How freelance crooks facilitate major corporate hacks


Some criminals make big bucks simply by helping out other crooks – selling them initial access to a company. And the number of companies that can be exploited in this way is far from being exhausted, a new report reads.

Crooks surf the dark web to find corporate credentials for sale. The more profitable the company is, the higher the price for initial access to it. But it’s totally worth it - having access to a big firm’s network allows criminals to target it with ransomware and data exfiltration, among other attacks designed to drain their accounts.

Those crippling attacks often start from initial access brokers (IABs) - threat actors trading valuable usernames and passwords on the darkest corners of the web.

Cyjax, a threat intelligence provider, scouted those corners and concluded that American firms are usually targeted. VPN access to companies’ networks is among the most advertised attack vectors, and no sector is immune, the pundit concluded.

“IABs have become a key component in the ransomware ecosystem. While some groups will have their own ‘in-house’ capabilities, these freelancers provide an efficient, reliable and trusted partner for many groups who can then focus on exploiting the access for financial gain,” Roman Faithful, Threat Intelligence Lead at Cyjax, is quoted as saying.

Ad on a Russian language forum

The price for initial access to a victim’s network varies mostly based on its revenue. Criminals charge less than $1,000 for companies' credentials with up to $1 million in revenue and approximately $6,000 for those making more than $1 billion.

Why? Well, the larger the company, the more at stake it is, and it is more likely to pay a ransom. Sitting on a great deal of personal data, intellectual property, and other valuable information, such a company is also subject to more regulation and faces huge fines for failing to protect that treasure trove.

Approximately one-third of all listings on the dark web concern US companies. This is not surprising, given that the country’s economy is the largest in the world. What is more, illicit Russian language forums even forbid targeting firms based in the former Soviet Union region and, unsurprisingly, are focused on countries that Russia perceives as its adversaries.

Remote Desktop Protocol (RDP) and VPN access to companies dominate the ads on the dark web. Interestingly, when a cybercriminal gets their hands on corporate VPN logs, they can’t instantly access company data. Often, they need to engage in further exploitation and infiltration activities to access the firm’s crown jewels.

“RDP and VPN are very common connection types used in corporate networks, so it is unsurprising to see these access types comprising almost 50 percent of IAB listings on cybercriminal forums,” the report reads.

The top ten vendors, accounting for roughly 40% of listings, are as follows:

1. SGL (6.1% of listings)

2. PirateJack (6%)

3. SASAKI2303 (5.4%)

4. DBLand (4.9%)

5. Sandocan (3.7%)

6. Alastor (2.6%)

7. DonaldBucks (2.2%)

8. Kio (2%)

9. TA55 (2%)

10. Ddarknotevil (1.6%)

“It's a growing market that shows no sign of slowing—the number of companies that can be exploited is nowhere close to being exhausted. While law enforcement has seen success in dismantling ransomware groups, it’s important not to forget those who open the door for their activities,” Roman Faithful said.