Zebra2104 Broker Shares Ransomware Resources

A newly discovered initial access broker (IAB), dubbed Zebra2104, has been enabling threat actors to share the resources of powerful ransomware groups StrongPity, Phobos and MountLocker and pose even greater danger to vulnerable companies.

“While it might seem implausible for criminal groups to be sharing resources, we found these groups had a connection that is enabled by a fourth; a threat actor we have dubbed Zebra2104,” the BlackBerry Research & Intelligence team wrote in a blog post. “There is undoubtedly a veritable cornucopia of threat groups working in cahoots, far beyond those mentioned in this blog.”

BlackBerry researchers describe an “interlinking web of malicious infrastructure” that they say “mirrors the legitimate business world, cybercrime groups are in some cases run not unlike multinational organizations.”

The bad actors build partnerships and alliances, as businesses do, to advance their goals. “If anything, it is safe to assume that these threat group ‘business partnerships’ are going to become even more prevalent in future,” researchers wrote.

“The opposing theory—that three groups with differing motivations and conflicting modi operandi would be working together in unison—would be highly unlikely,” explained Eric Milam, BlackBerry’s vice president of threat intelligence.

Shortly after the BlackBerry team started its research into a Cobalt Strike Beacon and the data contained within its configuration last April, it observed oddities in domains identified by a Microsoft report as serving malspam. Researchers came across a single domain that revealed “multiple ransomware attacks, and an APT command-and-control (C2),” they said, which led them to Zebra2104’s infrastructure. “IABs typically gain entry into a victim network, then sell that access to the highest bidder on underground forums located on the dark web,” according to BlackBerry.

The winning bidder then deploys “ransomware and/or other financially motivated malware within the victim’s organization, depending on the objectives of their campaign,” BlackBerry said.

The BlackBerry team followed a trail leading to MountLocker, then found links to Phobos. “In several instances, a delay was observed between an initial compromise using Cobalt Strike and further ransomware being deployed,” the researchers wrote. They then “identified another domain sharing a past IP resolution, linked to the StrongPity APT group by Talos Intelligence in June of 2020,” the report said.

“Based on these factors, we can infer that the infrastructure is not that of StrongPity, MountLocker, or Phobos, but of a fourth group that has facilitated the operations of the former three,” they wrote. “This is either done by providing initial access, or by providing infrastructure-as-a-service (IaaS).”

The report explained that the “IAB performs the first step in the kill chain of many attacks; this is to say they gain access into a victims’ network through exploitation, phishing, or other means.” They work to establish a foothold such as a reliable backdoor into a victim network. “They then list their access in underground forums on the dark web, advertising their wares”—in some instances, for as little as $25—to lure prospective buyers.

IABs are on the rise—Digital Shadows earlier this year noted the uptick. “With this explosion of IAB activity across the board, coupled with an equally sized uptick of ransomware operators it is a perfect breeding ground for IABs to flourish,” BlackBerry’s Milam said.

BlackBerry is seeing “not only a sign of a ransomware epidemic but also that of a maturing threat landscape where, instead of one threat actor performing the entire kill chain of attacks in-house, they can now save time and the cost of expertise to buy access from an IAB who has honed their craft on a specific portion of the kill chain—procuring initial access,” said Milam.

“For vulnerable companies, this is undoubtedly an alarming trend and one that is likely to continue and evolve further throughout the near future,” he said.

It’s hard to say if Zebra2104 will be a greater threat since it “is a new and previously undocumented IAB” with “no prior historical record of any past activities,” said Milam. “However, by comparing Zebra2104’s activities with other more well-known and prolific IABs, such as NetNet and Drumrlu, it is fair to say at this moment it is at the lower end of the scale. But considering its newness and the successful partnerships we have already seen developed with the threat groups mentioned in our report, it is likely that this is not the last we have seen of Zebra2104.”

Companies can stave off such attacks by taking preventive measures such as practicing basic cybersecurity hygiene and providing employee security training. “Simple techniques, such as phishing emails, are still one of the most successful methods of procuring initial access. Having the correct precautions in place can help to greatly lessen the risk factor facing organizations,” said Milam. “This coupled with rigorous patching and additional layers of security such as endpoint protection can improve your security posture against potential threats.”

The BlackBerry threat intelligence guru cautioned organizations to remain alert to these threats. “If you analyze this apparent threat group partnership closely, it resembles a relationship that a legitimate business organization would call ‘channel partners,’” said Milam. “It has been said before how much cybercrime organizations often operate like regular businesses – this is another facet of the legitimate business world that they have adopted, simply because it works so well.”


Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
