
Google Discovers the Initial Access Broker Behind the Conti Ransomware Which Infiltrates Organizations Using Phishing

Google’s Threat Analysis Group (TAG) took the wraps off a new initial access broker that it said is closely affiliated with a Russian cyber crime gang notorious for its Conti and Diavol ransomware operations.

Because of the conflict between the two countries, various cyber attacks between Russia and Ukraine have been carried out. However, this incident is not related to those attacks. The hacker managed to break into the Regional Ministry of Health of Russia without any complex techniques or methods.

Known by the nickname “Spielerkid89”, he was able to take control of a system belonging to the Regional Ministry of Health of Russia. He claimed that he did not do this intentionally or for malicious purposes. However, he gave an excellent example of how a government organization can be vulnerable because of poor security practices.

Russia, known for its destructive capabilities in the military and cyber fields, was vulnerable to something it would never have expected. As the facts show, Russia is preparing to disconnect from the global Internet.


The Hack

The hacker chose to remain anonymous regarding his personal identity. Spielerkid89 was running a series of scans of vulnerable IP addresses belonging to Russia. He used the Shodan search engine, which is widely used by attackers. He was able to find an open Virtual Network Computing (VNC) port on which authentication was disabled.

VNC is widely used by people working remotely. Technically, VNC is used to access a work computer from home or anywhere else. Usually it includes an authentication method that requires the user name and password set by the system administrator. Systems assigned to employees are configured with VNC authentication, and their users are provided with credentials. As can be understood from the reports of the Russian ministry, there was no authentication at all on the VNC port detected by Spielerkid89. This gave full control over the system, where he could see the files and everything else on it.
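"Authentication disabled" has a concrete form on the wire: during the RFB (VNC) handshake the server lists the security types it supports, and type 1 means "None". An administrator auditing their own VNC services (for example from a packet capture) can read that list directly. The following is an added example, not code from the article or from any VNC project; the server byte strings are constructed samples, and the security-type numbers come from RFC 6143.

```python
"""Parse the security-type negotiation a VNC (RFB) server sends after the
version exchange and flag servers that offer type 1 ("None", no authentication).
Added example with constructed sample bytes; not code from the article."""
import struct

# Security type numbers as registered in RFC 6143 (VeNCrypt and Tight are
# community-assigned values listed in the same registry).
SECURITY_TYPES = {
    0: "Invalid",
    1: "None",
    2: "VNC Authentication",
    5: "RA2",
    6: "RA2ne",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}


def parse_server_version(data: bytes) -> tuple[int, int]:
    """Decode the 12-byte ProtocolVersion message, e.g. b'RFB 003.008\\n'."""
    if len(data) < 12 or not data.startswith(b"RFB ") or data[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    return int(data[4:7]), int(data[8:11])


def parse_security_types(version: tuple[int, int], data: bytes) -> list[int]:
    """Return the security types the server offers.

    RFB 3.3: the server chooses one type and sends it as a 4-byte big-endian word.
    RFB 3.7/3.8: a 1-byte count followed by one byte per offered type; a count
    of 0 means the server refused and a reason string follows.
    """
    if version == (3, 3):
        (chosen,) = struct.unpack(">I", data[:4])
        return [chosen]
    count = data[0]
    if count == 0:
        (reason_len,) = struct.unpack(">I", data[1:5])
        reason = data[5:5 + reason_len].decode("latin-1", "replace")
        raise ConnectionError(f"server refused the connection: {reason}")
    return list(data[1:1 + count])


def audit_handshake(server_bytes: bytes) -> dict:
    """Summarise what the server sent (version message + security list, concatenated)."""
    version = parse_server_version(server_bytes[:12])
    types = parse_security_types(version, server_bytes[12:])
    return {
        "version": f"{version[0]}.{version[1]}",
        "security_types": [SECURITY_TYPES.get(t, f"unknown({t})") for t in types],
        # Offering "None" means any client can attach to the desktop without a password.
        "unauthenticated": 1 in types,
    }


# Constructed samples of the bytes a server sends in each scenario.
OPEN_SERVER = b"RFB 003.008\n" + b"\x01\x01"           # offers only "None"
AUTH_SERVER = b"RFB 003.008\n" + b"\x02\x02\x13"       # offers VNC auth and VeNCrypt
LEGACY_33_AUTH = b"RFB 003.003\n" + struct.pack(">I", 2)   # 3.3 server chose VNC auth
LEGACY_33_NONE = b"RFB 003.003\n" + struct.pack(">I", 1)   # 3.3 server chose "None"

if __name__ == "__main__":
    for label, sample in [("open", OPEN_SERVER), ("auth", AUTH_SERVER),
                          ("3.3 auth", LEGACY_33_AUTH), ("3.3 none", LEGACY_33_NONE)]:
        print(label, audit_handshake(sample))
```

The check is deliberately read-only: it interprets bytes already captured from a server you operate, so it can be run against a pcap of your own VNC services to confirm that none of them advertise the "None" type. A server that offers "None" alongside stronger types is still a finding, because the client is free to pick the weakest option.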

“I was able to access people’s names, other IP addresses pointing to other computers on the network, and financial documents” – Spielerkid89

As proof of his attack, the hacker also released a screenshot.

A malicious hacker could take advantage of this flaw in any way he wanted, including deploying ransomware, moving laterally inside the network, stealing critical information, and installing other malware.
