The new year is often a time for change and arrives laden with prognostications. Whether personal, professional or corporate, every new year brings the promise of evolution. Much of it will be a repeat of what we failed to learn and remember from the past, but some of it will be genuinely new.
For my first column of 2022, I want to shine a light on one such novel and evolving feature of the cybercriminal business model: the increasing use of large-scale Initial Access Brokers.
Back in November, the BlackBerry Research and Intelligence team identified an unusual connection between the activities of three distinct threat groups: MountLocker, Phobos and StrongPity. The discovery was intriguing not because of how similar these actors are, but because of how much they differ.
MountLocker's ransomware targets geographically diverse enterprise-sized companies, and the outfit often scales its attacks through niche verticals, with healthcare and life sciences being its two most recent targets. StrongPity, by contrast, carries out sophisticated advanced persistent threat (APT) operations generally associated with espionage campaigns, with its most recent activity seen in Turkey. Perhaps the most unexpected of the three is Phobos, whose ransomware targets small organizations en masse and is listed by the U.S. Treasury as one of the most prevalent in the U.S.
These threat groups do not share similar targets, and StrongPity does not even share the same intrusion tactic. So how was it that three such dramatically different criminal organizations turned out to be connected?
The disparate motives of the three groups led the research team to examine not what connects them, but who. That shift in focus led our team to a new threat actor, Zebra2104, which has been acting as an Initial Access Broker (IAB) for other criminal organizations.
Generally, an IAB performs the first offensive step in the attack chain: gaining a foothold in a victim's network through exploitation, phishing or other means. Once the IAB has established a reliable entry point, it advertises that access for sale on underground forums on the dark web. Prices range from as little as $25 to thousands of dollars; typically, the larger the compromised organization (or the larger the organization's partners), the higher the fee. After the sale, the buyer deploys its malware of choice, anything from ransomware to information stealers and everything in between.
The three threat actors mentioned above target victims that range widely in geography, industry and size. To have obtained access across such a spectrum of victims, the team concluded, Zebra2104 must either employ a sizable workforce or have successfully compromised a wide range of forums across the Internet.
Either way, Zebra2104 operates at a scale not commonly seen among IABs.
The notion that Zebra2104 may be the cyber-underground equivalent of a Fortune 500 company, providing services to other notable 'businesses', is as unsettling as it is plausible. It offers new insight into the current cybercrime landscape and shows how that landscape continues to evolve and present new challenges to the security community.
Perhaps the most significant takeaway from the research is that threat actors are connecting and sharing tools in ways that are both more menacing and more cost-effective. They are forming new partnerships and optimizing their resources to better meet their nefarious ends. That strengthens the case for us, as a security community, to improve how we coordinate, share and work together in our 2022 fight against the rising tide of cybercrime.
This means more than simply building the best cybersecurity and resiliency policies into your own business. It means continuously tracking, documenting and sharing intelligence across our community so that we can all stay one step ahead. As the cybercriminal community becomes more connected, we as security professionals must do the same.