New Threat Actor Exotic Lily Is an Access Broker for Russian Hackers, Including the Conti Gang

Russia says it's facing unprecedented wave of hacking attacks, CISA warns of SATCOM threats, Anonymous seemingly took control of cameras inside Russia to display message, much more

Mar 18

Google’s Threat Analysis Group observed a financially motivated threat actor it calls Exotic Lily working as an intermediary for Russian hackers, including the Conti ransomware gang.

The group acts as an initial access broker, finding vulnerable organizations and selling access to their networks to the highest bidder, freeing up ransomware gangs such as Conti to focus on the execution phase of an attack. Directing targets to spoofed domains via email campaigns, Exotic Lily tees up malware infection by setting up social media profiles and AI-generated images of human faces to appear as legitimate employees before sending spear-phishing emails under the pretext of a business proposal.

Google’s researchers confirm Exotic Lily’s relationship with a Russian cybercrime group tracked as Wizard Spider (also known as UNC1878), linked to the notorious Ryuk ransomware used to target businesses, hospitals institutions since 2018. (Carly Page / TechCrunch)

Thomas Brewster @iblametom

Interesting new report from Google TAG on access brokers. blog.google/threat-analysi… I wrote about one access broker the week the war was breaking out - one of them hit Doctors Without Borders, amongst many other companies:

forbes.comHackers Sell Backdoors Into A $2 Billion Nonprofit, A Californian Hospital, And Michigan GovernmentCybercriminals are charging anything from $500 to $7,000 for access to organizations’ computers and morals appear to have gone out the window, as Doctors Without Borders and a U.S. hospital are targeted.

The Russian Ministry of Digital Development and Communications said that Russian government websites and state-run media face an “unprecedented” wave of hacking attacks, prompting regulators to filter traffic coming from abroad.

The ministry said the attacks were at least twice as powerful as any previous ones. It did not elaborate on what filtering measures had been implemented, but this has often meant barring Russian government websites to users abroad in the past. (Mary Ilyushina / Washington Post)

Related: Axios

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI said they're aware of "possible threats" to satellite communication (SATCOM) networks in the US and worldwide.

The warning comes after the KA-SAT network of US satellite communications provider Viasat, used intensively by the Ukrainian military, was affected by a cyberattack that led to satellite service outages in Central and Eastern Europe after Russia invaded Ukraine. (Sergiu Gatlan / Bleeping Computer)

Related: Homeland Security Today, CISA

Hackers claiming affiliation with the hacking collective Anonymous took down dozens of CCTV cameras seemingly located inside Russia and displayed the message "Putin is killing children” and other messages over them.

“352 Ukraine civilians dead. Russians lied to 200RF.com. Slava Ukraini! Hacked by Anonymous,” the message displayed on the feeds says. 200RF.com is another site posting information about Russian soldiers in Ukraine. The hackers also created a website containing live feeds of these security cameras called “Behind Enemy Lines.” (Joseph Cox / Motherboard)

Related: Raw Story, Security Affairs

Hackers who say they belong to the hacktivist movement Anonymous leaked over 79 gigabytes of emails from the Russian state-controlled pipeline company Transneft amid the country’s ongoing bombardment of Ukraine.

The hackers provided the data trove to the journalist non-profit group DDoSecrets. The emails appear to have originated from Transneft’s R&D department, known as the OMEGA Company. The hackers also sarcastically dedicated their breach to former Secretary of State Hillary Clinton, who encouraged cyberattacks and non-governmental action against the Russian state. (Mikael Thalen / Daily Dot)

Related: The Verge

Hacking collective Anonymous has leveled a threat at controversial GOP Congresswoman Marjorie Taylor Greene after she released a nearly 10-minute video in which she stated that Ukrainians are fighting "a war [against Russia] they cannot win.

"Russian asset Marjorie Taylor Greene will go down in history as one of the dumbest politicians ever. History will not be kind to you, nor will we," the Twitter account @YourAnonNews wrote. (Daniel Villarreal / Newsweek)

Related: Washington Examiner

Anonymous @YourAnonNews

@RepMTG @BillKristol Russian asset Marjorie Taylor Greene will go down in history as one of the dumbest politicians ever. History will not be kind to you, nor will we. #Anonymous

Researchers at Trend Micro say that multiple ASUS router models are vulnerable to the Russia-linked Cyclops Blink malware threat linked to the Russian-backed APT group Sandworm.

Cyclops Blink establishes persistence for threat actors on the device, allowing them a point of remote access to compromised networks. The researchers warn that the malware features a specialized module that targets several ASUS routers, allowing the malware to read the flash memory to gather information about critical files, executables, data, and libraries. Trend Micro published mitigations for the security risk. (Bill Toulas / Bleeping Computer)

Catalin Cimpanu @campuscodi

The Cyclops Blink malware/botnet has expanded its targeting from WatchGuard firewalls to ASUS routers, per a new report published today by Trend Micro: trendmicro.com/en_us/research…

Catalin Cimpanu @campuscodi

The FBI, CISA, NSA, and UK's NCSC have published a report today detailing Cyclops Blink, a new IoT malware strain they claim was developed by the Sandworm APT (previously linked to Russia's GRU military intelligence service) https://t.co/rpWTieQWcE https://t.co/opbiQ2q8XW

Microsoft released a scanner that detects MikroTik routers hacked by the TrickBot gang to act as proxies for command and control servers.

Microsoft researchers say that the TrickBot gang targeted vulnerable MikroTik routers using various methods to incorporate them as proxies for C2 communications. The threat actors appear to have an in-depth knowledge of the limited functions of the Linux-based OS in MikroTik devices, using custom SSH commands that would make little sense on other devices. (Bill Toulas / Bleeping Computer)

The BlackBerry Threat Intelligence team has discovered a new type of ransomware known as LokiLocker, which encrypts the data on affected PCs and then demands payment.

If payment demands are not met, LokiLocker deletes all data on the computer. In an unusual characteristic, the ransomware is well-written in English. BlackBerry suspects that some of the cracking tools used in LokiLocker were made by the Iranian cracking team called AccountCrack. (Sean Endicott / Windows Central)

Related: BlackBerry, Tech Republic, CSO Online

In a 4-0 vote, the U.S. Federal Communications Commission (FCC) voted to revoke authorization for Chinese telecom Pacific Networks and its wholly-owned subsidiary ComNet to provide U.S. telecommunications services, citing national security concerns.

The FCC says the carriers are ultimately controlled by CITIC Group Corp, a Chinese state-owned limited liability company. In March 2021, the FCC found Pacific Networks and ComNet had failed to "dispel serious concerns regarding their retention of their authority to provide telecommunications services in the United States." (David Shepardson / Reuters)

Related: Bloomberg, The Hill, PC Mag, Associated Press, FCC.gov

Franco Gabrielli, Italy’s state undersecretary for security, told the Senate that the government was working on rules to allow state bodies to pull the plug on software developed by the Russia-based Kaspersky Lab.

Under the new rules, the government would let public administrations replace all potentially harmful software without facing penalties. Germany's cyber security agency warned users of the Kaspersky software earlier this week that it posed a severe risk of a successful hacking attack. (Angelo Amante / Reuters)

Related: Barron’s, Komando.com

TransUnion South Africa confirmed that a “criminal third party” gained access to one of its servers and demanded $15 million (R223 million) ransom over four terabytes of compromised data.

A hacker group N4aughtysecTU, which claims to hail from Brazil, has reportedly claimed responsibility for the hack, and the company said it would not meet their ransom demands. The hacker group claims it stole credit scores, banking details, and ID numbers. So weak were the IT systems that the password TransUnion used was the word “Password,” says the group. (Admire Moyo / IT Web)

Related: TechCentral, The South African

Researchers at Wordfence say they spotted a spike in backdoor infections on WordPress websites hosted on GoDaddy's Managed WordPress service, all featuring an identical backdoor payload.

The case affects internet service resellers such as MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe Managed WordPress. Wordfence first observed the malicious activity on March 11, 2022, with 298 websites infected by the backdoor within 24 hours, 281 of which were hosted on GoDaddy. The backdoor is a 2015 Google search SEO-poisoning tool implanted on the wp-config.php to fetch spam link templates from the C2 to inject malicious pages into search results. GoDaddy has offered no comment on the findings. (Bill Toulas / Bleeping Computer)

Related: TechRadar, Exploit One, Slashdot, Wordfence

Image by Pete Linforth from Pixabay