Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security

Google Discovers Threat Actor Working as an 'Initial Access Broker' for Conti Ransomware Hackers (techcrunch.com) 20

Google's Threat Analysis Group has observed a financially-motivated threat actor working as an intermediary for the Russian hackers, including the Conti ransomware gang. From a report: The group, which Google refers to as "Exotic Lily," acts as an initial access broker, finding vulnerable organizations and selling access to their networks to the highest bidder. By contracting out the initial access to a victim's network, ransomware gangs like Conti can focus on the execution phase of an attack. In the case of Exotic Lily, this initial access was gained through email campaigns, in which the group masqueraded as legitimate organizations and employees through the use of domain and identity spoofing. In the majority of cases, a spoofed domain was nearly identical to the real domain name of an existing organization, but changed the top-level domains to ".us," ".co" or ".biz." In order to appear as legitimate employees, Exotic Lily set up social media profiles and AI-generated images of human faces. The attackers, which Google believes are operating from Central or Eastern Europe due to the threat actors' working hours, would then send spear-phishing emails under the pretext of a business proposal, before ultimately uploading a payload to a public file-sharing service such as WeTransfer or Microsoft OneDrive.
This discussion has been archived. No new comments can be posted.

Google Discovers Threat Actor Working as an 'Initial Access Broker' for Conti Ransomware Hackers

Comments Filter:
  • Saying Threat Actors makes you look like an ignorant idiot pretending to know what you are talking about.

    The only time Threat Actors is appropriate, rather than criminals, is when they are terrorists or spies and not interested in stealing money. That is why government agencies use it, they deal with terrorists and spies.

    But this is about crime, not politics. So call them Criminals.

    • You're gonna look really stupid when it turns out they're actually also both terrorists and spies.

    • Threat actors is the appropriate terminology at this point.
      You don't know whether it's government agents, employees of a business, or a bunch of random people who operate largely independently for their own reasons and goals.

      If by chance they are in Russia, they probably aren't even criminals. A criminal is someone who violates the criminal laws instituted by the authorities of the jurisdiction where they live. It's entirely likely this group has the blessing of the relevant authorities.

      All we really know

      • by PPH ( 736903 )

        Threat actors is the appropriate terminology at this point.

        This.

        You don't know whether it's government agents,

        Nor do they in many cases. They cultivate contacts within target organizations that they can sell to whoever is willing to pay.

      • That is incorrect. They were expressly described as "financially motivated" middlemen.

        Financially motivated = criminals, not state actors, not activists, etc.

        If the only thing we know is they are financially motivated, call them what they are CRIMINALS.

        Anything else is jargon being used to convince morons the speaker is smarter than them.

        • > They were expressly described as "financially motivated" middlemen.
          > Financially motivated = criminals

          Most people who do things based on being financially motivated are called "employees". Most likely, you spend most of your day doing something because you're financially motivated to do it. Something called your "job".

          The definition of criminals is based on whether it's a crime where they live, it's based on whether the authorities in charge of their area have declared that hacking US companies is

    • by spun ( 1352 )

      https://home.sophos.com/en-us/... [sophos.com]

      Hmm, yes. Someone did end up looking pretty ignorant here.

      • I read that article and thought what a bunch of morons.

        These are the same idiots that thought using words like "Synergy", "Enterprise", "Core Competency", "Buy-in" etc. will suddenly make them sound competent.

        The article about MIDDLEMEN, making money. Middlemen making money are NEVER inside threats, nation states, etc.

        This is pure and simple Jargon. It has it's place when you are:

        1) Not yet certain what specific terms are appropriate,

        are

        2) Talking with other PROFESSIONALS, so you are totally clear

        If both

        • by spun ( 1352 )

          Why should your word mean anything? Are you published in the field? Got any links to your academic credentials?

          Your ignorance here is a match for your hubris. We live under a legal system. Criminal has a specific meaning in a legal system: someone CONVICTED of a crime. Even when caught in the act, someone is not a criminal until convicted.

          Threat actor is the accepted and most commonly used terminology in the field of computer security, used to refer to unknown actors who are, you guessed it, a threat to sec

    • Comment removed based on user account deletion
  • by kyoko21 ( 198413 )

    If you think about it, what they are doing is no different than what a lot of B2B do. Businesses these days specialize in their area expertise and outsource/contract out the work that is outside their wheel house. In this case, the end goal of all of this is to get some company to pay up. At least to these "gangs" they have broken down the vertical to assessment and attack/payout. You have one group that is clearly very good at finding out weaknesses of various organizations because they have specialized in

  • Who didn't know the buying and selling of accesses is often de-coupled from the actual data exfil/ransomware stages?

  • We used to call them career-criminals.

  • In an incident at the end 2019 we had an attack on one of our customers. During the incident we noticed that the style and quality of work abruptly changed about 3 weeks after the initial incursion. While the initial attacker was very stealthy and was using carefully crafted RAT tools, suddenly we saw well known malware popping up. Due to the shift in these patterns and based on external forensic analysis we concluded, that a "account" had been handed over from one criminal group to another.

    This conclusion

  • The Top Level Domains (TLDs) in the story seem diverse at first sight: .us, .co (Colombia's national ccTLD) and .biz. But there is a link: all are administered by GoDaddy Registry.

    It seems the criminals have identified a weakness in the brand protection and/or abuse prevention at that registry, and are busy exploiting it.

It isn't easy being the parent of a six-year-old. However, it's a pretty small price to pay for having somebody around the house who understands computers.

Working...