Cybercrime Ransomware's Helper : Initial Access Brokers Flourish

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,292
ransomwares-little-helper-initial-access-brokers-flourish-showcase-image-10-p-2987.jpg


Quote : " To take down bigger targets more easily and quickly, ransomware gangs are increasingly tapping initial access brokers, who sell ready access to high-value networks. On average, such access is sold for $1,500 to $2,000, says Victoria Kivilevich, a threat intelligence analyst at Israeli cyberthreat intelligence monitoring firm Kela. "For such a sum, threat actors usually offer domain admin-type of access to medium-sized companies with hundreds of employees," she says.

Using initial access brokers enables attackers to avoid the time-consuming, laborious process of finding victims and attempting to hack them. Instead, they can see a menu of potential victims and pay for remote access credentials that are guaranteed to work. Kivilevich writes in a new report from Kela that over the last three months of 2020, she counted 242 initial network access offers for sale across three cybercrime forums with a total asking price of $1.2 million. During that time frame, Kivilevich says, the average price per access was $6,684, the median price was $1,500 and the highest single price listed was 7 bitcoins, which at the time could have been worth about $130,000. But 24% of offers didn't list a price. While the number of access offers being sold declined from month to month, Kivilevich says that many are now "being traded in private conversations," which makes it difficult to ascertain the quantity and selling price of everything that's being sold.

Types of Access​

The most common types of access being sold - comprising 45% of what's publicly on offer - are credentials for remote desktop protocol or VPNs; details of a vulnerability in the victim's system that facilitates remote code execution, aka RCE; and access to Citrix products, Kivilevich says. Using RDP or VPN to gain access, "an intruder can move laterally and eventually can succeed in stealing sensitive information, executing commands and delivering malware," she says. "The RCE vulnerability type of initial access is usually limited to the ability to run code using a specific vulnerability, which allows actors to pivot further within the targeted environment." But in about half of all listings, initial access brokers don't specify what type of access they're selling - or they may just list the level of access that a buyer could gain, such as "admin or user, local or domain," she says. In other cases, brokers sell remote access to remote control software, such as ConnectWise and TeamViewer, running in a victim's organization, she says, "which provide actors with RDP-like capabilities."
kela-connectwise-listing.jpg

Big Game Hunting​

Security experts say demand for initial access brokers' services has been surging. Using these brokers can help gangs more quickly take down larger targets via what's known as big game hunting. Historically, initial access brokers advertised their services on cybercrime forums and marketplaces. Some brokers appear to have long-term relationships with certain ransomware gangs, affiliates or middlemen, and offer them first right of refusal before making access offers available to others, Kela's Kivilevich says. But late last year, she reported seeing a reversal: The Darkside ransomware operation posted that it was actively seeking new partners who could give it access to U.S. businesses with annual revenue of at least $400 million. "

Full source :
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,292
If it only was that simple. Sadly it ain't.
 
Top