Stealing Made Easy

Why hack when hackers are willing to sell guaranteed access to breached networks?  Increasingly, cybercrooks would rather outsource than bother with the tedium of actual network penetration, leading to a flourishing initial access market.  Remote access to a victim's network now retails for an average price of $2,700, although about 40% of what's being sold goes for much less, $500 to $1,000, according to a report from cybersecurity firm Rapid7.  The research is based on listings posted over a six-month period, from July 1 to Dec. 31, 2024, to the dark web cybercrime forums Exploit and XSS, which are both Russian-language sites, as well as to the latest iteration of the English-language marketplace BreachForums.[1]

Comparing 2024 to 2023, cybersecurity firm Group-IB reported seeing a 15% rise in the volume of access to breached networks being sold.  Stolen credentials tied to North American organizations rose 43% in that timeframe, as well as by 41% for Latin America and 32% for Europe.  Crooks who pay someone else to do the work of initial access, and who parlay their purchase into stealing data or unleashing ransomware inside a victim's network, stand to earn many multiples of their initial access investment if a victim pays a ransom.  To entice buyers, many initial access brokers advertise the type of access available, as well as the breached organization's annual revenue.  Breached companies' income averaged $2.2 billion, Rapid7 found.

Across all listings, VPN access credentials accounted for 24%, followed by credentials for remote desktop protocol access at 17%, domain admin at 6% and local admin at 5%.  Rapid7 said the bottom rung of what's being offered involves only stand-alone VPN or RDP access, without any additional privileges, which accounted for 29% of all posts it examined.  The researchers said that's the "best case scenario" for an organization hit by an initial access broker, since it doesn't bespeak deep access.

Brokers advertised an initial access vector paired with some type of privilege 63% of the time.  "An example of this would be a sale of RDP with domain user credentials, or perhaps a combination of VPN and an admin account," meaning they'd more thoroughly reconnoitered a victim's network, it said.

The remaining 9% of posts involved "bundle deals," mixing initial access vectors and types of privilege.  "The main aspect of these bundles is that the broker is selling three or more compromised aspects of a business," Rapid7 said.  "Perhaps they're selling RDP with RDweb" - Microsoft Remote Desktop Web Access - "and domain user, or maybe it's Fortinet" - meaning a known vulnerability in an edge device - "with domain user and local admin."  This counts as a worst-case scenario.

In many cases, "initial access brokers aren't intent upon finding a single way into an organization's network and then quickly exiting - they're making attempts to explore the networks they've infiltrated, and they're often succeeding," said Raj Samani, chief scientist at Rapid7.  "By the time a threat actor logs in using the access and privileged credentials bought from a broker, a lot of the work has already been done for them.  Therefore, it is not about if you're exposed, but whether you can respond before the intrusion escalates."

More than one attacker may use any given initial access, either because the broker sells it to multiple customers, or because a customer uses the access for one purpose, say, to steal data, then sells it on to someone else, who perhaps monetizes their purchase by further ransacking data and unleashing ransomware.  "Organizations that unwittingly have their network access posted for sale on initial access broker forums have already been victimized once, and they are on their way to being victimized once again when the buyer attacks," the report says.

While the research provides insight into what is being bought and sold, and how much buyers might pay, not all initial access is sold in a public-facing manner.  Ransomware-as-a-Service groups regularly advertise for initial access brokers who will work solely with the operation or at least give them the right of first refusal on all new access, in return for a set fee or cut of ransom payments.  Other brokers may advertise a sample of access but conduct most of their business using end-to-end encrypted messaging services.

What's offered for sale highlights opportunities for victims to arrest such attacks before they can succeed.  "Access brokers often create new local or domain accounts, sometimes with elevated privileges, to maintain persistence or allow easier access for buyers," says a recent report from cybersecurity firm Kela.  For detecting such activity, "unexpected new user accounts are a major red flag."

So too is "unusual login activity" to legitimate accounts that trace to never-before-seen IP addresses or repeat attempts that only belatedly succeed, Kela said.  "Watch for legitimate accounts doing unusual actions or accessing resources they normally don't; these can be signs of account takeover."  Many organizations could prevent the reuse of stolen credentials sold by initial access brokers if they locked down other well-known attack vectors, such as by using multifactor authentication.
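The Kela red flags above (unexpected new accounts, logons from never-before-seen IP addresses, repeated failures that only belatedly succeed) can be turned into simple detection rules. The following is an added example written for this page, not code from Kela, Rapid7 or the article; the event feed is constructed and its field names (`type`, `user`, `ip`, `ok`, `by`) are assumptions rather than any real log schema.

```python
from collections import defaultdict

# Constructed sample events (not real data); field names are assumptions.
EVENTS = [
    {"t": 1, "type": "logon", "user": "alice", "ip": "10.0.0.5", "ok": True},
    {"t": 2, "type": "logon", "user": "alice", "ip": "10.0.0.5", "ok": True},
    {"t": 3, "type": "logon", "user": "bob", "ip": "10.0.0.9", "ok": True},
    {"t": 4, "type": "user_created", "user": "svc_backup2", "by": "alice"},
    {"t": 5, "type": "logon", "user": "alice", "ip": "203.0.113.7", "ok": False},
    {"t": 6, "type": "logon", "user": "alice", "ip": "203.0.113.7", "ok": False},
    {"t": 7, "type": "logon", "user": "alice", "ip": "203.0.113.7", "ok": False},
    {"t": 8, "type": "logon", "user": "alice", "ip": "203.0.113.7", "ok": True},
]


def detect(events, known_accounts, fail_threshold=3):
    """Return (time, rule, detail) alerts for the three red flags:
    new_account       - an account created that is not in the approved set
    fail_then_success - >= fail_threshold failures, then a success, from one IP
    new_ip            - a successful logon from an IP never seen for that user
    """
    alerts = []
    seen_ips = defaultdict(set)  # user -> IPs with a prior successful logon
    fails = defaultdict(int)     # (user, ip) -> consecutive failures
    for e in sorted(events, key=lambda x: x["t"]):
        if e["type"] == "user_created":
            if e["user"] not in known_accounts:
                alerts.append((e["t"], "new_account",
                               f'{e["user"]} created by {e["by"]}'))
            continue
        if e["type"] != "logon":
            continue
        key = (e["user"], e["ip"])
        if not e["ok"]:
            fails[key] += 1
            continue
        if fails[key] >= fail_threshold:
            alerts.append((e["t"], "fail_then_success",
                           f'{fails[key]} failures then success for {e["user"]} from {e["ip"]}'))
        # Only alert on a new IP once the user has an established baseline.
        if seen_ips[e["user"]] and e["ip"] not in seen_ips[e["user"]]:
            alerts.append((e["t"], "new_ip",
                           f'{e["user"]} logged on from never-before-seen {e["ip"]}'))
        seen_ips[e["user"]].add(e["ip"])
        fails[key] = 0
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, known_accounts={"alice", "bob"}):
        print(alert)
```

Against the sample feed this raises three alerts: the unapproved `svc_backup2` account at t=4, then at t=8 both a failures-then-success and a new-IP alert for `alice`.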

Chris Boyd, lead threat researcher at Rapid7, said initial access traced to valid accounts was unprotected by MFA in well over half of all cases the company responded to during the first three months of this year.  Other initial access vectors include exploiting a vulnerability or brute-forcing weak credentials, each accounting for 13% of initial access methods, followed by hackers accessing an exposed RDP service or remote monitoring and management tool, each accounting for 6% of incidents.  Even when attackers don't use RDP to break in, abuse of the service featured in 44% of attacks the firm investigated.

Those initial access trends have remained virtually unchanged across many months, showing that so long as they succeed, and especially given the absence of MFA, attackers have little incentive to change their tactics, Boyd said.  "We expect to see no drop in popularity while businesses continue to leave easy inroads open and available to skilled and unskilled attackers," he said.

This article is shared with permission at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122

[1] https://www.bankinfosecurity.com/initial-access-brokers-selling-bundles-privileges-more-a-29197