
The State of Initial Access Sales in 2023

The cyberattack landscape is often referred to as an “industry” for a reason. There is a significant amount of money to be made from exploiting vulnerabilities, but the way that cyberattackers make money from their exploits seems to be changing. Initial access sales are on the rise.

What are initial access sales?

Initial access sales are a form of cybercrime where threat actors, also known as Initial Access Brokers (IABs), sell access to a corporate network to other cybercriminals. What matters here is that, not long ago, a cybercriminal would be expected to carry out all elements of an attack themselves. The emergence of IABs demonstrates that this is no longer always the case, with criminals happy to outsource the act of illegally gaining network access to IABs.

IABs usually have a relatively limited skillset. They don’t create malware or negotiate ransom demands. They simply sell network access and let other cybercriminals do the rest. This approach is proving to be hugely lucrative for IABs. Although the number of network access listings fell by 21% in Q2 of 2023, the cumulative price of these listings increased to $782,500. This means IABs were able to demand a higher average price for their sales.

The risks posed by IABs

Although recent data may indicate that the number of initial access sales has fallen in recent months, the overall trend suggests that sales are booming. Infosecurity Magazine reports that IAB activity doubled last year compared to 12 months prior. Researchers have speculated that the rise in remote working has contributed to the increase in the number of access listings being put up for sale. 

IABs could be individual actors or part of a cybercrime collective. Either way, they focus on gaining illegitimate access to a corporate network before advertising it - usually on dark web forums - along with their asking price. They may also conduct some additional data harvesting to provide proof that they really have gained network access.

Some of the most common ways that IABs gain network access include phishing, brute forcing passwords, and exploiting other vulnerabilities:

  • Phishing: The most common form of cybercrime, phishing usually involves the sending of spam emails asking the unwitting individual to hand over credentials that let IABs gain network access. 
  • Brute forcing passwords: In this method, cybercriminals guess passwords until one is correct. Usually, they employ some form of automated tool to guess the passwords of internet-facing systems.
  • Other exploits: Cybercriminals are constantly on the lookout for vulnerabilities - and some of these will enable them to gain network access. These vulnerabilities may have been known to attackers for some time or may be newly discovered.

Some of the latest trends around initial access sales

The shift towards outsourcing illegitimate network access to IABs before moving on to further criminal exploits has resulted in the emergence of several trends. Research by cybersecurity firm KELA, for example, found that the most common type of access offered by IABs was via Remote Desktop Protocol (RDP), where vulnerabilities in the connections between clients, servers and virtual machines are exploited.
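An added example, not part of the original article: detection logic for the password brute forcing and RDP access described above, flagging a source IP that fails many logons and then succeeds. The CSV record layout, sample events, function names and thresholds are constructed for illustration; the event IDs are the Windows Security log's 4625 (failed logon) and 4624 (successful logon).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624   # Windows Security log: failed / successful logon
RDP_LOGON_TYPES = {3, 10}      # 10 = RemoteInteractive; with NLA, failures often log as 3 (Network)

def parse(line):
    """Parse one constructed CSV record: time,event_id,logon_type,source_ip,user."""
    ts, event_id, logon_type, ip, user = line.strip().split(",")
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), ip, user

def brute_force_then_success(lines, threshold=5, window=timedelta(minutes=10)):
    """Return alerts where one source IP fails >= threshold logons inside
    `window` and then logs on successfully (a likely guessed password)."""
    failures = defaultdict(deque)  # source_ip -> timestamps of recent failures
    alerts = []
    for ts, event_id, logon_type, ip, user in sorted(map(parse, lines)):
        if logon_type not in RDP_LOGON_TYPES:
            continue               # ignore console, service and batch logons
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()       # drop failures older than the window
        if event_id == FAILED:
            recent.append(ts)
        elif event_id == SUCCESS and len(recent) >= threshold:
            alerts.append({"source_ip": ip, "user": user,
                           "failures": len(recent), "time": ts.isoformat()})
            recent.clear()         # one alert per burst
    return alerts

# Constructed sample: six failures in one minute from one address, then a
# success; a second user mistypes a password once before logging on.
SAMPLE_LOG = [f"2023-07-03T02:00:{s:02d},4625,3,203.0.113.7,admin"
              for s in range(0, 60, 10)] + [
    "2023-07-03T02:01:10,4624,10,203.0.113.7,admin",
    "2023-07-03T09:00:00,4625,3,198.51.100.20,alice",
    "2023-07-03T09:00:30,4624,10,198.51.100.20,alice",
]

if __name__ == "__main__":
    for alert in brute_force_then_success(SAMPLE_LOG):
        print(alert)
```

A success that follows a burst of failures is the event worth triaging first, since it is the point at which guessed credentials turn into access that can be listed for sale.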

Some of the major IAB groups are also known - although individual identities remain hidden for obvious reasons. One of the biggest players is Br0k3r, which operates across several geographies. In June 2023, a marketplace managed by Br0k3r offering access to various networks was discovered. At the time, prices for the access listings started at 0.5 BTC, which is equivalent to around $15,000.

Another cybercrime group active on the notorious Russian dark web forum XSS is SelfZer0. As an IAB, SelfZer0 appears to focus largely on the US, with 38% of the network access listings it posted in Q2 of this year pertaining to that market. Collectively, the requested price of its listings totaled approximately $135,000.

The nature of the network being targeted by IABs has a major influence on the price a listing can command. As such, networks in the US, where many well-known, internet-facing companies are based, are the most commonly targeted. Although countries all over the world experience initial access attacks, 29.61% of networks targeted by IABs are in the US. Australia, Brazil, France, and India make up the rest of the top five, although some listings do not include the country where the network is based when they are put up for sale.

Trends are also visible in terms of the type of industry most likely to be targeted by an IAB. In the second quarter of 2023, the professional services sector was the most commonly affected industry. Manufacturing, technology and financial services were also frequently cited, although, again, not all network listings specified the industry in question.

Shut down the IAB revenue stream

The shift towards cybercriminals outsourcing the first stage of an attack emphasizes the importance of eliminating vulnerabilities from your network. If threat actors can’t gain initial access to your network, then an important revenue stream is shut off and you might save yourself from falling victim to subsequent attacks, whether ransomware, a man-in-the-middle attack or any other type of threat. 

Because IABs are largely indiscriminate actors, businesses must ensure that every attack surface is defended. Every asset, known and unknown, should be considered as part of your cybersecurity program - particularly with digital transformation showing no signs of slowing. In fact, research by Mulesoft found that 97% of IT decision makers are involved in digital transformation projects. 

But just because digital transformation may be your company’s objective, don’t allow new technologies to introduce new vulnerabilities that might enable IABs to gain access to your network. Instead, reduce your risk by identifying threats and vulnerabilities in real time by adopting Continuous Threat Exposure Management (CTEM). Support network access for your workers - whether they are based in the office or remotely - and shut down access by IABs. Cut off cyberthreats at their source.
