Exotic Lily: Exposing initial access broker with ties to Conti


In early September 2021, Threat Analysis Group (TAG) observed a financially motivated threat actor we refer to as EXOTIC LILY, exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigating this group’s activity, we determined they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike).

Initial access brokers are the opportunistic locksmiths of the security world, and it’s a full-time job. These groups specialize in breaching a target in order to open the doors—or the Windows—to the malicious actor with the highest bid.

EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol.

Read more…
Source: Threat Analysis Group