Zebra2104 Initial Access Broker

Researchers at BlackBerry believe they have identified a new threat actor that acts as an initial access broker for a number of hacking groups, including two ransomware gangs and an attacker who does espionage. Dubbed Zebra2104 is the connection between the MountLocker and Phobos ransomware gangs and an espionage related advanced persistent threat group called StrongPity.

Advertisements

It’s visualize how threat actors specialize in various parts of the cybersecurity attack chain. Initial access brokers break into organizations’ IT networks in a variety of ways, then sell that access to the highest bidder on underground forums. Prices range from $25 to thousands of dollars, depending on the perceived value of the target. It’s the winning bidder that actually launches the malware on the victim’s systems.

If you take the behaviours we’ve seen [such as indicators of compromise] you can then realize those are related to a specific threat actor, so if you can protect yourself against the initial access broker … it lets you understand who you are being targeted
Blackberry statement

The search started with the investigation of a domain serving Cobalt Strike Beacons. Cobalt Strike is a legitimate tool used by penetration testers for simulating cyber attacks that is also being used by threat actors. That led researchers to other domains, and a mail server that was pushing out malware campaigns. Two of the domains were involved in phishing campaigns against targets in Australia.

Using publicly available research like Cisco Systems, DFIR, a Microsoft blog, and a Sophos report that mentions indicators of compromise and suspicious domains, as well as a search on the Russian WHOIS internet registry for information about who is behind a domain researchers found a trail of IP addresses that led to three of the threat actors, and infrastructure they seemingly shared.