Google’s Threat Analysis Group (TAG) has identified a new initial access broker that it alleges is closely affiliated with a Russian cyber-crime gang infamous for its Conti and Diavol ransomware operations.
The financially motivated threat actor, dubbed Exotic Lily, has been detected exploiting a recently patched critical flaw in the Microsoft Windows MSHTML platform (CVE-2021-40444).
The exploit is delivered through phishing campaigns that send 5,000 business-proposal-themed emails a day to 650 targeted organisations worldwide.
“Initial access brokers are the opportunistic locksmiths of the security world, and it’s a full-time job,” TAG researcher Vlad Stolyarov said. “These groups specialise in breaching a target in order to open the doors — or the Windows — to the malicious actor with the highest bid.”