Initial access brokers have established themselves as a pillar of cybercrime in 2021
Initial access brokers (IABs) use remote desktop protocol and virtual private networks to breach organizations. As the IAB market matures further, the prices charged for such access are likely to fall even lower.
“To say that 2021 was a turbulent year for security teams would be a massive understatement. Last year, we observed paralyzing ransomware operations against critical infrastructure, supply-chain attacks impacting hundreds of organizations, and state-sponsored espionage campaigns leaving no company — even those with expensive firewalls — feeling safe,” Stefano De Blasi from Digital Shadows said.
IABs are at the heart of cybercrime. They gain network access to vulnerable organizations, establish the access’s value, and then turn to cybercriminal forums to sell that access and cash in on their work.
“IABs have acquired a significant cybercriminal role by doing the technical, dirty work and providing others with a wealth of victims to compromise easily,” Digital Shadows said.
According to the recent Digital Shadows report, the rise of cybercrime has created a fertile ground for IABs.
The Photon Research Team, Digital Shadows’ external-facing security research team, observed a 57.45% growth in the number of IAB listings advertised in cybercriminal forums compared to 2020.
“IABs have acquired a significant cybercriminal role by doing the technical, dirty work and providing others with a wealth of victims to compromise easily. They are a symbol of cybercrime professionalization: a phenomenon that has malware commodity and task separation at its core. These actors are both victim and customer agnostic―something that makes them even more dangerous, from a certain point of view,” Digital Shadows said.
IABs primarily target the retail sector as it has many e-commerce sites with poor security. Other key industries widely targeted by IABs include technology and industrial goods. The US remains the country most targeted by the IABs.
IABs usually breach an organization via remote desktop protocol (RDP) and/or virtual private network (VPN) applications. According to the report, these applications are easy to compromise through default passwords or through stolen passwords obtained via brute-force attacks.
“The use of RDP and VPN has greatly expanded since the beginning of the pandemic, without any major security improvements. Consequently, threat actors have been able to compromise these applications and drive more malicious activity,” Digital Shadows said.
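The RDP brute-force pattern described above leaves a characteristic trail in Windows Security logs: a burst of failed logons (event 4625) from one source followed by a success (event 4624). The following detection routine is an added example, not code from the article or from Digital Shadows; it runs over a constructed sample of RemoteInteractive (logon type 10, i.e. RDP) events and flags a success preceded by a configurable number of failures from the same source within a time window. VPN appliances log differently, so a comparable check there would need its own parser.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (not real logs). Fields:
# timestamp, event id (4625 = failed logon, 4624 = successful logon),
# logon type (10 = RemoteInteractive, i.e. RDP), account, source IP.
SAMPLE_EVENTS = [
    ("2021-12-01T02:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2021-12-01T02:00:03", 4625, 10, "admin", "203.0.113.7"),
    ("2021-12-01T02:00:05", 4625, 10, "backup", "203.0.113.7"),
    ("2021-12-01T02:00:08", 4625, 10, "svc_sql", "203.0.113.7"),
    ("2021-12-01T02:00:11", 4625, 10, "administrator", "203.0.113.7"),
    ("2021-12-01T02:00:14", 4624, 10, "administrator", "203.0.113.7"),
    ("2021-12-01T02:05:00", 4625, 10, "jdoe", "198.51.100.4"),
    ("2021-12-01T02:05:20", 4624, 10, "jdoe", "198.51.100.4"),
]


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return (source_ip, account, n_failures) for every RDP logon success
    that was preceded, within `window`, by at least `threshold` RDP failures
    from the same source IP. A single mistyped password followed by a
    success (the second source above) is not flagged."""
    failures = defaultdict(list)  # source_ip -> timestamps of recent failures
    hits = []
    for ts, event_id, logon_type, account, src in sorted(events):
        if logon_type != 10:
            continue  # only RemoteInteractive (RDP) logons are of interest
        when = datetime.fromisoformat(ts)
        # drop failures that fall outside the sliding window
        recent = [t for t in failures[src] if when - t <= window]
        failures[src] = recent
        if event_id == 4625:
            recent.append(when)
        elif event_id == 4624 and len(recent) >= threshold:
            hits.append((src, account, len(recent)))
            failures[src] = []  # report one password-guessing burst once
    return hits
```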
The company also looked at median access prices. It concluded that these are already relatively low and are likely to fall further as additional brokers saturate the market.
“We can see that web-shell is, on average, the most valuable initial access type overall. It also has a wide spread, likely because of the range of privileges ascribed to web-shells. On the other hand, although RDP is the most common listing, its low median value likely indicates that most of its listings may often grant access to low-privileged machines,” Digital Shadows said.
Roger Grimes, Data-Driven Defence Evangelist at KnowBe4, once said that ransomware gangs, being under attack by law enforcement, are now exploring every opportunity to maximize the tools and access they have. They engage in crypto mining, conduct DDoS attacks, and become IABs themselves. They used to be buyers of access to compromised companies. Currently, ransomware gangs like Conti are selling access to organizations themselves.
However, Digital Shadows believes that IABs play an increasingly important role in facilitating access for various threat actors because they take on the dirty work.
“By outsourcing some malicious activity to IABs, threat actors can minimize the time it takes to identify and exploit a target of interest. They can also obfuscate their identity by avoiding many of the “noisier” steps associated with the earlier stages of the cyber kill chain,” Digital Shadows said.