Last week, prominent cybercrime investigative journalist, Brian Krebs, published a story on the cybercriminal network access broker, Babam, a major seller of initial access credentials to ransomware groups over the past few years. The notorious Babam was discovered using Constella Intelligence’s investigative platform.
Krebs’s story explains that cybercriminal gangs that deploy ransomware rarely gain the initial access to the targets themselves, but instead purchase access from a cybercriminal broker like Babam. The broker provides these ransomware groups with remote access credentials such as usernames and passwords.
Using Constella’s cyber intelligence platform in coordination with others, Krebs was able to track the digital footsteps left by Babam, revealing email addresses, online account registrations, usernames, passwords, domains, and multiple data breaches.
Below: a rough mind map of the connections mentioned in Krebs’s story.
Tracking Cybercriminal Broker, Babam
When tracking Babam, Krebs reported:
“According to Constella, the email@example.com address was exposed in multiple data breaches over the years, and in each case it used one of two passwords: “lebeda1” and “a123456.”
Searching in Constella for accounts using those passwords reveals a slew of additional “bo3dom” email addresses, including firstname.lastname@example.org. Pivoting on that address in Constella reveals that someone with the name Vytautas Mockus used it to register an account at mindjolt.com, a site featuring dozens of simple puzzle games that visitors can play online.
At some point, mindjolt.com apparently also was hacked, because a copy of its database at Constella says the email@example.com used two passwords at that site: lebeda1 and a123456.”
Findings related to Babam in this story were acquired by performing research using Constella Hunter, a platform for investigating threat actors and unmasking attackers that helps users efficiently attribute identities and identify further intelligence across multiple data sources simultaneously. The tool is used by government and other public agencies, top financial services organizations, and many others. Hunter provides an intuitive user experience and has recently integrated new features specifically requested by customers to speed up investigations of threat actors.
The full story can be found on the well-known blog Krebs on Security, where American journalist and investigative reporter, Brian Krebs, covers online crime investigations along with the latest threats, security updates, and data breaches.
Hunter is a platform designed to improve the fraud investigation process to make it easier and quicker to stay ahead of threat actors and unmask attackers by helping users efficiently attribute identities and identify further intelligence across multiple data sources simultaneously to expose the true identity of threat actors.
“With Hunter, we uncovered the real identity of a bad actor that led us to a criminal group selling credentials from our financial institution in a matter of hours, saving us +$100M from identifying fraudulent credit cards.” – Security Executive at a Top 5 Global Bank