A cyberattack usually starts with access brokers who breach organizations and sell remote access to their criminal counterparts. Recently, they mostly went after the academic, government, and technology sectors.
Access brokers have established themselves as a pillar of cybercrime, facilitating myriad criminal activities. They sell access to threat actors for thousands of dollars, and that access is later used to breach organizations and spread ransomware.
Many threat actors have established relationships with big game hunting ransomware operators and affiliates of ransomware-as-a-service programs.
The CrowdStrike Intelligence team analyzed access brokers' advertisements posted since 2019 and identified trends in targeting preferences. Academic, government, and technology industries are the top targets for access brokers. They account for a combined 49% of the total advertisements.
Geographically, advertisements for access to US-based entities far surpass those for all other countries, claiming 55% of the total. Organizations in Brazil and the UK take second and third place with 8% and 7%, respectively.
"Access with elevated privileges typically attracts a higher asking price, as does access to large corporations with higher annual revenues or advertisements by more-established access brokers. Some brokers auction the access, offering a "buy-it-now" price or attempting to encourage a bidding war," CrowdStrike said.
The sectors attracting the highest average asking price for access were government, financial services, and industrial and engineering organizations.
The government sector attracted an average asking price of $6,151 and financial services $5,855, while access to the academic sector was priced at $3,827 on average.
"Organizations based in the US, the UK, and Canada attracted higher asking prices than other countries, reflecting the demand in targeting these locations. It is worth noting that the advertised price is not necessarily what's paid, and the majority of access brokers appear open to negotiation," CrowdStrike noted.
Recently, a cybersecurity company released a report about initial access brokers (IABs), saying that IABs usually breach an organization via remote desktop protocol (RDP) and/or virtual private network (VPN) applications. These applications are easy to compromise through default or stolen passwords obtained via brute-force attacks.
"The use of RDP and VPN has greatly expanded since the beginning of the pandemic, without any major security improvements. Consequently, threat actors have been able to compromise these applications and drive more malicious activity," Digital Shadows said.
The company also looked at the median access prices. It concluded that these are relatively low and can become even lower as additional brokers further saturate the market.