Google Discovers Threat Actor Working as an 'Initial Access Broker' for Conti Ransomware Hackers
Google's Threat Analysis Group has observed a financially-motivated threat actor working as an intermediary for Russian hackers, including the Conti ransomware gang. From a report: The group, which Google refers to as "Exotic Lily," acts as an initial access broker, finding vulnerable organizations and selling access to their networks to the highest bidder. By contracting out the initial access to a victim's network, ransomware gangs like Conti can focus on the execution phase of an attack. In the case of Exotic Lily, this initial access was gained through email campaigns, in which the group masqueraded as legitimate organizations and employees through the use of domain and identity spoofing. In the majority of cases, a spoofed domain was nearly identical to the real domain name of an existing organization, but changed the top-level domain to ".us," ".co" or ".biz." In order to appear as legitimate employees, Exotic Lily set up social media profiles with AI-generated images of human faces. The attackers, who Google believes are operating from Central or Eastern Europe due to the threat actors' working hours, would then send spear-phishing emails under the pretext of a business proposal, before ultimately uploading a payload to a public file-sharing service such as WeTransfer or Microsoft OneDrive.
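The TLD-swap spoofing described above is simple to hunt for once a defender knows which organizations it actually corresponds with. The following is an added example written for this page, not code from Google TAG or from the report it summarizes: it flags sender domains that match a trusted organization's registrable label but carry a different top-level domain. The trusted-domain list, the sample From headers and the helper names are constructed assumptions; the only values taken from the report are the three substitute TLDs.

```python
"""Detect sender domains that differ from a trusted domain only in the TLD.

Added illustration for the Exotic Lily TLD-swap pattern. The trusted-domain
list and sample headers below are constructed, not taken from the report.
"""
from email.utils import parseaddr

# Constructed: domains this defender legitimately exchanges mail with.
# Assumption: a real deployment would build this from the vendor inventory,
# the address book, or historical SPF/DKIM-passing senders.
TRUSTED_DOMAINS = {"example-partner.com", "acme-supplier.org"}

# The substitute TLDs named in the report.
REPORTED_TLDS = {"us", "co", "biz"}

# Constructed sample From headers (not real messages).
SAMPLE_FROM_HEADERS = [
    'From: "Jane Doe" <jane.doe@example-partner.com>',  # legitimate sender
    'From: "Jane Doe" <jane.doe@example-partner.us>',   # TLD swapped to .us
    "From: Procurement <rfq@acme-supplier.biz>",        # TLD swapped to .biz
    "From: Procurement <rfq@acme-supplier.net>",        # swapped, TLD not in report
    "From: newsletter@unrelated-vendor.net",            # no trusted counterpart
]


def registrable_parts(domain):
    """Split 'mail.example-partner.com' into ('example-partner', 'com').

    Assumption: the public suffix is a single label. Production code should
    consult the Public Suffix List so that 'example.co.uk' is not misread as
    label 'co' under TLD 'uk'.
    """
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return labels[-2], labels[-1]


def build_index(trusted):
    """Map each registrable label to the set of TLDs it is trusted under."""
    index = {}
    for dom in trusted:
        parts = registrable_parts(dom)
        if parts:
            index.setdefault(parts[0], set()).add(parts[1])
    return index


def classify_domain(domain, trusted=TRUSTED_DOMAINS):
    """Return (verdict, impersonated_domain).

    verdict is 'trusted' (label and TLD both known), 'lookalike' (known label
    under a different TLD: the Exotic Lily pattern) or 'unknown'.
    """
    parts = registrable_parts(domain)
    if parts is None:
        return ("unknown", None)
    label, tld = parts
    index = build_index(trusted)
    if label not in index:
        return ("unknown", None)
    if tld in index[label]:
        return ("trusted", f"{label}.{tld}")
    # Deterministic choice if the label is trusted under several TLDs.
    return ("lookalike", f"{label}.{sorted(index[label])[0]}")


def scan_from_headers(headers, trusted=TRUSTED_DOMAINS):
    """Return (sender_address, impersonated_domain, uses_reported_tld) for
    every header whose sender domain is a TLD lookalike of a trusted domain."""
    findings = []
    for header in headers:
        value = header.split(":", 1)[1] if header.lower().startswith("from:") else header
        _, addr = parseaddr(value.strip())
        if "@" not in addr:
            continue
        domain = addr.rsplit("@", 1)[1]
        verdict, impersonated = classify_domain(domain, trusted)
        if verdict == "lookalike":
            tld = registrable_parts(domain)[1]
            findings.append((addr, impersonated, tld in REPORTED_TLDS))
    return findings


if __name__ == "__main__":
    for addr, target, reported in scan_from_headers(SAMPLE_FROM_HEADERS):
        flag = "reported TLD" if reported else "other TLD"
        print(f"{addr} impersonates {target} ({flag})")
```

The check deliberately flags any TLD substitution, not just the three the report names, since the same brokers can rotate to other TLDs; the boolean in each finding lets a rule weight the reported ones higher without dropping the rest.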
Read more of this story at Slashdot.