Threat actors who serve as middlemen by breaching systems and then selling access to others, such as ransomware groups, are said to be assuming a growing role within the cybercriminal ecosystem.
The method of operation of these "initial access brokers" is flourishing during the pandemic as employees increasingly log into systems remotely, according to digital risk protection company Digital Shadows.
The company said it has been studying this class of criminal since 2016, but in the last year it has detected a notable increase in their activity and listings. Many criminal marketplaces have reorganized to bring such advertisements into dedicated sections, and the listings currently number some 500 in a snapshot that Digital Shadows has taken of the most popular forums. Many sellers have good feedback from other criminals, indicating their claims are genuine, the company said.
The average selling price for access is $7,100, with the price based on the organization's revenue, type of access sold, number of employees, and number of devices accessible. RDP (Remote Desktop Protocol) access enables an attacker to take over a victim's computer and is the most common type listed, at 17% of the total. It also commands the highest average price, $9,800. RDP is a particular concern in the battle against ransomware, with an FBI spokesperson having stated that "RDP is still 70-80% of the initial foothold that ransomware actors use." It is also believed to have been a factor in a recent breach at a Florida water treatment facility where attackers sought to remotely control the chemical levels in the supply, according to Digital Shadows.
Domain administrator access, which accounts for 16% of the listings, has an average price of $8,187. Listings for VPN access have flourished on the back of increased remote working trends, with access to an organization's network being offered for an average price of $2,871. VPN access constitutes 15% of the total, with Citrix access (7%), control panel (6%), content management systems (5%), and shell access (5%) also advertised, the company said.
Rick Holland, CISO at Digital Shadows, said, "The dramatic increase in remote working coupled with ransomware's commercial success has been a perfect storm of opportunity for initial access brokers. These actors are cashing in because of the flourishing demand and their specialization. They concentrate on one aspect of the cybercriminal ecosystem, gaining access to your network, and they do it very well. They then pass the baton on to other criminals and move on to their next target. Due to their ability to successfully compromise organizations of all sizes, initial access brokers' prominence has increased within the cybercriminal underground."