
The TTPs of Conti’s initial access broker
2022-03-18 11:16

Automation might be the way to go for many things, but a recently published report by Google's Threat Analysis Group shows why targeted phishing campaigns performed by human operators are often successful, and how the Conti ransomware gang excels at targeting organizations with the help of an initial access broker.

Exotic Lily: A threat actor specializing in gaining initial access into organizations.

TAG researchers Vlad Stolyarov and Benoit Sevens have delineated the tactics, techniques and procedures used by an initial access broker they dubbed Exotic Lily.

"Using spoofed email accounts, attackers would then send spear phishing emails under the pretext of a business proposal, such as seeking to outsource a software development project or an information security service," TAG analysts explained.

After a few emails exchanged under that business pretext, the attackers would upload a malicious payload to a public file-sharing service such as TransferNow, TransferXL, WeTransfer or OneDrive, and use the service's built-in email notification feature to share the file with the target, so the delivery email comes from the service rather than from the attacker's own account.

These and other indicators point to a connection between this initial access broker and threat actors pushing the human-operated Conti and Diavol ransomware, though the analysts believe they are specialized, separate entities.
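The delivery pattern described above gives a mail-gateway defender two concrete signals to combine: a download link pointing at one of the named public file-sharing services, and a correspondent who is not an established business partner (or whose Reply-To points somewhere other than the From domain, as is common with spoofed accounts). The following triage helper is an added example, not code from Help Net Security or from Google TAG; the service hostnames, the trusted-partner list and both sample emails are assumptions constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hostnames for the file-sharing services named in the report.
# Assumption: this list is maintained by the defender and is not complete.
FILE_SHARING_HOSTS = ("transfernow.net", "transferxl.com", "wetransfer.com",
                      "onedrive.live.com", "1drv.ms")

URL_RE = re.compile(r"https?://([^/\s\"'<>]+)[^\s\"'<>]*", re.IGNORECASE)


def sender_domain(header_value: str) -> str:
    """Lowercase domain of an address header, or '' if it cannot be parsed."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def is_sharing_host(host: str) -> bool:
    """True when host is one of the sharing services or a subdomain of one."""
    host = host.lower().split(":")[0]
    return any(host == h or host.endswith("." + h) for h in FILE_SHARING_HOSTS)


def find_sharing_links(text: str) -> list[str]:
    """Return every URL in text whose host belongs to a file-sharing service."""
    return [m.group(0) for m in URL_RE.finditer(text) if is_sharing_host(m.group(1))]


def message_body(msg) -> str:
    """Concatenate the decoded text/plain and text/html parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def assess(raw_email: str, trusted_domains: frozenset[str]) -> dict:
    """Score one inbound message against the delivery pattern in the report.

    Each signal becomes a reason string; a message is escalated for review only
    when it carries a sharing-service link AND at least one correspondent signal,
    so ordinary transfers from known partners are not flagged.
    """
    msg = message_from_string(raw_email)
    from_dom = sender_domain(msg.get("From"))
    reply_dom = sender_domain(msg.get("Reply-To"))
    links = find_sharing_links(message_body(msg))
    reasons = []
    if links:
        reasons.append("file-sharing download link(s): " + ", ".join(links))
    if from_dom and from_dom not in trusted_domains:
        reasons.append(f"sender domain {from_dom} is not a known partner")
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    verdict = "review" if links and len(reasons) >= 2 else "allow"
    return {"verdict": verdict, "reasons": reasons, "links": links}


# Constructed sample modelled on the notification step; not a real message.
# The download path and the lookalike domain are placeholders.
SAMPLE_NOTIFICATION = """\
From: "TransferNow" <noreply@transfernow.net>
Reply-To: "J. Doe" <j.doe@example-partner-lookalike.test>
To: cfo@example.test
Subject: J. Doe sent you a file: Software_Development_Proposal
Content-Type: text/plain; charset="utf-8"

J. Doe shared "Software_Development_Proposal" with you.
Download: https://www.transfernow.net/dl/placeholder-token
"""

# Constructed benign message from a known partner, for contrast.
SAMPLE_BENIGN = """\
From: "Partner Contact" <contact@example-partner.test>
To: cfo@example.test
Subject: Re: meeting
Content-Type: text/plain; charset="utf-8"

See you Thursday.
"""

if __name__ == "__main__":
    trusted = frozenset({"example-partner.test"})
    for sample in (SAMPLE_NOTIFICATION, SAMPLE_BENIGN):
        result = assess(sample, trusted)
        print(result["verdict"], "|", "; ".join(result["reasons"]) or "no signals")
```

Because the notification is sent by the service itself, its From domain will never be a trusted partner, so every such notification reaches the two-signal threshold unless the sharing service is explicitly allowlisted; the point is to route these to a human reviewer who can check whether the named sharer is a real counterpart, rather than to block file transfers outright.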

News URL

https://www.helpnetsecurity.com/2022/03/18/conti-initial-access/