Network Intruders Selling Access To High-Value Companies
Breaching corporate networks and selling access to them is a business in and of itself. For many hackers this is how they make their living; others, pushed by financial struggles, do it to supplement their income.
One actor claiming they returned to black hat activities after laying low for a while has recently churned out network access credentials for big and small companies across the world.
Web of network intruders
Using the alias bcorp33, the network intruder appears to be collaborating with affiliates of FXMSP, the threat actor recently indicted by the U.S. Department of Justice for hacking into and selling access to over three hundred organizations.
FXMSP is the same group of hackers that a little over a year ago was advertising access to networks belonging to Symantec, McAfee, and Trend Micro (official statements).
Yelisey Boguslavskiy, AdvIntel director of security research, told BleepingComputer that FXMSP was the hacking part of a larger crew that also marketed and monetized network access and data collected from the intrusions.
This non-hacking part of the gang uses various affiliates to promote stolen information to whoever is willing to pay the price. It is estimated that this group made over $1.5 million from selling network access.
One alias used for this operation on multiple cybercrime forums is Antony Moricone, but other screen names are being used for the same purpose. It is unclear if one or several actors are handling these profiles.
Threat Intelligence firm Shadow Intelligence believes that bcorp33 is a new affiliate of the FXMSP group, along with Drumrlu and Marlon_Brando.
This conclusion is based on posts from these profiles promoting network access to the same companies and for the same prices. Furthermore, when the price dropped in one ad, it would reflect in posts from the other profiles.
According to Shadow Intelligence, the victim in the screenshot above is the nuclear power plant at Cernavoda in Romania and “drumrlu” has sold access to its network.
Another actor in the same business is “Marlon_Brando,” and they are also being promoted by Antony Moricone, as seen in the posts below from the two actors selling the same items on different forums:
It is possible that Moricone and their affiliates may act as a “marketing department” advertising access from network intruders like bcorp33.
In mid-July, Shadow Intelligence noticed that bcorp33 was selling VPN access to nine entities ($1,300 each) that included PepsiCo food and beverage corporation and government organizations in Taiwan and Peru.
The actor sold credentials for some of these organizations and there is high confidence that they closed the deal for all of them by now.
bcorp33's larger victims
It appears that bcorp33 compromised Pulse Secure VPN deployed at victim organizations by exploiting CVE-2019-11510 and maintained access after the patch was applied.
Shadow Intelligence believes that the initial breach occurred months in advance and that the actor also leverages CVE-2020-5902, the vulnerability in F5's BIG-IP devices (patched on July 1, 2020), for this purpose.
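The post-patch persistence described above is why patching the VPN appliance alone is not a remediation: credentials captured before the patch keep working until they are rotated. The following added example (not from the article, Shadow Intelligence or any vendor) assumes a constructed log format and a constructed password-reset table, and lists successful VPN logins by accounts whose password was not changed after the patch date, treating unknown accounts as suspect as well.

```python
from datetime import datetime, date

# Constructed sample of VPN authentication events recorded after patching.
VPN_LOG = """\
2020-07-15T08:01:12Z alice 198.51.100.7 success
2020-07-15T08:03:40Z bob 203.0.113.9 success
2020-07-15T09:20:00Z bob 203.0.113.9 failure
2020-07-16T02:11:05Z alice 192.0.2.44 success
2020-07-16T23:40:00Z svc_backup 203.0.113.77 success
2020-07-17T04:00:00Z tmpadmin 203.0.113.78 success
"""

# Constructed: date each known account's password was last changed.
LAST_RESET = {
    "alice": date(2020, 7, 15),      # rotated after the patch
    "bob": date(2019, 11, 2),        # never rotated since the patch
    "svc_backup": date(2018, 5, 1),  # service account, never rotated
}

PATCH_DATE = date(2020, 7, 14)  # constructed: day the appliance was patched


def parse_vpn_log(log):
    """Parse 'timestamp user src_ip result' lines (constructed format)."""
    events = []
    for line in log.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events


def stale_credential_logins(log, last_reset, patch_date):
    """Successful logins by accounts whose password may predate the patch.

    A credential stolen through the pre-patch vulnerability stays valid until
    it is changed, so these sessions cannot be assumed to belong to the real
    user. Accounts missing from the reset table are flagged too: an unknown
    account on a VPN is itself worth investigating.
    """
    flagged = []
    for ts, user, ip, result in parse_vpn_log(log):
        if result != "success":
            continue
        reset = last_reset.get(user)
        if reset is None or reset <= patch_date:
            flagged.append((user, ip, ts.isoformat()))
    return flagged


if __name__ == "__main__":
    for user, ip, when in stale_credential_logins(VPN_LOG, LAST_RESET, PATCH_DATE):
        print(f"review session: {user} from {ip} at {when}")
```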
In conversations with the researchers, the actor stated that they also use botnets to identify and enumerate targets in order to find potential victims, and that, given enough time (two to three days), they can obtain domain admin access on most of the networks they breach.
A hint about this tactic is given in the advertisement for selling VPN credentials for PepsiCo, a post that was also published by Antony Moricone on a different hacker forum, indicating a collaboration of some sort between the two.
It is worth noting that back in July the security company saw three other actors also offering to sell at least seven sets of credentials for PepsiCo (sso.mypepsico.com).
Shadow Intelligence alerted the companies and the Computer Emergency Response Teams (CERTs) in their countries. Replying to Shadow Intelligence, PepsiCo said they were aware of the offer on the dark web and were taking action about it.
The same cross-posting occurred with VPN access for a large South Korean corporation. The initial price was $13,000, later lowered to $10,000, and the change was reflected in ads from both bcorp33 and Antony Moricone.
Although the actor stated that the victim was a car manufacturer and Shadow Intelligence identified it as Hyundai, BleepingComputer learned that it was Hyundai Corporation, which is part of the Hyundai Heavy Industries Co., Ltd. (HHI) shipbuilding business.
These are just a couple of the breaches associated with bcorp33. In multiple tweets from Shadow Intelligence, it is clear that this is a prolific actor that has shifted focus to breaching larger companies.
At the end of July, the researchers found adverts from this individual asking $6,000 for access to a major online media corporation in Norway that has a “large software development division” of 200 people out of 5,000 employees.
In another post, they asked $10,000 for VPN credentials to a company with 220,000 workers. For domain admin, a buyer would have to pay $13,000 and wait a few more days. This organization was later identified as LG Electronics' Research & Development department in North America.
LG Electronics suffered a breach from Maze ransomware operators, who announced the attack in late June, saying that they had stolen 40GB of source code from the manufacturer.
However, bcorp33 claimed on August 3 that they had compromised several network accounts, some with domain-level privileges, including one belonging to a senior systems and network administrator at LG's R&D in Silicon Valley.
The actor also claimed that they would deploy Phobos ransomware if they did not sell the access in four days.
Shadow Intelligence verified that bcorp33’s breach was real through screenshots provided by the intruder. These show access to the aforementioned networks mainly via Pulse Secure VPN, to the LDAP server tree, and successful enumeration of available hosts.
In private chats with researchers, the network intruder, who also uses the alias “arkangel,” said that they had about 12 years of experience in black hat activity and that they recently returned to the scene due to financial difficulties.