
Unmasking Intelbroker: A Deep Dive into the BORN Group's Supply Chain Breach

Updated: Jan 22

An in-depth analysis of the BORN Group supply chain breach, where IntelBroker exploited a Jenkins vulnerability to exfiltrate sensitive data, impacting multiple global clients


Summary Overview


This report examines a significant supply chain attack on the IT service provider BORN Group. The cybercriminal group Intelbroker exploited CVE-2024-23897, an arbitrary file read vulnerability in the Jenkins CLI, to infiltrate BORN Group's systems and exfiltrate sensitive data belonging to multiple clients.


Intelbroker also claims to have breached the Market database in this attack, compromising personal data of around 196,000 individuals.


Affected Parties:


Primary Target: BORN Group



Overview of BORN Group


BORN Group is a global agency specializing in digital marketing, transformation, and commerce solutions. Founded in 2011, it offers a wide range of services such as creative design, content production, and technology integration for brands across various industries. The company is renowned for its comprehensive solutions that enhance customer experiences and drive business growth, with a presence in major cities worldwide.


Secondary Victims:


1stwave, Bank of Ireland, BTEC, Celcom, Delta Faucet, Frontier Saw Mills, Gourmet Egypt, Hitachi, Lindt Chocolate, Nestle, Reebok, TOPCON, Unilever


Detailed Examination of the Attack


Initial Intrusion: Intelbroker exploited the CVE-2024-23897 vulnerability on an exposed Jenkins server.


File Read (LFI) Exploitation: CVE-2024-23897 allows files on the Jenkins controller's filesystem to be read through the Jenkins CLI; the group used it to steal SSH keys, gaining unauthorized access.


GitHub Access: With the stolen SSH keys, Intelbroker accessed BORN Group's GitHub repository.


Repository Dump: They proceeded to dump all repositories from the BORN Group's GitHub.


Further Infiltrations: Intelbroker used hardcoded keys and secrets from the source code to infiltrate additional systems.
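The last step above turns on secrets that were sitting in source code. The following is an added example (not code from the report or from BORN Group) of the check a defender should run over their own repositories before an attacker does: a small scanner that flags AWS access key IDs, PEM private key blocks and quoted credential assignments, and reports redacted excerpts. The sample repository, its paths and every value in it are constructed for the demo; the patterns are heuristics, not a complete secret taxonomy.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Patterns for a few common classes of hardcoded secret. The AWS access key ID
# shape (AKIA + 16 upper-case alphanumerics) and the PEM private key header are
# well-known formats; the assignment pattern is a deliberately broad heuristic
# for lines such as password = "..." or api_key: '...'.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "assigned_credential": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Documentation and template files tend to hold placeholder values, not live secrets.
IGNORE_SUFFIXES = (".md", ".example", ".sample")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    snippet: str  # redacted excerpt; the report must not leak the secret itself


def redact(value: str) -> str:
    """Keep the first four characters so an analyst can recognise the value."""
    return value[:4] + "*" * max(0, len(value) - 4)


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents, returning one Finding per (line, pattern) hit."""
    findings: list[Finding] = []
    if path.endswith(IGNORE_SUFFIXES):
        return findings
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if m:
                # Capture group 1 holds the value for the assignment pattern;
                # the other patterns match the secret itself.
                matched = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(path, line_no, kind, redact(matched)))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (replace with an os.walk over a checkout in practice)."""
    results: list[Finding] = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


# Constructed sample repository; every path and value below is fake and exists only for the demo.
SAMPLE_REPO = {
    "deploy/config.py": 'AWS_ACCESS_KEY_ID = "AKIAEXAMPLE0000ABCD0"\nREGION = "eu-west-1"\n',
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEfakefakefake\n-----END RSA PRIVATE KEY-----\n",
    "app/settings.py": "DB_PASSWORD = 'Sup3rS3cretPass'\nDEBUG = False\n",
    "README.md": 'Set password = "changeme-example" in settings.py\n',
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no} {f.kind} {f.snippet}")
```

Run against the sample, the scanner reports three findings (the AWS key, the private key file and the database password) and skips the README placeholder. Any finding in a real repository should be treated as already exposed: rotate the credential, then remove it from history.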



BORN Group as the Main Target


Consistent Folder Naming: The use of "born" in folder names across multiple repositories suggests a centralized role for BORN Group in the affected systems.


Client Overlap: The identification of victims as BORN Group clients points to the company's involvement as a primary target.


Exposed Vulnerable Server


The detection of an exposed server running a vulnerable Jenkins version adds weight to the theory that BORN Group was directly targeted.




Intelbroker Profile


Intelbroker is an e-crime group active since at least October 2022, known for data breaches, extortion, and acting as an access broker. The group targets high-profile sectors including government, telecommunications, automotive, and technology.



Operational Methods


Intelbroker uses a variety of methods to compromise targets and profit from stolen data:


  • Data Breaches: The group steals sensitive information such as PII, financial records, and proprietary code.

  • Extortion: They leverage stolen data to extort victims, threatening to disclose or sell the information.

  • Access Brokerage: Intelbroker sells access to compromised systems, allowing other criminals to launch further attacks.


Tools and Techniques


Endurance Ransomware: Intelbroker is associated with the "Endurance" ransomware, C#-based malware that behaves more like a wiper than ransomware, overwriting files with random data. The source code for this malware is publicly available in a GitHub repository linked to the group.


Jenkins Exploitation: The group frequently targets Jenkins servers, exploiting vulnerabilities for initial access and lateral movement.


Third-Party Compromise: In one disputed case involving T-Mobile, Intelbroker allegedly compromised a third-party service provider to gain network access.


Previous Activities and Claims:


  • Autotrader

  • Volvo

  • AT&T

  • Verizon

  • T-Mobile (disputed)


Indicators of Compromise (IoCs)


URLs and Domains (defanged):


  • http[:]//h44jyyfomcbnnw5dha7zgwgkvpzbzbdyx2onu4fxaa5smxrgbjgq7had.onion/

  • olx.id7423[.]ru

  • boxberry.id7423[.]ru

  • avito-rent.id7423[.]ru

  • 3inf[.]site


File Hashes (the published list mixes digest types: one SHA256, three SHA1 and one MD5, labelled below by digest length):


  • 600be5ab7f0513833336bec705ca9bcfd1150a2931e61a4752b8de4c0af7b03a (SHA256)

  • 8a3ca9efa2631435016a4f38ff153e52c647146e (SHA1)

  • 285e0573ef667c6fb7aeb1608ba1af9e2c86b452 (SHA1)

  • 26727d5fceef79de2401ca0c9b2974cd99226dcb (SHA1)

  • dc7cb3bfdc236c41f1c4bbac911daaa2 (MD5)
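To make the indicators above usable in detection, they need refanging, the hashes need to be labelled by algorithm (the list mixes 64-, 40- and 32-character digests), and the matching must tolerate subdomains and mixed case. The following is an added example, not code from the report: it takes the indicators exactly as published above, normalises them, and runs them over constructed DNS log lines and file hash events in an invented format. The log format, hosts and file paths are assumptions for the demo.

```python
from __future__ import annotations

import re
from typing import NamedTuple

# Indicators quoted from the report above, kept defanged exactly as published.
REPORT_INDICATORS = [
    "http[:]//h44jyyfomcbnnw5dha7zgwgkvpzbzbdyx2onu4fxaa5smxrgbjgq7had.onion/",
    "olx.id7423[.]ru",
    "boxberry.id7423[.]ru",
    "avito-rent.id7423[.]ru",
    "3inf[.]site",
]
REPORT_HASHES = [
    "600be5ab7f0513833336bec705ca9bcfd1150a2931e61a4752b8de4c0af7b03a",
    "8a3ca9efa2631435016a4f38ff153e52c647146e",
    "285e0573ef667c6fb7aeb1608ba1af9e2c86b452",
    "26727d5fceef79de2401ca0c9b2974cd99226dcb",
    "dc7cb3bfdc236c41f1c4bbac911daaa2",
]

# Hex digest length identifies the algorithm; anything else is rejected.
ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


class HashIoC(NamedTuple):
    algorithm: str
    value: str


def classify_hash(raw: str) -> HashIoC | None:
    """Normalise a hash string and label it by digest length, or None if it is not a digest."""
    value = raw.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", value):
        return None
    algorithm = ALGO_BY_LENGTH.get(len(value))
    return HashIoC(algorithm, value) if algorithm else None


def refang(indicator: str) -> str:
    """Undo the common defanging conventions used in reports."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def extract_host(indicator: str) -> str:
    """Reduce a URL or bare domain indicator to its lower-cased hostname."""
    s = refang(indicator).lower()
    s = re.sub(r"^[a-z]+://", "", s)
    return s.split("/")[0]


def match_dns(log_lines: list[str], ioc_hosts: set[str]) -> list[tuple[str, str]]:
    """Return (log line, matched indicator) pairs; subdomains of an indicator also match."""
    hits = []
    for line in log_lines:
        m = re.search(r"query=(\S+)", line)  # constructed log format: key=value fields
        if not m:
            continue
        queried = m.group(1).lower().rstrip(".")
        for host in ioc_hosts:
            if queried == host or queried.endswith("." + host):
                hits.append((line, host))
                break
    return hits


def match_hashes(events: list[tuple[str, str]], iocs: set[HashIoC]) -> list[tuple[str, HashIoC]]:
    """events are (file path, hex digest) pairs; the algorithm is inferred from the digest."""
    hits = []
    for path, digest in events:
        ioc = classify_hash(digest)
        if ioc and ioc in iocs:
            hits.append((path, ioc))
    return hits


IOC_HOSTS = {extract_host(i) for i in REPORT_INDICATORS}
IOC_HASHES = {h for h in map(classify_hash, REPORT_HASHES) if h}

# Constructed sample telemetry: one benign line, two lines that should match.
SAMPLE_DNS_LOG = [
    "2024-02-01T10:00:01Z client=10.0.0.5 query=www.example.com type=A",
    "2024-02-01T10:00:07Z client=10.0.0.9 query=olx.id7423.ru type=A",
    "2024-02-01T10:01:12Z client=10.0.0.9 query=cdn.3inf.site. type=A",
]
SAMPLE_FILE_EVENTS = [
    ("C:\\Users\\alice\\Downloads\\setup.exe", "600BE5AB7F0513833336BEC705CA9BCFD1150A2931E61A4752B8DE4C0AF7B03A"),
    ("C:\\Windows\\notepad.exe", "0" * 64),
    ("/tmp/tool", "dc7cb3bfdc236c41f1c4bbac911daaa2"),
]

if __name__ == "__main__":
    for line, host in match_dns(SAMPLE_DNS_LOG, IOC_HOSTS):
        print("DNS hit:", host, "<-", line)
    for path, ioc in match_hashes(SAMPLE_FILE_EVENTS, IOC_HASHES):
        print("Hash hit:", ioc.algorithm, path)
```

Labelling the hashes by length matters in practice: an EDR that only indexes SHA256 will never match the SHA1 and MD5 entries, so the analyst needs to know which three of the five can be searched where.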


Recommended Actions


  • Organizations using Jenkins should immediately patch their systems to mitigate CVE-2024-23897.

  • Clients of BORN Group should conduct thorough security audits to check for potential compromises.

  • Review and tighten access controls, especially for repositories with sensitive information.

  • Implement multi-factor authentication (MFA) to reduce the risk of credential theft.

  • Monitor for any unusual data access or exfiltration activities.
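For the first recommendation, the concrete check is whether each Jenkins controller runs a release that contains the fix: CVE-2024-23897 was fixed in Jenkins weekly 2.442 and LTS 2.426.3, and Jenkins reports its version in the X-Jenkins response header. The following is an added example (not code from the report or from the Jenkins project) that parses that header, distinguishes the LTS line (three version components) from the weekly line (two), and classifies an instance as vulnerable, patched or unknown. The host names and header sets are constructed; the placeholder URL in the live check must be replaced with an instance you administer.

```python
from __future__ import annotations

import urllib.request
from urllib.error import HTTPError, URLError

# Releases that fixed CVE-2024-23897 (Jenkins security advisory of 2024-01-24):
# weekly 2.442 and LTS 2.426.3. LTS versions have three components, weekly two.
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)


def parse_version(text: str) -> tuple[int, ...]:
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version_text: str) -> bool:
    """True if the version predates the fix on its own release line."""
    version = parse_version(version_text)
    if len(version) == 3:  # LTS line, e.g. 2.426.2
        return version < FIXED_LTS
    return version < FIXED_WEEKLY  # weekly line, e.g. 2.441


def version_from_headers(headers: dict[str, str]) -> str | None:
    """Jenkins sets the X-Jenkins header on its responses, including the login page."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value
    return None


def assess(headers: dict[str, str]) -> str:
    """Map a response's headers to 'vulnerable', 'patched' or 'unknown'."""
    version = version_from_headers(headers)
    if version is None:
        return "unknown"
    try:
        return "vulnerable" if is_vulnerable(version) else "patched"
    except ValueError:
        return "unknown"


def assess_live(url: str, timeout: float = 5.0) -> str:
    """Fetch the headers of a Jenkins instance you administer and assess them."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return assess(dict(resp.headers))
    except HTTPError as e:  # a 403 from a locked-down instance still carries X-Jenkins
        return assess(dict(e.headers))
    except URLError:
        return "unknown"


# Constructed sample header sets for four hosts (no real servers involved).
SAMPLE_RESPONSES = {
    "build01": {"X-Jenkins": "2.426.2", "Server": "Jetty(10.0.18)"},
    "build02": {"x-jenkins": "2.442"},
    "build03": {"X-Jenkins": "2.440.1"},
    "proxy": {"Server": "nginx"},
}

if __name__ == "__main__":
    for host, headers in SAMPLE_RESPONSES.items():
        print(f"{host}: {assess(headers)}")
    # assess_live("https://jenkins.example.internal/")  # placeholder URL; point at your own instance
```

An "unknown" result is not a pass: a reverse proxy that strips the header, or an instance behind single sign-on, still needs to be checked from the Jenkins UI or the controller's own version file, and the inventory should be reconciled against exposed-service scans so no controller is missed.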

---




How DeepDefend Can Help You Protect Against Supply Chain Breaches


Supply chain breaches, such as the one involving the BORN Group and Intelbroker, highlight the importance of proactive security measures. At DeepDefend, our Continuous Threat Exposure Management (CTEM) service helps organizations identify and address vulnerabilities before they can be exploited. Additionally, our Breach and Attack Simulation (BAS) service enables you to test your defenses against potential attacks, ensuring your systems are resilient against sophisticated threats. By leveraging our services, you can enhance your security posture and safeguard your organization against similar incidents. Ready to fortify your defenses? Click the button below to request a demo.


