Security News

Google's Threat Analysis Group took the wraps off a new initial access broker that it said is closely affiliated to a Russian cyber crime gang notorious for its Conti and Diavol ransomware operations. Dubbed Exotic Lily, the financially motivated threat actor has been observed exploiting a now-patched critical flaw in the Microsoft Windows MSHTML platform as part of widespread phishing campaigns that involved sending no fewer than 5,000 business proposal-themed emails a day to 650 targeted organizations globally.

Google's Threat Analysis Group has provided a rare look inside the operations of a cybercriminal dubbed "Exotic Lily," that appears to serve as an initial-access broker for both Conti and Diavol ransomware gangs. Researchers' analysis exposes the business-like approach the group takes to brokering initial access into organizations' networks through a range of tactics so its partners can engage in further malicious activity.

Automation might be the way to go for many things, but a recently published report by Google's Threat Analysis Group shows why targeted phishing campaigns performed by human operators are often successful, and how the Conti ransomware gang excels at targeting organizations with the help of an initial access broker. Exotic Lily: A threat actor specializing in gaining initial access into organizations.

Google's Threat Analysis Group has exposed the operations of a threat actor group dubbed "EXOTIC LILY," an initial access broker linked to the Conti and Diavol ransomware operations. It was determined that "EXOTIC LILY" is an initial access broker that uses large-scale phishing campaigns to breach targeted corporate networks and then sells access to those networks to ransomware gangs.

It was a Ukrainian security specialist who apparently turned the tables on the notorious Russia-based Conti, and leaked the ransomware gang's source code, chat logs, and tons of other sensitive data about the gang's operations, tools, and costs. The security vendor provided a detailed Conti org chart that shows Stern, "The big boss," at the top with henchmen responsible for HR and recruitment, blogging and negotiating, training, and blockchain wrangling, plus teams underneath.

The U.S. Cybersecurity and Infrastructure Security Agency has updated the alert on Conti ransomware with indicators of compromise consisting of close to 100 domain names used in malicious operations. Originally published on September 22, 2021, the advisory includes details observed by CISA and the Federal Bureau of Investigation in Conti ransomware attacks targeting organizations in the U.S. The updated cybersecurity advisory contains data from the U.S. Secret Service.

This week's biggest story is the massive data leak from the Conti ransomware operation, including over 160,000 internal messages between members and source code for the ransomware and TrickBot operation. A Ukrainian security researcher has leaked over 60,000 internal messages belonging to the Conti ransomware operation after the gang sided with Russia over the invasion of Ukraine.

Days after the Conti ransomware group broadcasted a pro-Russian message pledging its allegiance to Vladimir Putin's ongoing invasion of Ukraine, a disgruntled member of the cartel has leaked the syndicate's internal chats. The file dump, published by malware research group VX-Underground, is said to contain 13 months of chat logs between affiliates and administrators of the Russia-affiliated ransomware group from January 2021 to February 2022, in a move that's expected to offer unprecedented insight into the gang's workings.

The pro-Ukraine member of the Conti ransomware gang who promised to eviscerate the extortionists after they pledged support for the Russian government has spilled yet more Conti guts: The latest dump includes source code for Conti ransomware, TrickBot malware, a decryptor and the gang's administrative panels, among other core secrets. On Monday, vx-underground - an internet collection of malware source code, samples and papers that's generally considered to be a benign entity - shared on Twitter a message from a Conti member saying that "This is a friendly heads-up that the Conti gang has just lost all their sht."

Infamous ransomware group Conti is now the target of cyberattacks in the wake of its announcement late last week that it fully supports Russia's ongoing invasion of neighboring Ukraine, with the latest hit being the leaking of its source code for the public to see. The researcher leaked 393 JSON files containing more than 60,000 internal messages that reported were taken from the Conti and Ryuk ransomware gang's private XMPP chat server.