Who Is the Network Access Broker ‘Babam’? – Krebs on Security


Rarely do cybercriminal gangs that deploy ransomware gain the initial access to the target themselves. More commonly, that access is purchased from a cybercriminal broker who specializes in acquiring remote access credentials — such as usernames and passwords needed to remotely connect to the target’s network. In this post we’ll look at the clues left behind by “Babam,” the handle chosen by a cybercriminal who has sold such access to ransomware groups on many occasions over the past few years.

Since the beginning of 2020, Babam has set up numerous auctions on the Russian-language cybercrime forum Exploit, mainly selling virtual private networking (VPN) credentials stolen from various companies. Babam has authored more than 270 posts since joining Exploit in 2015, including dozens of sales threads. However, none of Babam’s posts on Exploit include any personal information or clues about his identity.

But in February 2016, Babam joined Verified, another Russian-language crime forum. Verified was hacked at least twice in the past five years, and its user database posted online. That information shows that Babam joined Verified using the email address “[email protected].” The latest Verified leak also exposed private messages exchanged by forum members, including more than 800 private messages that Babam sent or received on the forum over the years.

In early 2017, Babam confided to another Verified user via private message that he is from Lithuania. In virtually all of his forum posts and private messages, Babam can be seen communicating in transliterated Russian rather than by using the Cyrillic alphabet. This is common among cybercriminal actors for whom Russian is not their native tongue.

Cyber intelligence platform Constella Intelligence told KrebsOnSecurity that the [email protected] address was used in 2016 to register an account at filmai.in, which is a movie streaming service catering to Lithuanian speakers. The username associated with that account was “bo3dom.”

A reverse WHOIS search via DomainTools.com says [email protected] was used to register two domain names: bonnjoeder[.]com back in 2011, and sanjulianhotels[.]com (2017). It’s unclear whether these domains ever were online, but the street address on both records was “24 Brondeg St.” in the United Kingdom. [Full disclosure: DomainTools is a frequent advertiser on this website.]

A reverse search at DomainTools on “24 Brondeg St.” reveals one other domain: wwwecardone[.]com. The use of domains that begin with “www” is fairly common among phishers, and by passive “typosquatting” sites that seek to siphon credentials from legitimate websites when people mistype a domain, such as by accidentally omitting the “.” after typing “www”.

A banner from the homepage of the Russian-language cybercrime forum Verified.

Searching DomainTools for the phone number in the WHOIS records for wwwecardone[.]com — +44.0774829141 — leads to a handful of similar typosquatting domains, including wwwebuygold[.]com and wwwpexpay[.]com. A different UK phone number in a more recent record for the wwwebuygold[.]com domain — 44.0472882112 — is tied to two more domains: howtounlockiphonefree[.]com, and portalsagepay[.]com. All of these domains date back to between 2012 and 2013.

The original registration records for the iPhone, Sagepay and Gold domains share an email address: [email protected]. A search on the username “bo3dom” using Constella’s service reveals an account at ipmart-forum.com, a now-defunct forum concerned with IT products, such as mobile devices, computers and online gaming. That search shows the user bo3dom registered at ipmart-forum.com with the email address [email protected], and from an Internet address in Vilnius, Lithuania.

[email protected] was used to register multiple domains, including wwwsuperchange.ru back in 2008 (notice again the suspect “www” as part of the domain name). Gmail’s password recovery function says the backup email address for [email protected] is bo3*******@gmail.com. Gmail accepts the address [email protected] as the recovery email for that devrian27 account.

According to Constella, the [email protected] address was exposed in multiple data breaches over the years, and in each case it used one of two passwords: “lebeda1” and “a123456”.

Searching in Constella for accounts using those passwords reveals a slew of additional “bo3dom” email addresses, including [email protected]. Pivoting on that address in Constella reveals that someone with the name Vytautas Mockus used it to register an account at mindjolt.com, a site featuring dozens of simple puzzle games that visitors can play online.

At some point, mindjolt.com apparently also was hacked, because a copy of its database at Constella says the [email protected] used two passwords at that site: lebeda1 and a123456.

A reverse WHOIS search on “Vytautas Mockus” at DomainTools shows the email address [email protected] was used in 2010 to register the domain name perfectmoney[.]co. This is one character off of perfectmoney[.]com, which is an early virtual currency that was quite popular with cybercriminals at the time. The phone number tied to that domain registration was “86.7273687”.
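A defender can sweep a feed of newly registered domains for the two lookalike patterns this story turns up: the “www” prefix typed without its dot, and a name one character off from the genuine one. The sketch below is an added example, not code from the original article; the protected domains and feed entries are constructed, and it assumes the feed has already been reduced to registered domains.

```python
def normalize(domain: str) -> str:
    """Lower-case, undo [.] defanging, drop a trailing root dot."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by exactly one insert, delete or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a  # make a the shorter (or equal-length) string
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]  # single substituted character
    return a[i:] == b[i + 1:]          # single extra character in b


def classify(observed: str, protected: set):
    """Return (reason, protected_domain) for a lookalike, else None."""
    obs = normalize(observed)
    if obs in protected:
        return None  # the genuine domain itself
    for legit in sorted(protected):
        if obs == "www" + legit:  # "www." typed without the dot
            return ("www-missing-dot", legit)
    for legit in sorted(protected):
        if within_one_edit(obs, legit):  # e.g. .co registered against .com
            return ("one-character-off", legit)
    return None


def scan(feed, protected):
    """Return [(domain, reason, protected_domain)] for every hit in feed."""
    hits = []
    for entry in feed:
        result = classify(entry, protected)
        if result:
            hits.append((normalize(entry),) + result)
    return hits


# Constructed sample data (hypothetical brand domains and feed entries).
PROTECTED = {"examplepay.com", "example-gold.com"}
FEED = ["wwwexamplepay[.]com", "examplepay.co", "example-gold.com",
        "unrelated.org", "WWWexample-gold.com.", "examplepay.com"]

if __name__ == "__main__":
    for hit in scan(FEED, PROTECTED):
        print(hit)
```

Reducing arbitrary hostnames from DNS or proxy logs to registered domains needs a public suffix list, which this sketch leaves out.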

A Google search for “Vytautas Mockus” says there’s a person by that name who runs a mobile food service company in Lithuania called “Palvisa.” A report on Palvisa (PDF) purchased from Rekvizitai.vz — an official online directory of Lithuanian companies — says Palvisa was established in 2011 by a Vytautaus Mockus, using the phone number 86.7273687, and the email address [email protected]. The report states that Palvisa is active, but has had no employees other than its founder.

Reached via the [email protected] address, the 36-year-old Mr. Mockus expressed mystification as to how his personal information wound up in so many records. “I’m not involved in any crime,” Mockus wrote in reply.

A rough mind map of the connections mentioned in this story.

The domains apparently registered by Babam over nearly 10 years suggest he started off mainly stealing from other cybercrooks. By 2015, Babam was heavily into “carding,” the sale and use of stolen payment card data. By 2020, he’d shifted his focus almost entirely to selling access to companies.

A profile produced by threat intelligence firm Flashpoint says Babam has received at least four positive feedback reviews on the Exploit cybercrime forum from crooks associated with the LockBit ransomware gang.

The ransomware collective LockBit giving Babam positive feedback for selling access to different victim organizations. Image: Flashpoint

According to Flashpoint, in April 2021 Babam advertised the sale of Citrix credentials for an international company that is active in the field of laboratory testing, inspection and certification, and that has more than $5 billion in annual revenues and more than 78,000 employees.

Flashpoint says Babam initially announced he’d sold the access, but later reopened the auction because the prospective buyer backed out of the deal. Several days later, Babam reposted the auction, adding more information about the depth of the illicit access and lowering his asking price. The access sold less than 24 hours later.

“Based on the provided statistics and sensitive source reporting, Flashpoint analysts assess with high confidence that the compromised organization was likely Bureau Veritas, a company headquartered in France that operates in a variety of sectors,” the company concluded.

In November, Bureau Veritas acknowledged that it shut down its network in response to a cyber attack. The company hasn’t said whether the incident involved ransomware and if so what strain of ransomware, but its response to the incident is straight out of the playbook for responding to ransomware attacks. Bureau Veritas has not yet responded to requests for comment; its latest public statement on Dec. 2 provides no additional details about the cause of the incident.

Flashpoint notes that Babam’s use of transliterated Russian persists on both Exploit and Verified until around March 2020, when he switches over to using mostly Cyrillic in his forum comments and sales threads. Flashpoint said this could be an indication that a different person started using the Babam account since then, or more likely that Babam had only a tenuous grasp of Russian to begin with and that his language skills and confidence improved over time.

Lending credence to the latter theory is that Babam still makes linguistic errors in his postings that suggest Russian is not his original language, Flashpoint found.

“Using double “n” in such words as “проданно” (correct – продано) and “сделанны” (correct – сделаны) by the threat actor proves that this style of writing is not possible when using machine translation since this would not be the correct spelling of the word,” Flashpoint analysts wrote.

“These types of grammatical errors are often found among people who did not receive sufficient education at school or if Russian is their second language,” the analysis continues. “In such cases, when someone tries to spell a word correctly, then by accident or unknowingly, they overdo the spelling and make these types of errors. At the same time, colloquial speech can be fluent and even native. This is often typical for a person who comes from the former Soviet Union states.”
