain led researchers to other domains, and to a mail server that was pushing out malware campaigns. Two of the domains were involved in phishing campaigns against targets in Australia.

Using publicly available research (reports from Cisco Systems, DFIR, a Microsoft blog and a Sophos report that listed indicators of compromise and suspicious domains), together with lookups against a Russian WHOIS registry to learn who was behind a domain, the researchers followed a trail of IP addresses that led to three threat actors and to infrastructure they appeared to share.

BlackBerry concluded, however, that there was a fourth player, which it calls Zebra2104, that is either an initial access broker or provides infrastructure-as-a-service to the three groups.
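The pivoting described above (domain to hosting IP, domain to registrant, and back out to other groups' indicators) is mechanical enough to script. The following is an added example, not code from the BlackBerry report: it builds a small indicator graph from constructed observations (reserved example.invalid names and RFC 5737 addresses, not real IOCs), finds the infrastructure nodes reachable from more than one threat group, and merges groups that overlap into clusters. The group names and relation labels are assumptions chosen for the example.

```python
"""Infrastructure pivoting over a constructed indicator graph.

Added example; not code from BlackBerry or the report it describes.
All indicators below are constructed (RFC 2606 / RFC 5737 reserved values).
"""
from collections import defaultdict

# (source, relation, target): group -> domain, domain -> IP, domain -> registrant.
# Every value here is constructed for the example.
EDGES = [
    ("GroupA", "uses", "beacon-a.example.invalid"),
    ("beacon-a.example.invalid", "resolves_to", "192.0.2.10"),
    ("GroupB", "uses", "mail-b.example.invalid"),
    ("mail-b.example.invalid", "resolves_to", "192.0.2.10"),      # shared IP
    ("mail-b.example.invalid", "registered_by", "reg-1@example.invalid"),
    ("GroupC", "uses", "phish-c.example.invalid"),
    ("phish-c.example.invalid", "registered_by", "reg-1@example.invalid"),  # shared registrant
    ("GroupD", "uses", "lone-d.example.invalid"),
    ("lone-d.example.invalid", "resolves_to", "198.51.100.7"),
]
GROUPS = {"GroupA", "GroupB", "GroupC", "GroupD"}


def build_graph(edges):
    """Undirected adjacency map; pivots run in both directions."""
    adj = defaultdict(set)
    for src, _relation, dst in edges:
        adj[src].add(dst)
        adj[dst].add(src)
    return adj


def reachable(adj, start, groups, max_hops):
    """Infrastructure nodes within max_hops of a group.

    Other group nodes are recorded but never expanded, so a pivot cannot
    run through another group's attribution and inherit its whole estate.
    """
    seen = {start}
    frontier = [start]
    for _ in range(max_hops):
        nxt = []
        for node in frontier:
            for neighbour in adj[node]:
                if neighbour not in seen:
                    seen.add(neighbour)
                    if neighbour not in groups:
                        nxt.append(neighbour)
        frontier = nxt
    seen.discard(start)
    return seen - groups


def shared_infrastructure(edges, groups, max_hops=2):
    """Map each node reachable from two or more groups to those groups.

    With max_hops=2 a group reaches its domains and their IPs/registrants;
    raise it to pivot further, at the cost of more false links through
    bulk hosting. Exclude known shared hosting/CDN nodes before trusting
    a link.
    """
    adj = build_graph(edges)
    owners = defaultdict(set)
    for group in groups:
        for node in reachable(adj, group, groups, max_hops):
            owners[node].add(group)
    return {node: frozenset(gs) for node, gs in owners.items() if len(gs) >= 2}


def clusters(edges, groups, max_hops=2):
    """Union groups that share infrastructure; returns sorted clusters."""
    parent = {g: g for g in groups}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for linked in shared_infrastructure(edges, groups, max_hops).values():
        ordered = sorted(linked)
        for a, b in zip(ordered, ordered[1:]):
            parent[find(a)] = find(b)
    members = defaultdict(set)
    for g in groups:
        members[find(g)].add(g)
    return sorted(sorted(c) for c in members.values())


if __name__ == "__main__":
    for node, gs in sorted(shared_infrastructure(EDGES, GROUPS).items()):
        print(f"shared node {node}: {sorted(gs)}")
    print("clusters:", clusters(EDGES, GROUPS))
```

On the constructed data the shared IP ties GroupA to GroupB and the shared registrant ties GroupB to GroupC, so three groups collapse into one cluster while GroupD stays alone. The caveat a practitioner should keep in mind is the one the functions' docstrings note: a hosting IP or registrar privacy address shared by many unrelated customers produces the same pattern as a broker, so high fan-in nodes need to be excluded or verified before the link is treated as attribution.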

BlackBerry said that working this way demonstrates the value of open-source intelligence to threat hunters.

It is only by the tracking, documenting and sharing of threat intelligence that the cyber security community can monitor and defend against threat groups, says the report. “If the bad guys work together,” it adds, “so should we.”
