The average price for accessing a compromised company’s network is only $1,000, with credentials for Virtual Private Networks (VPNs) and Remote Desktop Protocol (RDP) servers being the most common types of access sold, according to a new report that analyzes the results of a year-long survey of underground forums.
Access to larger companies costs more and skewed the average bid price to $5,400, threat intelligence firm KELA says in its report. Among the more expensive offers: access to an Australian company with half a billion dollars in revenue for 12 bitcoins (around $460,000) and access to a Mexican government agency for $100,000, the report says.
The number of access offerings for sale has declined overall, but that drop is unlikely to translate into lower sales, says Victoria Kivilevich, threat intelligence analyst at KELA.
“It doesn’t mean that they suddenly stopped their activities,” she said. “We believe this means that the top performing initial access brokers have found more ready buyers and are therefore negotiating in private conversations, which is more difficult for researchers to follow.”
The flourishing market for initial access to corporate networks shows how groups of cybercriminals continue to specialize in particular stages of the attack chain. Initial Access Brokers (IABs) give attackers the ability to skip the first three stages of the cyber kill chain. Rather than having to scout for vulnerabilities, weaponize an exploit for a particular security issue, and deliver that attack, cybercriminals can simply buy access to a business and move straight to exploiting the network.
While KELA was unable to directly connect the sale of initial access to attacks against compromised companies, the threat intelligence provider anecdotally established probable connections. In February 2021, for example, the DarkSide group claimed to have compromised Gyrodata, an American tech company, a month after an IAB sold access to the company. In late March, ransomware group Avaddon claimed to have compromised a steel supplier in the United Arab Emirates about three weeks after selling supplier credentials online, KELA said in the report.
The most expensive Mexican government agency access offer was likely used by ransomware group LockBit, KELA said.
“While researchers cannot always accurately estimate the number of attacks that occurred after the initial network access was purchased for sale, [we were] able to analyze a few examples to confirm the links between access for sale and ransomware attacks,” says KELA in its report.
Initial network access is most often obtained through the credentials of legitimate users on remote access systems, such as VPNs and remote management systems, but can also be the result of an exploited or otherwise compromised system, says Kivilevich.
“VPN and RDP-based access continues to account for the majority of the initial access offered for sale,” she says. “But we are also seeing more so-called exotic or non-traditional access [that] nevertheless allows attackers to abuse and compromise the network.”
Of the companies allegedly compromised by IABs, nearly 28% were in the United States, 6% in France, 4% each in the United Kingdom and Australia, 3.8% in Canada and 3.5% in Italy.
Among other trends, IABs are trying to extract more value from their backdoors in corporate systems. Some brokers only sell access after stealing data from companies. In one case, the sellers offered domain administrator access to Pakistani Airlines, then put the airline’s databases up for sale a week later.
“[T]he actor has taken two different approaches to try to monetize, taking advantage of the network access to the airline’s network that he has obtained to exfiltrate company data,” the report said.
While IABs turn a profit as quickly as they can, some industries were off limits, especially healthcare companies. KELA has detected signs that some brokers removed offers of access to healthcare companies after criticism from other members of the forums they posted to.
While IABs have become more cautious about what information they post online – in 99% of public listings, the IAB does not mention the name of the compromised company – monitoring online forums can still be a good source of information, says Kivilevich.
“When you watch them, you can sometimes determine who they can access and how they can get in,” she says. “If someone offers Citrix access and we determine which company, we can notify them.”