| IntelBroker | |
| --- | --- |
| Location | Serbia |
| Date of initial activity | 2022 |
| Suspected attribution | Cybercriminals |
| Motivation | Financial gain |
| Associated tools | Endurance Ransomware |
Overview
IntelBroker, a sophisticated threat actor reportedly based in Serbia, has made headlines for its extensive and high-impact cyber operations. Known for targeting a diverse range of sectors, including government, telecommunications, automotive, and technology, IntelBroker has gained notoriety through its aggressive tactics and the use of advanced malware. The actor operates as an intelligence broker, not only breaching prominent organizations but also monetizing their compromised data on underground forums. This dual approach—data theft and sale—has cemented IntelBroker’s reputation as a formidable adversary in the cyber threat landscape.
Common targets
- Sectors: Public Administration, Information, Manufacturing
- Countries: United States, United Kingdom, Sweden
Attack Vectors
Software Vulnerabilities
Associated Tools
Endurance Ransomware: This is the primary tool used by IntelBroker to conduct extortion operations. Endurance is a C#-based ransomware that acts more like wiping malware, overwriting file contents with random data, renaming files, and deleting them. The source code for Endurance is publicly available on the threat actor’s GitHub repository, which allows for its modification and widespread use.
How they operate
At the core of IntelBroker’s operations is the Endurance ransomware, a custom-developed strain designed to inflict significant damage on targeted organizations. Unlike conventional ransomware that encrypts files, Endurance acts more like wiping malware. It overwrites the contents of targeted files with random data, renames them with arbitrary strings, and then deletes them, rendering the data irretrievable. The ransomware’s source code is available on the threat actor’s GitHub repository, allowing for its distribution and adaptation across various cybercriminal circles. This method not only disrupts the victim’s operations but also complicates recovery efforts, pushing organizations towards paying ransoms.
IntelBroker’s tactics extend beyond the deployment of ransomware. The group is known for exploiting vulnerabilities in widely used software to gain unauthorized access to systems. For instance, they have leveraged vulnerabilities such as CVE-2024-1597, which impacts Confluence Data Center and Server, to breach their targets. Exploiting known weaknesses lets IntelBroker infiltrate networks and gather valuable data, which is then sold on underground forums. The group’s ability to compromise third-party service providers—such as their alleged breach of T-Mobile’s ecosystem—demonstrates a sophisticated approach to expanding their attack surface and increasing their chances of success.
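The overwrite, rename, delete sequence described above is a pattern that file telemetry can be matched against, which is how a defender distinguishes this wiper behaviour from ordinary file churn. The detector below is an added example, not the profile's or the actor's code; its event format, field names (pid, op, path, new_path) and the three-files-in-sixty-seconds threshold are constructed assumptions standing in for real EDR telemetry.

```python
"""Detector for the overwrite -> rename -> delete wiper sequence the profile attributes
to Endurance. Added example; event format, field names and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: timestamp|pid|op|path|new_path (new_path set on rename only).
SAMPLE_EVENTS = r"""
2024-05-01T10:00:00|4242|write|C:\Docs\q1.xlsx|
2024-05-01T10:00:00|4242|rename|C:\Docs\q1.xlsx|C:\Docs\Zx9kQ2
2024-05-01T10:00:01|4242|delete|C:\Docs\Zx9kQ2|
2024-05-01T10:00:01|4242|write|C:\Docs\plan.docx|
2024-05-01T10:00:01|4242|rename|C:\Docs\plan.docx|C:\Docs\pL0m3
2024-05-01T10:00:02|4242|delete|C:\Docs\pL0m3|
2024-05-01T10:00:02|4242|write|C:\Docs\notes.txt|
2024-05-01T10:00:02|4242|rename|C:\Docs\notes.txt|C:\Docs\Hh7Tw
2024-05-01T10:00:03|4242|delete|C:\Docs\Hh7Tw|
2024-05-01T10:05:00|1337|write|C:\Docs\report.docx|
2024-05-01T10:05:01|1337|rename|C:\Docs\report.docx|C:\Docs\report_final.docx
"""

def parse_events(text):
    """Parse pipe-delimited lines into (time, pid, op, path, new_path) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, pid, op, path, new_path = line.split("|")
        events.append((datetime.fromisoformat(ts), int(pid), op, path, new_path))
    return events

def wiped_files_by_pid(events):
    """Map pid -> deletion times of files that went write -> rename -> delete."""
    stage = {}                   # (pid, current path) -> "written" | "renamed"
    wiped = defaultdict(list)
    for ts, pid, op, path, new_path in sorted(events, key=lambda e: e[0]):
        key = (pid, path)
        if op == "write":
            stage[key] = "written"
        elif op == "rename" and stage.pop(key, None) == "written":
            stage[(pid, new_path)] = "renamed"   # identity follows the new name
        elif op == "delete" and stage.pop(key, None) == "renamed":
            wiped[pid].append(ts)                # full chain completed
        else:                                    # any other ordering breaks the chain
            stage.pop(key, None)
    return dict(wiped)

def flag_wiper_activity(events, min_files=3, window=timedelta(seconds=60)):
    """Return {pid: total wiped files} for processes completing the full sequence
    on at least min_files files inside any window-long interval."""
    flagged = {}
    for pid, times in wiped_files_by_pid(events).items():
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= min_files:
                flagged[pid] = len(times)
                break
    return flagged
```

The benign process 1337 renames a file it wrote but never deletes it, so it completes no chain and is not flagged; a legitimate bulk delete without the preceding overwrite and rename is likewise ignored.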
MITRE Tactics and Techniques
Initial Access:
Exploit Public-Facing Application (T1190): Exploiting vulnerabilities in publicly accessible applications, such as Confluence Data Center and Server vulnerabilities, to gain initial access.
Spear Phishing (T1566): Targeting individuals within organizations with malicious emails to deliver payloads or gain credentials.
Execution:
Command and Scripting Interpreter (T1059): Utilizing scripts or command-line interfaces to execute malicious commands or payloads. This is relevant for running ransomware and other malicious software.
PowerShell (T1059.001): Leveraging PowerShell for executing commands or scripts that are part of their malware operations.
Persistence:
Create or Modify System Process (T1543): Modifying or creating system processes to ensure that their ransomware or other malware remains active on compromised systems.
Privilege Escalation:
Exploitation for Privilege Escalation (T1068): Exploiting vulnerabilities to escalate privileges within a compromised environment.
Defense Evasion:
Obfuscated Files or Information (T1027): Using techniques to obfuscate malware or ransomware code to avoid detection.
Indicator Removal on Host (T1070): Clearing or modifying logs and other indicators to avoid detection and analysis.
Credential Access:
Credential Dumping (T1003): Extracting credentials from compromised systems to further their access within the network.
Discovery:
Network Service Scanning (T1046): Scanning network services to identify and exploit vulnerable services within the target network.
System Information Discovery (T1082): Gathering information about system configurations and user accounts to better plan their attacks.
Lateral Movement:
Remote Desktop Protocol (T1076): Using RDP to move laterally across the network and access additional systems.
Collection:
Data Staged (T1074): Staging collected data for exfiltration, often found in the process of gathering and preparing stolen information for sale.
Exfiltration:
Exfiltration Over Web Service (T1567): Using web-based services to exfiltrate stolen data from compromised systems.
Impact:
Data Destruction (T1485): Using ransomware like Endurance to destroy or overwrite files, making data recovery difficult.
Ransomware (T1486): Encrypting or otherwise rendering data inaccessible to demand a ransom.