Google Discovers Initial Access Broker Behind Conti Ransomware

Morgan Phisher February 10, 2024

Hey there, folks! I recently got some intriguing information that I wanted to share with you all. Remember a couple of months ago, in September 2021, when alarm bells started ringing about a new cyber threat actor? That one they dubbed “EXOTIC LILY”? Well, I’ve been digging around and found some fascinating insights that I thought my fellow cybersecurity and healthcare professionals would want to know.

At first, everyone assumed this “EXOTIC LILY” thing was just another typical group trying to worm its way into organizations, right? But hold on to your hats, because the people who study this stuff full-time (those mavens in Google’s Threat Analysis Group) concluded that this group was what they call an “Initial Access Broker,” or IAB for short.

Check this out: IABs are like the criminal master locksmiths of the cyber world. They sneak their way into a target organization and then fling open the doors for the highest bidder. Pretty crafty (and scary), huh? Unsurprisingly, these guys are both resourceful and financially motivated. But here’s something I didn’t see coming: they’re apparently tied to a Russian cybercrime gang tracked under names like FIN12 or WIZARD SPIDER. Yikes!

Our elusive EXOTIC LILY has a bit of a rap sheet. They’re associated with activities like data theft and the deployment of those nasty ransomware families, Conti and Diavol, both of which, by the way, are human-operated. According to the Google Threat Analysis Group (or TAG if you’re into acronyms), our shady cyber group was sending a staggering 5,000 emails a day to around 650 organizations across the world. Can you imagine the sheer scale of that operation?

For a while, they mainly had their eyes set on the cybersecurity, IT, and healthcare industries, but by November 2021, their targeting seemed to have broadened. They started to spread their net wide, launching attacks on a multitude of organizations and industries.

Their modus operandi? They pose as legitimate companies and employees to earn the trust of their targets. Sly, right? Then they deliver their malicious software through commonly used file-sharing services. This strategy isn’t something you usually find among criminal groups that target organizations on a massive, worldwide scale. It’s more akin to a cunning fox than a break-and-enter burglar, which makes it even harder to spot.

One sneaky trick in their playbook involves spoofing an organization’s domain by reusing its name under a different extension (TLD). This gives a deceptive air of credibility to their outreach. Then they deliver their payload via file-sharing services, using the email features offered by these platforms: they fill in the victim’s email address so that the platform’s own notification email carries the link to the malicious payload, which makes detection incredibly complex.
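As an added example (not from the original post or from Google TAG), here is a small Python checker a mail team could run over From: headers to flag sender domains that reuse an organization’s name under a different extension, the lookalike trick described above. The organization domains and headers are constructed for illustration.

```python
import re

# Constructed sample: domains the organization actually owns (hypothetical names).
OWN_DOMAINS = {"example-clinic.com", "example-clinic.org"}

# Tiny stand-in for the Public Suffix List, kept short so the logic stays readable.
MULTI_LABEL_SUFFIXES = ("co.uk", "com.au", "org.uk")


def registrable_parts(domain: str) -> tuple:
    """Split 'mail.example-clinic.co.uk' into ('example-clinic', 'co.uk')."""
    domain = domain.lower().rstrip(".")
    for suffix in MULTI_LABEL_SUFFIXES:
        if domain.endswith("." + suffix):
            stem = domain[: -len(suffix) - 1]
            return stem.rsplit(".", 1)[-1], suffix
    labels = domain.rsplit(".", 2)
    if len(labels) < 2:
        return domain, ""
    return labels[-2], labels[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header such as 'Name <user@host>'."""
    m = re.search(r"<?([^<>\s@]+)@([^<>\s]+)>?", from_header)
    return m.group(2).lower() if m else ""


def classify_sender(from_header: str) -> str:
    """Return 'own-domain', 'lookalike-tld (...)', 'external' or 'unparseable'."""
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    if domain in OWN_DOMAINS or any(domain.endswith("." + d) for d in OWN_DOMAINS):
        return "own-domain"
    stem, suffix = registrable_parts(domain)
    own_stems = {registrable_parts(d)[0] for d in OWN_DOMAINS}
    if stem in own_stems:
        # Same organization name, different extension: the EXOTIC LILY pattern.
        return f"lookalike-tld ({stem}.{suffix})"
    return "external"


if __name__ == "__main__":
    # Constructed headers, not real mail.
    for hdr in ["HR <hr@example-clinic.com>", "HR <hr@example-clinic.us>",
                "IT Desk <it@mail.example-clinic.co.uk>", "Vendor <ap@vendor.example>"]:
        print(f"{classify_sender(hdr):40s} {hdr}")
```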

So, that’s the latest on EXOTIC LILY. As we navigate the tricky waters of cybersecurity in the healthcare field, it’s helpful to stay informed about these cloak-and-dagger operations. Remember, we’re all in this together, and knowledge is power. So, stay safe out there, and let’s keep having each other’s backs!

by Morgan Phisher | HEAL Security