Full Report
Feras Albashiti faces 10 years after $20,000 in sales to undercover agent exposed ransomware ties. A Jordanian national faces sentencing in the US after pleading guilty to acting as an initial access broker (IAB) for various cyberattacks.…
Analysis Summary
# Incident Report: Initial Access Broker Operations by Feras Albashiti (r1z)
## Executive Summary
Feras Albashiti, operating under the alias 'r1z', acted as an Initial Access Broker (IAB), selling access to at least 50 US companies in 2023. His operations were uncovered through an undercover FBI investigation in which he sold network access, EDR-disabling malware, and privilege escalation tools to an agent. The investigation also tied him to an earlier ransomware attack that caused $\$50$ million in losses to an unnamed manufacturer.
## Incident Details
- Discovery Date: May 19, 2023 (Initial contact with undercover agent)
- Incident Date: Crimes occurred/facilitated during 2023. Specific access sales occurred starting May 19, 2023.
- Affected Organization: At least 50 US companies (victims of subsequent attacks facilitated by the sales). One specific victim mentioned suffered $\$50$ million in losses due to ransomware.
- Sector: Undisclosed, but included organizations using specific firewall products.
- Geography: Albashiti resided in Georgia, USA, at the time of operations. Victims were US-based.
## Timeline of Events
### Initial Access (Sales Facilitation)
- Date/Time: May 19, 2023
- Vector: Advertising illicit access on a cybercrime forum.
- Details: Albashiti (as 'r1z') advertised sales of network access to companies primarily determined by their firewall vendor. The FBI agent purchased initial access for $\$5,000$.
### Initial Entry by Buyer (Inferred)
- Date/Time: Immediately following purchase.
- Vector: IP addresses, usernames, and instructions for bypassing the victims' specific firewall products, supplied with the purchase.
- Details: The IAB supplied everything the buyer (here the FBI agent) needed to gain initial entry into a victim network. What buyers did after entry is not described in the reporting.
### Data Exfiltration/Impact (Related Operation)
- Date/Time: Prior to May 2023 (Implied). Investigation revealed ties to an attack that occurred sometime before the IAB sting concluded.
- Vector: Ransomware deployment.
- Details: Albashiti was implicated in a prior ransomware attack on an unnamed US manufacturer resulting in $\$50$ million in losses.
### Detection & Response (Law Enforcement Action)
- Date/Time: Ongoing throughout 2023; identity confirmed using visa and email records. Extradited in July 2024. Sentencing scheduled for May 11, 2026.
- Vector: Undercover purchases, then linkage of the alias to a person via cross-referenced personal data (email address, visa application, Google Pay account).
- Details: The FBI purchased additional tools ($\$15,000$ for EDR-disabling malware and privilege escalation tools). During the final sale, a test connection to an FBI-controlled server exposed Albashiti's IP address, which linked him to the $\$50$ million ransomware incident. US State Department records confirmed the identity linkage.
## Attack Methodology
- Initial Access: Selling pre-established access points (likely validated credentials or vulnerable configurations) targeting systems protected by specific firewall vendors.
- Persistence: Not detailed. (The EDR-disabling malware he sold is a defense-evasion capability, covered below, not a persistence mechanism.)
- Privilege Escalation: Sold malware specifically designed for elevating user privileges to the undercover agent.
- Defense Evasion: Sold effective EDR-disabling malware to the undercover agent.
- Credential Access: Provided usernames as part of the initial access package.
- Discovery: Not detailed for the broker. (The test connection to an FBI-controlled server during the final sale was a law-enforcement attribution step that captured Albashiti's IP address, not adversary discovery.)
- Lateral Movement: Not detailed. The firewall-bypass instructions sold with each access package served initial entry; nothing in the reporting describes movement within victim networks.
- Collection: Not detailed, implied subsequent stages by the buyers.
- Exfiltration: Not detailed, tied to prior ransomware operation.
- Impact: Facilitation of ransomware deployment leading to massive financial loss for at least one victim.
## Impact Assessment
- Financial: Associated directly with a prior ransomware event resulting in $\$50$ million in losses for one manufacturer. Albashiti himself received approximately $\$20,000$ from the undercover agent.
- Data Breach: Type and scope of data stolen from the 50 targeted companies is unknown.
- Operational: Operational disruption caused by the downstream ransomware attack was significant (a $\$50$ million loss implies major downtime).
- Reputational: Not publicly detailed; the manufacturer that suffered the ransomware loss is unnamed in the reporting.
## Indicators of Compromise
*Note: As the incident focuses on brokering access rather than a single network breach, most indicators relate to the broker's activity:*
- Network indicators: Albashiti's IP address, captured during the test connection to the FBI-controlled server (not disclosed in the reporting, so there is nothing to defang).
- File indicators: EDR-disabling malware signatures (specific hashes withheld). Privilege escalation malware signatures (specific hashes withheld).
- Behavioral indicators: Advertising specific access methods based on firewall vendors on cybercrime forums under the alias 'r1z'.
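The behavioral indicator above (adverts that categorise access by the victim's firewall vendor) is also the hook for the external-monitoring recommendation later in this report. As an added example, not code from the case file or any named product, the script below parses the fields that access adverts usually carry (country, revenue, access type, firewall vendor, privilege level, price) and scores each against one organisation's own profile. The listings, the vendor names (AcmeGuard, WallCo) and the ORG_PROFILE are all constructed for illustration.

```python
"""Watchlist matcher for IAB access listings (added example, constructed data)."""
import re

COUNTRY_RE = re.compile(r"\b(US|EU|UK|CA)\b")
REVENUE_RE = re.compile(r"\brev(?:enue)?\b[:\s]*\$?\s*([\d.]+)\s*([kmb])?", re.I)
ACCESS_RE = re.compile(r"\b(VPN|RDP|Citrix)\b(?:\s*\(([A-Za-z][\w-]*)\))?", re.I)
FIREWALL_RE = re.compile(r"\b(?:firewall|fw)\b[:\s]*([A-Za-z][\w-]*)", re.I)
PRICE_RE = re.compile(r"\bprice\b[:\s]*\$?\s*([\d.]+)\s*([km])?", re.I)
SCALE = {None: 1, "k": 1e3, "m": 1e6, "b": 1e9}

# Constructed adverts in the usual "sell access" shape; fictional vendors.
LISTINGS = [
    "[SELL] US company, revenue $40M, access: VPN, firewall: AcmeGuard, domain admin, price $5000",
    "Selling RDP access EU retail revenue 2M fw WallCo price 800",
    "Looking for buyers: US manufacturer, rev $300M, VPN (AcmeGuard), local user, price 3k",
]

# Hypothetical defender's own profile (an assumption, not from the report).
ORG_PROFILE = {"country": "US", "firewall": "AcmeGuard", "revenue_usd": 45e6}


def _num(match, value_group, suffix_group):
    """Turn '40' + 'M' into 40_000_000.0; None when the field is absent."""
    if not match:
        return None
    suffix = match.group(suffix_group)
    return float(match.group(value_group)) * SCALE[suffix.lower() if suffix else None]


def parse_listing(text):
    """Extract the fields an IAB advert usually states; missing fields are None."""
    country = COUNTRY_RE.search(text)
    access = ACCESS_RE.search(text)
    firewall = FIREWALL_RE.search(text)
    # Vendor may be given as "firewall: X" or as a parenthetical after the access type.
    vendor = firewall.group(1) if firewall else (access.group(2) if access else None)
    if re.search(r"\bdomain admin\b", text, re.I):
        privilege = "domain_admin"
    elif re.search(r"\blocal (?:user|admin)\b", text, re.I):
        privilege = "local_user"
    else:
        privilege = None
    return {
        "country": country.group(1) if country else None,
        "revenue": _num(REVENUE_RE.search(text), 1, 2),
        "access": access.group(1).upper() if access else None,
        "firewall": vendor,
        "privilege": privilege,
        "price": _num(PRICE_RE.search(text), 1, 2),
    }


def score_listing(parsed, profile, revenue_tolerance=0.3):
    """Weighted match. Firewall vendor carries the most weight because that is
    how the broker in this case categorised his inventory."""
    score, reasons = 0, []
    if parsed["firewall"] and parsed["firewall"].lower() == profile["firewall"].lower():
        score += 3
        reasons.append("firewall vendor matches")
    if parsed["country"] == profile["country"]:
        score += 1
        reasons.append("country matches")
    rev = parsed["revenue"]
    if rev is not None and abs(rev - profile["revenue_usd"]) / profile["revenue_usd"] <= revenue_tolerance:
        score += 2
        reasons.append("revenue within tolerance")
    if parsed["privilege"] == "domain_admin":
        score += 1
        reasons.append("domain admin offered")
    return score, reasons


def watch(listings, profile, threshold=4):
    """Return (index, score, reasons) for listings worth an analyst's time, best first."""
    hits = []
    for i, text in enumerate(listings):
        score, reasons = score_listing(parse_listing(text), profile)
        if score >= threshold:
            hits.append((i, score, reasons))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for i, score, reasons in watch(LISTINGS, ORG_PROFILE):
        print(f"listing {i}: score {score}: {', '.join(reasons)}")
```

The weights are a starting point; the useful property is that a vendor-plus-country hit alone clears the threshold, because a broker who sorts inventory by firewall product will describe your network exactly that way, while revenue in adverts is often rounded or exaggerated and should only raise confidence, not gate the alert.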
## Response Actions
- Containment: Interdiction of further illicit sales via the ongoing undercover operation.
- Eradication: Criminal apprehension and extradition of Feras Albashiti in July 2024.
- Recovery: No details provided on remediation efforts for the 50 compromised networks or the manufacturer suffering the $\$50$ million loss.
## Lessons Learned
- Attribution linkage is crucial: Law enforcement successfully linked Albashiti to his criminal identity ('r1z') using seemingly innocuous personal data (visa application email, Google Pay linkage).
- IABs as a chokepoint: A single broker supplied the entry point for attacks on dozens of organisations, so disrupting the broker removes a dependency shared by many ransomware operations; proactive takedowns are worthwhile.
- Malware Supply Chain: The sale of specialized offensive tools (EDR-disabling and privilege escalation malware) demonstrates the modularity of modern cybercrime operations.
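The attribution lesson above, and the cross-referencing described under Detection & Response, is a graph pivot: an alias and a real person are joined only through selectors (an email address reused on a forum and a payment account, a phone number reused on a visa application) that appear in independent data sources. As an added example, not code from the investigation, the script below performs that pivot over constructed records and, as a practitioner would, refuses to pivot through selectors shared by many unrelated identities, since a hosting provider's abuse mailbox links everyone to everyone. All names, addresses and account numbers are made up.

```python
"""Attribution pivot across independent data sources (added example, constructed data)."""
from collections import defaultdict, deque

# Node-name prefixes that denote an identity record rather than a selector.
IDENTITY_KINDS = {"alias", "payee", "person"}

# Constructed records: (source, identity label, {selector type: value}).
RECORDS = [
    ("forum_registration", "alias:r1z", {"email": "r1z.ops@example.net"}),
    ("forum_registration", "alias:darkhat", {"email": "dh@example.org"}),
    ("payment_provider", "payee:acct-8813",
     {"email": "r1z.ops@example.net", "phone": "+1-555-0100"}),
    ("visa_application", "person:J. Doe",
     {"email": "jdoe.travel@example.com", "phone": "+1-555-0100"}),
    ("payment_provider", "payee:acct-2201", {"email": "dh@example.org"}),
    # A selector shared by many unrelated identities must not be used as a pivot.
    ("whois", "person:Hosting Reseller A", {"email": "abuse@hosting.example"}),
    ("whois", "person:Hosting Reseller B", {"email": "abuse@hosting.example"}),
    ("whois", "person:Hosting Reseller C", {"email": "abuse@hosting.example"}),
    ("whois", "person:Hosting Reseller D", {"email": "abuse@hosting.example"}),
]


def build_graph(records, max_fanout=3):
    """Bipartite graph identity <-> selector. Selectors owned by more than
    max_fanout identities are dropped as too weak to support attribution."""
    owners = defaultdict(set)
    for _source, ident, selectors in records:
        for stype, value in selectors.items():
            owners[(stype, value)].add(ident)
    adj = defaultdict(set)
    ignored = []
    for (stype, value), idents in owners.items():
        if len(idents) > max_fanout:
            ignored.append((stype, value))
            continue
        node = f"{stype}:{value}"
        for ident in idents:
            adj[ident].add(node)
            adj[node].add(ident)
    return adj, ignored


def pivot(start, records, max_fanout=3):
    """Breadth-first search from an identity node. Returns {linked identity: path},
    where each path alternates identity and selector nodes, plus the selectors
    that were ignored as too widely shared."""
    adj, ignored = build_graph(records, max_fanout)
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in sorted(adj[cur]):  # sorted for deterministic output
            if nxt not in paths:
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    linked = {node: path for node, path in paths.items()
              if node != start and node.split(":", 1)[0] in IDENTITY_KINDS}
    return linked, ignored


if __name__ == "__main__":
    linked, ignored = pivot("alias:r1z", RECORDS)
    for ident, path in linked.items():
        print(ident, "<-", " -> ".join(path))
    print("ignored high-fanout selectors:", ignored)
```

The path returned for each link is the evidence chain an analyst has to document: here the alias reaches the visa applicant only through the payment account's phone number, so that single selector is the claim that needs corroboration (the page's case used State Department records for that step).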
## Recommendations
- Enhanced External Monitoring: Organizations should monitor cybercrime forums and dark web marketplaces for chatter related to their specific technology stack (e.g., brands of firewalls used).
- Identity Correlation for Attribution: Investigators and threat-intelligence teams should treat registration email addresses, payment accounts, and government records as pivot points; the link from 'r1z' to Albashiti came from exactly such cross-referencing, not from a network artifact.
- Proactive Endpoint Defense: Enable EDR tamper protection so that local administrators and malware cannot stop the sensor, change its configuration, or unload its driver, and alert on attempts to do so, since the malware sold in this case was built precisely to disable EDR before ransomware deployment.
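The page does not say how the EDR-disabling malware sold here worked, so the detection side of the endpoint recommendation is shown generically. As an added example, not code from the case or from any EDR vendor, the script below runs a small rule set over constructed process-creation records (fields in the shape of Sysmon Event ID 1 or Windows 4688: host, user, parent, image, command line) for the command-line techniques commonly used to blind Microsoft Defender or stop an EDR sensor. The Defender service and process names are real; every host, user, path and event is made up.

```python
"""Detection of EDR tampering from process-creation telemetry (added example, constructed data)."""
import re

# Defender / Defender for Endpoint components (real names); extend for the EDR in use.
EDR_SERVICES = r"(?:WinDefend|Sense|MsMpSvc|MDCoreSvc)"
EDR_PROCESSES = r"(?:MsMpEng|MsSense|SenseIR)\.exe"

RULES = [
    ("defender_disable_cmdlet",
     re.compile(r"Set-MpPreference\b.*-Disable(?:RealtimeMonitoring|BehaviorMonitoring|IOAVProtection|ScriptScanning)", re.I)),
    ("edr_service_tamper",
     re.compile(r"\b(?:sc(?:\.exe)?|net(?:\.exe)?)\s+(?:stop|delete|config)\s+" + EDR_SERVICES + r"\b", re.I)),
    # BYOVD staging: a new kernel-mode service, typically pointing at a user-writable path.
    ("kernel_driver_service_create",
     re.compile(r"\bsc(?:\.exe)?\s+create\b.*\btype=\s*kernel\b", re.I)),
    ("defender_policy_registry",
     re.compile(r"\breg(?:\.exe)?\s+add\b.*Windows Defender.*\bDisable(?:AntiSpyware|AntiVirus)\b", re.I)),
    # Usually fails against a protected process, but the attempt itself is the signal.
    ("edr_process_kill",
     re.compile(r"\btaskkill(?:\.exe)?\b.*" + EDR_PROCESSES, re.I)),
    # Reboot into Safe Mode, where most EDR sensors do not start.
    ("safe_mode_boot",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.I)),
]

# Constructed telemetry; every host, user and path here is made up.
EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"host": "ws01", "user": "CORP\\jdoe", "parent": "winword.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"host": "srv02", "user": "NT AUTHORITY\\SYSTEM", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc.exe config WinDefend start= disabled"},
    {"host": "srv02", "user": "NT AUTHORITY\\SYSTEM", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc.exe create updsvc type= kernel binPath= C:\Users\Public\upd.sys"},
    {"host": "srv02", "user": "CORP\\svc-backup", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"host": "ws01", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc.exe query WinDefend"},
    {"host": "srv02", "user": "NT AUTHORITY\\SYSTEM", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\bcdedit.exe", "cmdline": "bcdedit.exe /set {default} safeboot minimal"},
]


def detect(events):
    """Return one alert per (event, rule) match, in telemetry order."""
    alerts = []
    for idx, ev in enumerate(events):
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                alerts.append({"index": idx, "host": ev["host"], "user": ev["user"],
                               "rule": name, "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f'{a["host"]} {a["user"]} [{a["rule"]}] {a["cmdline"]}')
```

These rules catch the noisy, living-off-the-land way of blinding a sensor; a purpose-built tool of the kind sold in this case may instead load a vulnerable signed driver and kill the sensor from the kernel, which is why the `kernel_driver_service_create` rule and driver-load telemetry matter more than the command-line checks, and why tamper protection (which blocks the configuration changes above outright) should be on regardless of detection coverage.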