Selling access to networks is both a more significant and smaller business than you might imagine. One thing’s for sure: there’s big money being made by bad actors.
Growth of ransomware drives Initial Access Broker market
Thanks primarily to the growth of ransomware, the sale of access to compromised networks has become a criminal business sector of its own. The Initial Access Broker (IAB) market is where cybercriminals buy their way into a business network rather than doing the hard work themselves.
With prices of such access hitting a high of more than half a million dollars in one case, and some IABs thought to be working directly with criminal groups for a percentage of any ransom received, it’s a big business, alright.
One that, recent research would suggest, is dominated by just seven individual brokers on the dark market.
According to a white paper published by threat intelligence company Intsights, seven vendors across dark and deep web forums were the sources of a majority of compromised access offerings. For example, one, posting under the username pshmm, includes detailed listings of the capabilities a buyer can expect: the transfer, delivery and execution of files, running of commands, disabling of security software, and access to Active Directory among them.
Access credentials could be worth as much as $500,000
Intsights researchers found the pricing varied dramatically, ranging from $240 at the low end to $95,000 for access to a $1 billion revenue telecoms provider. Using the opening bids and buy-it-now prices of dark web IAB auctions, the average price was $10,000. However, research from another intelligence provider, KELA, found one example of ‘admin access’ to a $500 million revenue company network being offered for 12 BTC, or more than $500,000 at current rates.
“The diversified and specialist role of criminal access brokers is a growing and disturbing dark market trend,” Ian Thornton-Trump, CISO at threat intelligence specialists Cyjax, says. According to Thornton-Trump, there are four primary vectors used by criminal access brokers when putting together what he calls “target reconnaissance as-a-service” packages.
- The validation of credentials exposed in a publicly disclosed data breach, grouped by corporate domain, to confirm which user IDs and passwords still yield access.
- The exploitation of a vulnerability that yields valid access credentials or allows gathering of credentials.
- A brute-force attack on an exposed service that has no detection or mitigation control in place to prevent enumeration, such as Outlook Web Access, Virtual Private Network (VPN) or Remote Desktop Protocol (RDP).
- The purchase of credentials/access from a current or former employee.
The last of these is a “lucrative cybercriminal play,” Thornton-Trump says, “as what happens next is up to the criminal actor that purchased the access and so allows the broker to be somewhat isolated from unwanted law enforcement attention.”
IAB threat mitigation advice
When it comes to mitigating the threat from these IABs, and as a result ransomware actors, Thornton-Trump is quite clear that the issue is approachable from a number of both proactive and reactive services and controls.
“Dark Web monitoring as part of a Cyber Threat Intelligence program to detect if some entity is selling credentials, along with a service like Have I Been Pwned to monitor public data breach exposure, is the first place to start,” he says. “Be prepared to disable accounts quickly and at the very least force password changes immediately.”
The next mitigation layer is to multi-factor authenticate all the things using secure web gateways, Thornton-Trump advises, “and get very aggressive with vulnerability management of devices and servers allowing access into the network.” Geo IP restrictions and access control lists can also help to protect exposed services.
Deploying security information and event management (SIEM) technology to catch brute-force attempts against services, and Web Application Firewalls for exposed web services, are also advised by Thornton-Trump. “Lastly, you can get offensive and deploy honeypots which may detect the credential validation attempts or brute-force attempts,” he says.
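As an added illustration of the SIEM-style detection Thornton-Trump recommends (example code written for this piece, not from the article, Cyjax or any vendor), the following Python flags the patterns the brokers rely on over a constructed set of authentication log lines for RDP, VPN and OWA: brute force against one account, credential validation across many accounts from one source, and a success that follows such a spray. The log format, the five-minute window and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log (not real data). Fields: timestamp service source_ip user result
SAMPLE_LOG = """\
2024-01-05T09:00:01 rdp 203.0.113.10 alice FAIL
2024-01-05T09:00:03 rdp 203.0.113.10 alice FAIL
2024-01-05T09:00:05 rdp 203.0.113.10 alice FAIL
2024-01-05T09:00:07 rdp 203.0.113.10 alice FAIL
2024-01-05T09:00:09 rdp 203.0.113.10 alice FAIL
2024-01-05T09:01:00 vpn 192.0.2.5 bob FAIL
2024-01-05T09:01:20 vpn 192.0.2.5 bob OK
2024-01-05T09:02:00 owa 198.51.100.7 carol FAIL
2024-01-05T09:02:10 owa 198.51.100.7 dave FAIL
2024-01-05T09:02:20 owa 198.51.100.7 erin FAIL
2024-01-05T09:02:30 owa 198.51.100.7 frank FAIL
2024-01-05T09:02:40 owa 198.51.100.7 grace OK
"""

WINDOW = timedelta(minutes=5)   # assumed correlation window
BRUTE_FORCE_THRESHOLD = 5       # failures for one account from one source
SPRAY_THRESHOLD = 4             # distinct accounts failed from one source

def parse(line):
    ts, service, src, user, result = line.split()
    return datetime.fromisoformat(ts), service, src, user, result

def detect(log_text, window=WINDOW):
    """Return sorted (alert_type, service, source_ip, user) tuples."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    per_account = defaultdict(list)   # (service, src, user) -> failure timestamps
    per_source = defaultdict(list)    # (service, src) -> (timestamp, user) of failures
    alerts = set()
    for ts, service, src, user, result in events:
        src_fail = per_source[(service, src)]
        src_fail[:] = [(t, u) for t, u in src_fail if ts - t <= window]
        tried = {u for _, u in src_fail}
        if result == "OK":
            # A success right after many failed accounts is a validated credential
            if len(tried) >= SPRAY_THRESHOLD:
                alerts.add(("validated_access", service, src, user))
            continue
        acct = per_account[(service, src, user)]
        acct[:] = [t for t in acct if ts - t <= window] + [ts]
        if len(acct) >= BRUTE_FORCE_THRESHOLD:
            alerts.add(("brute_force", service, src, user))
        src_fail.append((ts, user))
        if len(tried | {user}) >= SPRAY_THRESHOLD:
            alerts.add(("credential_spray", service, src, "*"))
    return sorted(alerts)
```

The benign VPN user who mistypes once and then logs in produces no alert, which is the false-positive case any such rule has to tolerate.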
Thornton-Trump says that you should keep in mind that both nation state actors and cybercriminals will be after your credentials for espionage or a ransomware payday. “Either way you look at it,” he concludes, “credentials are the keys to your cyber castle.”