3 min Security

BlackBerry: ‘Amazon hosts malicious Cobalt Strike payloads’

BlackBerry: ‘Amazon hosts malicious Cobalt Strike payloads’

Initial access brokers are on the rise, cybercriminals professionalize and SMBs have a growing target on their back. That’s what BlackBerry’s research team concludes in the new BlackBerry Threat Report 2022.

Thee years ago, the Ponemon Institute surveys SMBs worldwide. It concluded that more than 70 percent of SMBs have been hit by a cyberattack at some point. 60 percent of the victims go out of business within six months.

Although three years is a long time, BlackBerry finds the numbers to be highly relevant. In its Threat Report 2022, the organization states that SMBs are an increasing target for cybercriminals.

This does not mean that large companies face diminishing risks. Cybercriminals are simply succeeding in carrying out a greater number of attacks. They’re professionalizing, working with industry-grade infrastructures and finding revenue models to invest in continuous development.

Criminal organizations are strikingly similar to those being robbed. Malicious payloads are even hosted by legitimate cloud providers. BlackBerry analyzed 7,000 Cobalt Strike Team Servers and 60,000 Beacons in the past year. In 2021, most Cobalt Strike payloads were hosted by Tencent Computing, a legitimate provider in Shenzhen, China. A sizable percentage ran on servers from Amazon and DigitalOcean.

Cobalt Strike, a framework for cyberattacks, is designed and purposed for pentesters. Ironically, cybercriminals use the framework to carry out actual attacks.

Zebra2104, professional initial access broker

In the past year, several organizations highlighted the rise of initial access brokers. BlackBerry stumbled upon the relatively new form of organized crime as well.

The Threat Research and Intelligence Team is currently investigating ‘Zebra2104’, a made-up name for an anonymous crime group. Zebra2104 manages an infrastructure used by multiple criminal organizations to distribute various payloads.

Initially, researchers thought the infrastructure was shared by three malware groups: MountLocker, Phobos and Promethium. Not a bad guess, since Ransomware-as-a-Service providers use shared infrastructures, and have been growing steadily in recent years.

The theory had one problem. Traditional ransomware groups deploy their payloads fairly quickly after an intrusion. There was quite a delay between intrusion and payload deployment on the investigated infrastructure. Hence, the researchers conclude that Zebra2104 specializes in intrusions via Cobalt Strike, after which ransomware attackers pay to deploy payloads in breached organizations. Zebra2104 is a textbook example of an initial access broker.


BlackBerry calls on organizations to implement a Zero Trust framework. “No one is safe”, the research team warns. The organization strongly advocates prevention through Extended Detection and Response (XDR) technology and the outsourcing of security through managed XDR teams.