Malicious hackers who breach as many organizations as possible before going on to sell access to the highest bidder are playing a greater role in the global cybercrime ecosystem.
So-called ‘initial access brokers’ are exploiting the disruption to business processes and the shift to remote working caused by the Covid-19 pandemic to sell access to compromised enterprise networks for an average price of $7,100, according to a new study by Digital Shadows.
The threat intelligence firm’s study, published today (February 23), focuses on the burgeoning marketplace for ready-made network access, typically obtained by mass scanning for security vulnerabilities such as insecure virtual private network (VPN) setups.
Digital Shadows, which has been studying the trade in illicit network access since 2017, has witnessed a huge spike in activity and listings on darknet marketplaces over the last 12 months.
Many criminal marketplaces have reorganized to bring such advertisements into dedicated B2C-style sections, with more than 500 such listings on various illicit forums logged by Digital Shadows.
Many sellers have good feedback from other criminals, suggesting that vendors are able to make good on their offers, as Digital Shadows reports:
The average selling price for access is $7,100, with the price based on the organization’s revenue, type of access sold, number of employees, and number of devices accessible. RDP [remote desktop protocol] access enables an attacker to take over a victim’s computer and is the most common type listed, at 17% of the total.
Compromised RDP credentials are often a vector of ransomware attacks.
Domain administrator access is also sought after and makes up 16% of the listings with an average price of around $8,200.
Listings of VPN access have increased, as more and more organizations have moved to remote working.
The average access price for compromised VPN setups comes in at around $2,900, according to Digital Shadows.
VPN access constitutes 15% of the total dark web broker listings, although ads claiming to offer access to compromised Citrix environments, enterprise control panels, and web content management systems also feature heavily.
If ransomware distributors have partnered with particular initial access brokers, they are not advertising the fact, Digital Shadows told The Daily Swig.
“Digital Shadows has observed several ransomware operators actively recruiting initial access brokers (IABs) for their operations,” Stefano De Blasi, threat researcher at Digital Shadows, explained.
“However, no threat actors have publicly advertised a successful ongoing partnership with an IAB.”
“Therefore, while it is highly likely that ransomware operators use IABs to gain an initial foothold in a target, there is no publicly available intelligence to indicate who is working with whom,” he added.
Estimating the number of initial access brokers actively at work, much less how they are organized, is a tricky business.
“Our analysis of more than 500 listings published in 2020 indicates that more than 150 active IABs were operating in that timeframe,” De Blasi told The Daily Swig.
“These threat actors typically work as middlemen, providing other cybercriminals the initial access needed to conduct their operations.”
De Blasi concluded: “Technical sophistication levels can vary broadly among IABs, making it difficult to paint a uniform picture of their internal organizational structure and business model.”
Enterprise network defenders are far from powerless in combating the threat.
Digital Shadows has proposed mitigation strategies for each of the most commonly exploited access vectors. Check out the report for further details.