Google’s Threat Analysis Group (TAG) took the wraps off a new initial access broker that it said is closely affiliated with a Russian cybercrime gang notorious for its Conti and Diavol ransomware operations.
Dubbed Exotic Lily, the financially motivated threat actor has been observed exploiting a now-patched critical flaw in the Microsoft Windows MSHTML platform (CVE-2021-40444) as part of widespread phishing campaigns that involved sending no fewer than 5,000 business proposal-themed emails a day to 650 targeted organizations globally.
“Initial access brokers are the opportunistic locksmiths of the security world, and it’s a full-time job,” TAG researchers Vlad Stolyarov and Benoit Sevens said. “These groups specialize in breaching a target in order to open the doors — or the Windows — to the malicious actor with the highest bid.”
Exotic Lily, first spotted in September 2021, is said to have been involved in data exfiltration and deployment of the human-operated Conti and Diavol ransomware strains, both of which share overlaps with Wizard Spider, the Russian cybercriminal syndicate that’s also known for operating TrickBot, BazarBackdoor, and Anchor.
“Yes, this is a possibility, especially considering this is more sophisticated and targeted than a traditional spam campaign, but we don’t know for sure as of now,” Google TAG told The Hacker News when asked whether Exotic Lily could be another extension of the

Read more: https://bit.ly/3IuJMrQ