Google LLC’s Threat Analysis Group today exposed an initial access broker with ties to the infamous Conti ransomware gang.

IAB’s are cybercriminals specializing in breaching companies and then selling access to ransomware gangs. Google calls them “the opportunistic locksmiths of the security world.”

Dubbed “Exotic Lily,” the group is described as resourceful and financially motivated with activities closely linked to both Conti and the Diavol ransomware gang. The group primarily uses spear-phishing campaigns, sending emails that pretend to be from legitimate organizations and employees using domain and identity spoofing.

The domain spoofing involved the use of domains that were nearly identical to those of actual organizations. At the peak of its activity, the Google TAG researchers observed the group sending more than 5,000 emails a day to as many as 650 targeted organizations globally.

Initially, Exotic Lily targeted specific industries such as information technology, cybersecurity and healthcare but have recently been observed attacking a wide variety of organizations and industries, with a less specific focus.

Spear-phishing campaigns are not new, but Exotic Lily takes them to the next level. The group creates fake social media profiles, including LinkedIn profiles, using easily available employee data to make their emails appear authentic.

Exotic Lily would also send spear-phishing emails under the pretext of a business proposal, such as seeking to outsource a business development project or an information security service. The attackers would sometimes engage further, attempting to schedule a meeting to discuss the project’s design or requirements.

Having established a level of trust with the targeted victim, the group would then seal the attack by sharing the alleged project info — in reality, malware — with the victim. To add further credibility, the fake project info is not shared directly but via public file-sharing services such as TransferNow, Transfer XL, We Transfer and OneDrive.

“Cybercriminals will rely on people working through their emails as quickly as possible, as many users have their inbox rule their days,” James McQuiggan, security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. “Using the exact spelling but changing the top-level domain, the user could have the training to check the link, look for transposed letters or substituted letters and forget to check the characters that come after the period in the web address.”

McQuiggan noted that users must take the time when reviewing emails to ask themselves questions about the email to avoid being socially engineered. Do I know the sender? Am I expecting this? Do they want me to do something quickly?

“If any of the responses are unfavorable, it is best to review the email further, thoroughly check the links and verify the sender,” McQuiggan added. “It might take a few extra minutes, but that can save hours and months from a ransomware attack or data breach due to clicking on a malicious link.”

Photo: Public Domain Pictures