Full Report
Authorities linked the 40-year-old to multiple crimes by tracing the email address he used for a cybercrime forum to the same account he used to apply for a U.S. visa in 2016. The post "Jordanian national pleads guilty after unknowingly selling FBI agent access to 50 company networks" appeared first on CyberScoop.
Analysis Summary
# Incident Report: Unauthorized Access Broker Activity (r1z)
## Executive Summary
A 40-year-old Jordanian national, Feras Khalil Ahmad Albashiti (alias "r1z"), operated as an access broker, selling unauthorized access to at least 50 company networks that he compromised in 2023. Access was gained by exploiting vulnerabilities in commercial firewall products. The investigation began through an undercover FBI operation on a cybercrime forum, leading to the discovery of linked criminal activities, including the sale of EDR-killing malware and privilege escalation tools. The suspect pleaded guilty to trafficking unauthorized access devices and credentials.
## Incident Details
- **Discovery Date:** May 2023, when the undercover purchases began; the investigation continued until the arrest in July 2024.
- **Incident Date:** Compromises of 50 networks occurred in **2023**.
- **Affected Organization:** At least 50 victim company networks (unspecified).
- **Sector:** Multiple (implied, based on range of compromised networks, including U.S. territory government systems and U.S. manufacturing).
- **Geography:** Perpetrator operated from the Republic of Georgia at the time of sales; victims are global/U.S.-based.
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-2023 (not specified; access brokers typically gain access before they start selling).
- **Vector:** Exploitation of **two commercial firewall products** in 2023.
- **Details:** Albashiti gained unauthorized entry into at least 50 company networks.
### Lateral Movement
- **Details:** Albashiti sold malware capable of **elevating internal user privileges** without authorization, suggesting post-exploitation maneuvering on victim networks.
### Data Exfiltration/Impact
- **Details:** The primary impact was the **sale of unauthorized network access** to at least 50 distinct victims. Additionally, the same actor was linked to a **ransomware attack against a U.S. manufacturing company in June 2023**, leading to at least $50 million in losses, and intrusions into **U.S. territory government systems**.
### Detection & Response
- **Detection:** An undercover FBI agent made contact in **May 2023** on a cybercrime forum with the actor posting under the moniker "r1z".
- **Response Actions:** The FBI maintained continuous communication for five months, purchasing access and malware samples. The cybercrime identity was linked to the suspect through the email address on his 2016 U.S. visa application. The suspect was **arrested in July 2024** and subsequently pleaded guilty.
## Attack Methodology
- **Initial Access:** Exploitation of vulnerabilities in **commercial firewall products**.
- **Persistence:** Not explicitly detailed, but implied through the sale of network access.
- **Privilege Escalation:** Sale and demonstration of **malware capable of elevating internal user privileges**.
- **Defense Evasion:** Sale and demonstration of **malware designed to turn off Endpoint Detection and Response (EDR) products** from three different companies.
- **Credential Access:** Not explicitly detailed, but the suspect trafficked unauthorized **login credentials**.
- **Discovery:** Use of a modified version of a **commercially available pentesting tool**.
- **Lateral Movement:** Implied through the use of privilege escalation tools.
- **Collection:** N/A (Focus was on selling access, not specific data collection by the broker himself).
- **Exfiltration:** N/A (The broker sold *access*, not data, although his buyers may have exfiltrated data).
- **Impact:** Facilitation of subsequent criminal activity, including ransomware attacks against other entities.
## Impact Assessment
- **Financial:** A linked ransomware victim reported **at least $50 million in losses**. The maximum fine for Albashiti is $250,000 (double the amount of gains/losses).
- **Data Breach:** Access sold to at least 50 networks and implied unauthorized access to U.S. territory government systems. Specific data volume unknown.
- **Operational:** Significant disruption to the manufacturing victim resulting in major financial loss.
- **Reputational:** Negative impact on trust in the targeted company networks and commercial firewall products.
## Indicators of Compromise
- **Network Indicators:** The IP address used to access the FBI server (not published in the report) was previously linked to intrusions against U.S. territory government systems and a ransomware attack on a U.S. manufacturing company in June 2023.
- **File Indicators:** Custom malware sold by the actor, capable of disabling EDR products from three vendors; a modified commercially available pentesting tool.
- **Behavioral Indicators:** Actor operating under the moniker "r1z" on a cybercrime forum selling unauthorized network access.
## Response Actions
- **Containment:** Not explicitly detailed; the investigation used an undercover agent to engage the threat actor between **May and July 2024**.
- **Eradication:** The primary response action was the **arrest of the suspect in July 2024** and securing his guilty plea.
- **Recovery:** Not detailed; recovery efforts would be incumbent upon the 50 victim organizations.
## Lessons Learned
- **Attribution Linkage:** Cross-referencing activity across disparate data sources (cybercrime forum registrations vs. routine government submissions such as visa applications) is a highly effective attribution technique; here the suspect had reused the same primary Gmail address for both since 2016/2018.
- **Access Broker Threat:** The specialization in selling initial access and tooling (like EDR-killing malware) represents a significant intermediate threat layer that enables subsequent complex attacks like ransomware.
- **Undercover Efficacy:** Long-term, persistent engagement by undercover law enforcement can yield significant evidence, including real-world demonstrations of the threat actor's malware capabilities against controlled environments (the FBI server).
## Recommendations
- **Proactive Firewall Monitoring:** Organizations running the exploited commercial firewall products should patch immediately, audit configurations, and increase monitoring of perimeter devices, since they were the initial access vector in this case.
- **Anomaly Detection for Internal Tools:** Implement strict controls and monitoring around the use of commercial pentesting tools, particularly when their activity coincides with unauthorized privilege changes.
- **Defense in Depth for EDR:** Do not rely on EDR as the only defensive layer; implement compensating controls that detect and block attempts to disable EDR agents, since the actor sold tooling built specifically for that purpose.