Buddy, Can you Spare $25.00?

In the US Great Depression, there was a song called “Brother, Can You Spare a Dime?” Now it is $25.00. In 2021, there has been a surge in cyber criminals selling access to compromised corporate networks as hackers look to cash in on the demand for vulnerable networks from gangs looking to initiate ransomware attacks. Some access has been offered at only $25.00. How would you feel if your organization’s network access was on the “Bargain Rack”?

Researchers at cybersecurity company Group-IB analyzed activity on underground forums and said there has been a sharp increase in the number of offers to sell access to compromised corporate networks, with the number of posts offering access tripling between 2020 and 2021. Cyber groups are claiming to offer access to compromised Virtual Private Network (VPN) and Remote Desktop Protocol (RDP) login credentials, as well as web shells, reverse shells, Cobalt Strike penetration testing tools and more. With this access, cyber criminals can enter a company's network and attempt to obtain usernames and passwords or administrator rights, which allow them to gain further control over the network.[1]

On the underground forums being analyzed, the number of offers to sell access to corporate networks went up from 362 to 1,099, a threefold rise in just a year, and the report warns that the increase is "one of the clearest trends on underground forums." The industries to which access is most commonly offered include manufacturing, education, financial services and healthcare.

The cost of access varies greatly, from a few dollars to a few thousand dollars. This makes the purchase very attractive to a ransomware crew, who could make this amount back many times over from a successful attack. There appears to be a direct correlation between access value and the victim company's revenue: the higher the revenue, the higher the access purchase price.

One of the key reasons for the increase in sellers is demand, which is being driven by the growth in ransomware attacks. Ransomware groups need access to networks, and buying access is easier and less time consuming than compromising networks themselves. "Ransomware operators are the main "customers" of initial access brokers' (IAB) services," stated the head of cybercrime research at Group-IB. "This unholy alliance of IABs and ransomware operators as part of Ransomware-as-a-Service affiliate programs has led to the rise of the ransomware empires," they added.

Another reason for the growth of initial access markets is the relatively low skills threshold for engaging in this sort of cyber-crime. These less sophisticated cyber criminals can use phishing attacks or buy off-the-shelf malware to steal information.

The report also suggests that gaining this initial access has got easier due to the rise in remote working because of the pandemic, which has resulted in many organizations unintentionally using insecure or misconfigured applications which cyber criminals can easily exploit.  If there are insecure networks which can be accessed and a demand from other cyber criminals to buy access to those networks, the rise of the access broker market looks very promising.

"We expect the number of brokers and initial access offers to grow.  As the supply increases to meet the demand, we expect the price of initial access to corporate networks to decrease," said researchers.  "Ransomware will remain the main way to monetize access to corporate networks because it provides the highest possible return on investment for IABs," they added.

There are measures which organizations can take to help avoid cyber criminals breaching the network and gaining access to credentials.  Some of these measures include:

  • Installing software updates and security patches on a regular and timely basis to protect against known vulnerabilities.
  • Encouraging the use of strong passwords which are difficult to breach in brute force attacks.
  • Applying multi-factor authentication to accounts so that if credentials are compromised, there will be limited opportunities for attackers to exploit them.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.   For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com     

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/3702558539639477516

[1] https://www.zdnet.com/article/theres-been-a-big-jump-in-crooks-selling-access-to-hacked-networks-ransomware-gangs-are-their-best-customers
