BORN Group Supply Chain Breach: In-Depth Analysis of Intelbroker's Jenkins Exploitation

An in-depth analysis of the BORN Group supply chain breach, where IntelBroker exploited a Jenkins vulnerability to exfiltrate sensitive data, impacting multiple global clients

CloudSEK TRIAD
July 23, 2024
Green Alert
Last update posted on July 25, 2024

Category: Adversary Intelligence

Industry: Multiple

Motivation: Financial

Region: Global

Source*: B - Usually Reliable; 2 - Possibly true

Executive Summary

This report investigates a significant supply chain attack targeting IT service provider BORN Group. The threat actor, Intelbroker, exploited CVE-2024-23897 to breach BORN Group's systems, exfiltrating sensitive data from multiple clients.

Additionally, Intelbroker claims to have compromised the Market database as part of this supply chain attack, exposing personal information of approximately 196,000 individuals.

Victims:

Potential Primary Victim:

Org Name: BORN Group

Domain Name: https://www.borngroup.com/

Who is BORN Group

BORN Group is a global digital marketing agency that specializes in digital transformation and commerce solutions. Established in 2011, it provides a range of services including creative design, content production, and technology integration for brands across various industries. BORN Group is known for its end-to-end solutions that enhance customer experiences and drive business growth. The company operates internationally, with offices in major cities around the world.

Secondary Victims: 

1stwave, Bank of Ireland, BTEC, Celcom, Delta Faucet, Frontier Saw Mills, Gourmet Egypt, Hitachi, Lindt Chocolate, Nestle, Reebok, TOPCON, Unilever

Sophisticated Attack on BORN Group

  1. Initial Access: Threat Actor exploits CVE-2024-23897 on an exposed Jenkins server.
  2. LFI Vulnerability Exploitation: Threat Actor uses CVE-2024-23897, a local file inclusion (LFI) vulnerability, to steal SSH keys from the server.
  3. Access to GitHub: Threat Actor uses the stolen SSH keys to access the GitHub repositories of borngroup.com.
  4. Repository Dump: Threat Actor dumps all repositories from BORN Group's GitHub.
  5. Infiltration of Other Victims: Threat Actor uses hardcoded keys and secrets found in the dumped source code to infiltrate the systems of BORN Group's clients.
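Steps 1 and 2 hinge on a Jenkins instance that predates the fix for CVE-2024-23897. The following is an added example (not code from the CloudSEK report) that classifies Jenkins version strings, such as the value of the X-Jenkins HTTP response header or the version shown on the instance's "About Jenkins" page, against the fixed releases named in the Jenkins security advisory (weekly 2.442, LTS 2.426.3); the sample inventory values are constructed.

```python
# Added example, not from the CloudSEK report: classify Jenkins version strings
# (as returned in the X-Jenkins HTTP response header or shown on the instance's
# "About Jenkins" page) against the releases that fixed CVE-2024-23897.
# Fixed releases per the Jenkins security advisory: weekly 2.442 and LTS 2.426.3.
WEEKLY_FIXED = (2, 442)
LTS_FIXED = (2, 426, 3)


def parse_version(raw):
    """Turn '2.426.2' into (2, 426, 2); rejects anything that is not 2 or 3 ints."""
    parts = raw.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Jenkins version string: {raw!r}")
    return tuple(int(p) for p in parts)


def is_lts(version):
    """LTS releases carry a third component (2.426.3); weeklies do not (2.442)."""
    return len(version) == 3


def vulnerable_to_cve_2024_23897(raw):
    """True when the version predates the fix for its own release line."""
    version = parse_version(raw)
    fixed = LTS_FIXED if is_lts(version) else WEEKLY_FIXED
    return version < fixed


def triage(version_strings):
    """Map each collected version string to 'vulnerable', 'patched' or 'unparseable'."""
    # 'unparseable' (e.g. a header stripped by a reverse proxy) needs a manual
    # look rather than being silently treated as patched.
    report = {}
    for value in version_strings:
        try:
            verdict = "vulnerable" if vulnerable_to_cve_2024_23897(value) else "patched"
        except ValueError:
            verdict = "unparseable"
        report[value] = verdict
    return report


# Constructed sample inventory; none of these values come from a real server.
SAMPLE_INVENTORY = ["2.426.2", "2.426.3", "2.441", "2.442", "2.440.1", "2.387.3", "n/a"]

if __name__ == "__main__":
    for value, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{value:>8}  {verdict}")
```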

BORN Group as Primary Target

  • Shared Folder Structure: Consistent "born" folder naming conventions across multiple repositories suggest a centralized role for BORN Group in the affected environment.
  • Customer Overlap: The identification of incident victims as BORN Group clients reinforces the company's potential involvement as a primary target.

Exposed Vulnerable Server

The discovery of an exposed BORN Group server running vulnerable Jenkins software strengthens the hypothesis that the company was a direct target of the attack.

Threat Actor Profile - Intelbroker

Intelbroker is a highly active e-crime threat actor operating since at least October 2022. Primarily motivated by financial gain, Intelbroker specializes in data breaches, extortion, and operating as an access broker within the cybercriminal underground. The actor frequently targets high-profile organizations across various sectors, including government, telecommunications, automotive, and technology.

Modus Operandi

Intelbroker employs a multi-faceted approach to compromise targets and profit from stolen data:

  • Data Breaches: Breaching organizations to steal sensitive data, including customer PII, financial records, and proprietary source code.
  • Extortion: Leveraging stolen data to extort victims through threats of public disclosure or sale to other cybercriminals.
  • Access Brokerage: Selling access to compromised networks and systems, providing other threat actors with an entry point for further attacks.

Tools and Techniques

  • Endurance Ransomware: Intelbroker claims to have developed and operated the "Endurance" ransomware. This C#-based malware, acting more as a wiper, overwrites files with random data, renames them, and then deletes the originals. The source code for Endurance is publicly available on a GitHub repository believed to belong to the actor.
  • Exploiting Jenkins Servers: Intelbroker commonly targets exposed Jenkins servers, leveraging vulnerabilities for initial access and lateral movement within victim networks.
  • Third-Party Compromise: In at least one case involving T-Mobile (which the company denies), Intelbroker may have compromised a third-party service provider to gain access to the target organization's network.

Notable Claims and Previous Activities

  • Autotrader
  • Volvo
  • AT&T
  • Verizon
  • T-Mobile (disputed)

Indicators of Compromise (IoCs)

URLs

  • http[:]//h44jyyfomcbnnw5dha7zgwgkvpzbzbdyx2onu4fxaa5smxrgbjgq7had.onion/
  • olx.id7423[.]ru
  • boxberry.id7423[.]ru
  • avito-rent.id7423[.]ru
  • 3inf[.]site

File Hashes (SHA256, SHA1 and MD5)

  • 600be5ab7f0513833336bec705ca9bcfd1150a2931e61a4752b8de4c0af7b03a
  • 8a3ca9efa2631435016a4f38ff153e52c647146e
  • 285e0573ef667c6fb7aeb1608ba1af9e2c86b452
  • 26727d5fceef79de2401ca0c9b2974cd99226dcb
  • dc7cb3bfdc236c41f1c4bbac911daaa2

Recommendations

  • Organizations using Jenkins should immediately patch their systems to address CVE-2024-23897.
  • Companies utilizing BORN Group's services should conduct a thorough security audit to identify any potential compromises.
  • Review and strengthen access controls for all repositories, especially those containing sensitive information.
  • Implement multi-factor authentication (MFA) wherever possible to mitigate the risk of credential compromise.
  • Monitor for suspicious activity related to data access and exfiltration.
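The repository review above is only useful if it actually finds the hardcoded keys and secrets that step 5 of the attack chain relied on. The following added example (not code from the CloudSEK report) is a small scanner that walks a source tree and flags lines matching common secret shapes, including the private-key blocks behind step 2; the sample tree it scans is constructed inline and uses AWS's documented example access key rather than any real credential.

```python
# Added example, not from the CloudSEK report: a small scanner for the kind of
# hardcoded credentials that step 5 of the attack chain abused. It walks a
# source tree and flags lines matching common secret shapes; the sample tree
# it scans is constructed inline, with AWS's documented example access key.
import os
import re
import tempfile

# Conservative patterns; extend them for the credential types your code base uses.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)(?:password|passwd|secret)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}
SKIP_DIRS = {".git", "node_modules", "vendor"}


def scan_text(text):
    """Return (line_number, pattern_name) pairs for every suspicious line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


def scan_tree(root):
    """Scan every readable file under root, skipping VCS and dependency dirs."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fname in filenames:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def build_sample_tree():
    """Constructed sample repository: one leaky settings file, one clean README."""
    root = tempfile.mkdtemp(prefix="secret_scan_")
    os.makedirs(os.path.join(root, "born", "config"))
    with open(os.path.join(root, "born", "config", "settings.py"), "w") as fh:
        fh.write('DB_PASSWORD = "CorrectHorseBatteryStaple"\n'
                 'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n')
    with open(os.path.join(root, "README.md"), "w") as fh:
        fh.write("Nothing sensitive here.\n")
    return root
```

Run `scan_tree(build_sample_tree())` to see the two findings in `born/config/settings.py`; point `scan_tree` at a checked-out repository to audit it.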

Author

CloudSEK TRIAD (CloudSEK Threat Research and Information Analytics Division)