According to new research published by KELA, the number of ads on popular underground hacker forums selling “network access” tripled in September 2020 when compared to the previous month. In the report, researchers documented 108 listings providing what has been termed “network access” to buyers. In total, the sellers were looking to make over 500,000 USD from the sale of access to compromised devices on networks. The average price asked for by the sellers came in at nearly 5,000 USD but the price was dependent on the type of access granted to a compromised network.
The sellers have been termed by researchers as “initial access brokers” with the term coming to mean a seller providing remote access to a machine in a compromised organization. This initial access market in the past seemed to be far more niche than it appears now as it provided other cybercriminals with a foot in the door or initial access to the network via several attack vectors including RDP compromise and SQL injection. By hacking the Remote Desktop Protocol (RDP) the attacker gains privileged access to the targeted machine, while SQL injection involves the attacker placing malicious code within queries to databases allowing the attacker to retrieve data they would not be typically allowed to see and assist with compromising the network.
In the past, the preference for cybercriminals was to buy this access from RDP shops or from botnet operators who had already compromised an organizations network. However, the rise in popularity of initial access brokers, seen in the drastic rise in ads placed selling such access, seems to be driven by a large number of vulnerabilities disclosed starting in the middle of 2019 affecting major networking devices and products. These vulnerabilities include flaws found in Pulse Secure and Fortinet VPN servers, Citrix network gateways, Zoho computer fleet management systems, to name a few.
In some instances, initial access brokers could directly sell the access granted to ransomware operators, and this did occur. However, many of those selling initial access do not have the connections to the major players on the ransomware scene and in some sense are forced to sell access on underground forums. This access could then be picked up by opportunistic attackers, ransomware affiliates is one example provided by researchers, who in turn allow more advanced cybercriminal organizations to complete the task. These more advanced players could be the number of human-operated ransomware gangs capable of holding large organizations ransom for exorbitant sums. Some enterprising initial access brokers would sell only sell access once they had gained higher privileges or admin privileges on a compromised network, enabling them to sell the access for a far higher price.
All in the name of Profit
As mentioned above the average price for this type of access was found to be nearly 5,000 USD, 4,960 USD to be more exact but the price variation varied wildly. The cheapest ad seen came in at 25 USD, while the most expensive weighed in at 102,000 USD. The level of privilege the access grants the attacker certainly has a bearing on the price, but another factor was the organization compromised. High profile compromises will cost the buyer the more, as is to be expected. This flexibility in pricing is also a result of buyers having their capabilities to escalate privilege themselves, in turn driving the price lower. Other ads saw price increases when the seller managed to gain more privileged access to a network. In one case the seller had initially achieved domain user access and charged a potential buyer 1,500 USD and later they managed to gain domain admin access effectively doubling the price.
Another factor in determining the value of the access granted was how much annual revenue the compromised organization raked in rather than the number of users or endpoint devices on the network. The higher the revenue, the more valuable the compromised network is perceived to be. Researchers believe that this emphasis on revenue is done to attract ransomware operators as it has been seen that gangs will tailor their ransom demands depending on how wealthy the victim is perceived to be. Further, modern ransomware operations are not dependant on the number of endpoints a network has but rather can effectively cripple an organization by encrypting critical infrastructure devices like servers and network drives.
KELA, which analyzed some of the highest-priced ads posted in September, said it found brokers peddling access to a major maritime and shipbuilding company, a Russian bank, a Turkish aviation firm, and a Canadian franchise company, with access for this victim's network being sold in just a few hours with the scales ranging from tens of thousands of dollars to just over a hundred thousand dollars. KELA researchers warn,
“Looking at the most expensive accesses, we can assume that initial access brokers are evolving and offering various ways to access the compromised networks besides the popular RDP method. It means that more and more software falls under attacks that ultimately lead to massive compromises and ransom demands, while actors selling the accesses are becoming an essential part of the Ransomware-as-a-Service ecosystem.”
Researchers advise organizations take the following steps to prevent falling victim to these brokers by,
“Initial access brokers’ public activity on cybercrime communities provides rare visibility into the inner workings of threat actors; this visibility should be leveraged by network defenders in order to understand the threat landscape and prioritize defense mechanisms accordingly. Proactively monitoring activities of such actors in darknet communities, patching the software, and educating employees is an approach that should be taken into service by all organizations that want to avoid the post-factum negotiations with the ransomware operators.”
The research conducted by KELA seems to have been verified from other events occurring on the cyber threat landscape. A recent research paper published by Accenture details how network access brokers are actively dealing with ransomware operators. According to Accenture buying network access points and already compromised ways to infiltrate a target system are rising in popularity, including the purchase of stolen credentials and vulnerabilities.
While the research conducted by both organizations points to slightly different types of network access, they seemingly confirm that the problem is on the rise. Also, Accenture’s findings on cost appear to mirror those of KELA, with the former finding that access was granted for anywhere between 300 USD and 10,000 USD with Citrix and VPN vulnerabilities been one avenue of compromise. Yet again RDP compromise is also featured prominently as a vector of compromise. As to the links with ransomware operators, researchers noted,
“Since the start of 2020 and the emergence of the now-popular ‘ransomware with data theft and extortion’ tactics, ransomware gangs have successfully utilized dark web platforms to outsource complicated aspects of a network compromise. A successful ransomware attack hinges on the development and maintenance of stable network access which comes with a higher risk of detection and requires time and effort. Access sellers fill this niche market for ransomware groups. As of September 2020, we actively track more than 25 persistent Network Access Sellers as well as the occasional one-off seller, with more entering the scene on a weekly basis. Network Access Sellers operate on the same forums as actors associated with the ransomware gangs Maze, Lockbit, Avaddon, Exorcist, NetWalker, Sodinokibi, and others.”
The growing problem is further confirmed by both research teams noting a rise in sellers as well as more prolific sellers becoming more active on several underground forums. To further complicate matters, and make it harder to defend against initial compromise, Accenture notes that a network access broker was selling access to networks granted by zero-day exploits unknown to vendors. The seller in question wanted 250,000 USD for the privilege which would mean only the hackers with deep pockets could afford access but worryingly the seller received several offers.
However, it seems none of the offers were agreed upon and the seller began to use the zer0-day themselves to grant access to companies that would later be sold on to buyers rather than the zero-day itself. Given the drastic rise in popularity is can be assumed that this trend will remain for the time being as more cyberattacks are dependent on gaining access to networks. As not all hackers have the skills required to do this themselves outsourcing access is a viable solution for those willing to pay for it.