www.zdnet.com
URL: https://www.zdnet.com/article/blackberry-report-highlights-initial-access-broker-providing-entry-to-strongpity-apt-mou...
Submission: On November 14 via api from GB — Scanned from GB
BlackBerry report highlights initial access broker providing entry to StrongPity APT, MountLocker and Phobos ransomware gangs

Named "Zebra2104," the initial access broker helped out a variety of cybercriminal groups and nation-states attacking businesses in Turkey and Australia.

By Jonathan Greig | November 5, 2021 | Topic: Security

A new report from BlackBerry has uncovered an initial access broker called "Zebra2104" that has connections to three malicious cybercriminal groups, some of which are involved in ransomware and phishing.

The BlackBerry Research & Intelligence team found that Zebra2104 provided entry points to ransomware groups like MountLocker and Phobos as well as the StrongPity APT.

The access was provided to a number of companies in Australia and Turkey that had been compromised. The StrongPity APT targeted Turkish businesses in the healthcare space as well as smaller companies. BlackBerry said that from their research, they believe the access broker "has a lot of manpower or they've set up some large 'hidden in plain sight' traps across the internet."

The report said their investigation led them to believe that the MountLocker ransomware group had been working with StrongPity, an APT group dating back to 2012 that some alleged was a Turkish state-sponsored group.

(Image: Countries attacked by StrongPity. Credit: BlackBerry)

"While it might seem implausible for criminal groups to be sharing resources, we found these groups had a connection that is enabled by a fourth; a threat actor we have dubbed Zebra2104, which we believe to be an Initial Access Broker (IAB). There is undoubtedly a veritable cornucopia of threat groups working in cahoots, far beyond those mentioned in this blog," the researchers said, noting that they discovered the group while conducting research for a book about cyber threat intelligence.

"This single domain led us down a path where we would uncover multiple ransomware attacks, and an APT command-and-control (C2). The path also revealed what we believe to be the infrastructure of an IAB -- Zebra2104. IABs typically gain entry into a victim network then sell that access to the highest bidder on underground forums located in the dark web. Later, the winning bidder will deploy ransomware and/or other financially motivated malware within the victim's organization, depending on the objectives of their campaign."

Their research began in April 2021, when they discovered curious behavior from domains that were identified previously in a Microsoft report on servers that "had been serving malspam that resulted in varying ransomware payloads, such as Dridex, which we were able to corroborate."

A few of the domains had been involved in a phishing campaign that went after state government departments in Australia as well as real estate companies there in September 2020. With the help of other Microsoft reports, the researchers were able to trace the campaigns further to an indicator of compromise of a MountLocker intrusion.

"Sophos has supposed that the MountLocker group has links to, or has in fact become, the recently emerged AstroLocker group. This is because one of the group's ransomware binaries has been linked to a support site of AstroLocker. It's possible that this group is trying to shed any notoriety or baggage that it had garnered through its previous malicious activities," the report added after explaining a number of technical links between the two groups.

The BlackBerry Research & Intelligence team then used WHOIS registrant information and other data that led them to discover ties between the Phobos ransomware and MountLocker.

"This new information presented a bit of a conundrum. If MountLocker owned the infrastructure, then there would be a slim chance of another ransomware operator also working from it (although it has happened before). In several instances, a delay was observed between an initial compromise using Cobalt Strike and further ransomware being deployed. Based on these factors, we can infer that the infrastructure is not that of StrongPity, MountLocker, or Phobos, but of a fourth group that has facilitated the operations of the former three. This is either done by providing initial access, or by providing Infrastructure as a Service (IaaS)," the report said.

"An IAB performs the first step in the kill chain of many attacks; this is to say they gain access into a victims' network through exploitation, phishing, or other means. Once they have established a foothold (i.e., a reliable backdoor into the victim network) they then list their access in underground forums on the dark web, advertising their wares in the hopes of finding a prospective buyer. The price for access ranges from as little as $25, going up to thousands of dollars."

Many IABs base their price on the annual revenue that the victim organization generates, creating a bidding system that allows any group to deploy whatever they want.

(Image credit: BlackBerry)

"This can be anything from ransomware to infostealers, and everything in between. We believe that our three threat actors -- MountLocker, Phobos and StrongPity, in this instance -- sourced their access through these means," the BlackBerry Research & Intelligence team explained.

The report notes that the domains resolved to IPs that were provided by the same Bulgarian ASN, Neterra LTD. While they wondered whether the access broker was based in Bulgaria, they surmised that the company was simply being taken advantage of.

The researchers said the "interlinking web of malicious infrastructure" described throughout the report showed that cybercriminal groups mirrored the business world in that they are run like multinational enterprises.

"They create partnerships and alliances to help advance their nefarious goals. If anything, it is safe to assume that these 'business partnerships' are going to become even more prevalent in future," the researchers said. "To counter this, it is only via the tracking, documenting, and sharing of intelligence in relation to these groups (and many more) that the wider security community can monitor and defend against them. This cooperation will continue to further our collective understanding of how cybercriminals operate. If the bad guys work together, so should we!"