An initial access broker, working on behalf of the Conti ransomware group (among others), has been targeting hundreds of organizations every day, leveraging a flaw in MSHTML, a proprietary browser engine for Windows, Google’s researchers are saying.
Google’s Threat Analysis Group found a group dubbed “Exotic Lily” working as an initial access broker – breaching target networks, before selling the acquired access to the highest bidder.
Ransomware operators often outsource the initial access efforts, in order to focus entirely on the distribution of the ransomware itself, and the subsequent push towards ransom payment.
Fake LinkedIn scam
Exotic Lily was relatively advanced in its tactics, and uses “unusual” amounts of gruntwork, for a mass-scale operation, Google claims.
The group would use domain and identity spoofing to pose as a legitimate business, and send out phishing emails, usually faking a business proposal. They would also use publicly available Artificial Intelligence (AI) tools to generate authentic images of humans, to create fake LinkedIn accounts, which would help the campaign’s credibility.
After initial contact has been made, the threat actor would upload malware to a public file-sharing service, such as WeTransfer, to avoid detection by antivirus programs, and increase the chances of delivery to the target endpoint. The malware, usually a weaponized document, exploits a zero-day in Microsoft’s MSHTML browser engine, tracked as CVE-2021-40444. The second-stage deployment usually carried the BazarLoader.
Google’s researchers believe the group stands alone, and works for the higher bidder. So far, it’s been linked to Conti, Diavol, a swell as Wizard Spider (an alleged operator for the Ryuk ransomware).
Exotic Lily was first spotted in September last year, and at peak performance, is able to send out more than 5,000 phishing emails to more than 650 organizations, Google claims. It seems the threat actor focuses mostly on firms in IT, cybersecurity, and healthcare, although it’s been casting a somewhat larger net, as of lately.
Via: TechCrunch
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba