Outsourcing Initial Access: Ransomware Groups Don’t Break In, They Log In.

In cybercriminal communities, it’s an access seller’s market. The number of posts and offers dedicated to monetizing network access has risen sharply over the last two years. Monetizing network access is not a new scheme, but the emergence of Ransomware-as-a-Service (RaaS) operators has created a market for specialized actors called Initial Access Brokers (IABs), a term coined by the cybersecurity vendor community to describe the individuals or groups who package and sell access to networks that is guaranteed to work. By outsourcing access, ransomware operators and affiliates can cut out the most time-consuming, laborious part of ransomware – getting into your network without being caught.

Ransomware’s impact has been heavily documented, but the rise of IABs points to the broader secret to its success: a thriving underground economy operating on many of the same principles as legitimate enterprises. Just like Fortune 500 companies, ransomware operators outsource critical business functions to specialized vendors. IABs supply the affiliates with access-as-a-service. They obtain access to organizations – mostly through previously breached credentials – and then package it for sale on the same underground forums frequented by RaaS affiliates.


The IAB/RaaS interdependence perpetuates a disturbing trend. Outsourcing access gives IABs the freedom to weaponize – and monetize – user credentials while remaining largely immune to consequences. For security professionals, effectively stopping the surge of ransomware means thwarting IABs, which means stripping stolen credentials of value before they can be used for profit. Take away their toys, and they can’t play as effectively.

Opportunities for Access Abound

So far in 2021, there have been more than 304 million ransomware attempts and more than $208M has been paid out in ransoms. The same factors that are fueling ransomware (a global pandemic, the shift to remote working, increasing digitalization, and potentially even cyberinsurance policies) have opened up vast opportunities for IABs.

Remote Desktop

The direct consequence of the mass shift to remote work is an increase in exposed remote services, such as Remote Desktop Protocol (RDP). A majority of ransomware attacks gain access to a victim’s network through a “backdoor” brute force approach that exploits weaknesses in RDP. Once found, exposed RDP can be accessed with stolen credentials or through password spraying (if unlimited login attempts are allowed). This has been the case for a while now, but remote work has made it worse by expanding the attack surface that security professionals need to secure; brute force protection for RDP is just one more item piled onto a system administrator’s already overwhelming task list.
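The two RDP abuse patterns just described leave different fingerprints in Windows logon-failure telemetry: a brute force hammers one account from one source, while a password spray touches many accounts a few times each to stay under lockout thresholds. The script below is an added example (not SpyCloud’s code) that separates the two over a handful of constructed, simplified event 4625 lines; the field names (EventID, LogonType, TargetUserName, IpAddress) mirror what a SIEM extracts from the real event, and the thresholds are assumptions to tune per environment.

```python
"""Classify RDP logon failures into brute-force vs. password-spray patterns.
Added illustration, not SpyCloud code; the log lines are constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re

# Constructed, simplified renderings of Windows Security event 4625 (logon failure).
# LogonType=10 is RemoteInteractive (RDP); LogonType=3 is a network logon, kept
# here only to show that it is filtered out.
SAMPLE_EVENTS = """\
2021-06-01T08:00:01 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.5
2021-06-01T08:00:02 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.5
2021-06-01T08:00:03 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.5
2021-06-01T08:00:04 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.5
2021-06-01T08:00:05 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.5
2021-06-01T08:00:06 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.5
2021-06-01T08:05:00 EventID=4625 LogonType=10 TargetUserName=alee IpAddress=198.51.100.7
2021-06-01T08:05:30 EventID=4625 LogonType=10 TargetUserName=bpatel IpAddress=198.51.100.7
2021-06-01T08:06:00 EventID=4625 LogonType=10 TargetUserName=cwong IpAddress=198.51.100.7
2021-06-01T08:06:30 EventID=4625 LogonType=10 TargetUserName=dkim IpAddress=198.51.100.7
2021-06-01T08:07:00 EventID=4625 LogonType=10 TargetUserName=ewhite IpAddress=198.51.100.7
2021-06-01T09:10:00 EventID=4625 LogonType=10 TargetUserName=mjones IpAddress=192.0.2.10
2021-06-01T09:10:20 EventID=4625 LogonType=10 TargetUserName=mjones IpAddress=192.0.2.10
2021-06-01T09:12:00 EventID=4625 LogonType=3 TargetUserName=svc_backup IpAddress=192.0.2.10
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event_id>\d+) LogonType=(?P<logon_type>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse the simplified log format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event_id": int(m["event_id"]),
            "logon_type": int(m["logon_type"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def classify_sources(events, window=timedelta(minutes=10), brute_force_min=5,
                     spray_min_users=4, spray_max_per_user=2):
    """Return {source_ip: pattern} for sources whose RDP failures, within any
    sliding window, look like a brute force (one account hammered) or a spray
    (many accounts, each tried only a few times). Thresholds are assumptions."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 10:  # failed RDP logon only
            by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            per_user = Counter(e["user"] for e in in_window)
            if max(per_user.values()) >= brute_force_min:
                findings[ip] = "brute_force"
                break
            if len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
                findings[ip] = "password_spray"
                break
    return findings


if __name__ == "__main__":
    for ip, pattern in classify_sources(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: {pattern}")
```

The two detections need different controls: an account lockout or rate limit defeats the single-account brute force, but a spray is designed to stay below exactly that threshold, which is why the per-source view (many distinct accounts from one address) matters. The two failures from 192.0.2.10 produce no finding, which is the intended behaviour for a user mistyping a password.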

Cloud Migration

Since the start of the pandemic, organizations have accelerated their adoption of cloud applications, and in some cases, the business need to do so trumped the security requirements. As organizations become more reliant on the cloud for daily operations – and misconfigurations and human error remain prevalent – ransomware operators have recognized cloud data and infrastructure as prime targets because taking them down will cripple the business and increase the urgency to pay up to restore services quickly.

In both cloud adoption and RDP, business continuity has been prioritized, leading organizations to make cloud applications available without basic security features such as multi-factor authentication (MFA).

Once they find their way in, IABs poke around the network, at times attempting to escalate privileges or move laterally to access more information. They organize their access, tailoring it into a presentable product, and determine how much money they could get in the criminal market for that access. When they advertise on criminal forums, prices vary with the average for network access being around $5,400.

Negate the Stolen Credentials Threat Vector

Given the saturated nature of the RaaS market, prominence and notoriety are vital to success. For ransomware developers, this means increased pressure to succeed or be dropped by the affiliate, just like poorly performing influencers hawking supplements. This created a massive opportunity for IABs, with an unintended consequence: by holding the keys that guarantee success, IABs occupy one of the most prominent positions in the RaaS supply chain while retaining the ability to skirt law enforcement.

At this point in the war on cybercrime, authorities have no reason to put resources toward stopping IABs, if they even know they exist. This means organizations are the ones who must thwart these lower-tier threat actors.

IABs have four common methods for ensuring success:

  1. Validating account credentials leaked in data breaches tied to specific corporate domains
  2. Exploiting vulnerabilities to gain access to compromised credentials
  3. Attacking exposed services (like VPN and RDP) that lack the proper security controls
  4. Purchasing access from an inside source

As long as criminals leverage stolen credentials to access accounts, organizations can use that same data to protect themselves. At SpyCloud, when we talk about disrupting criminals’ ability to profit, we essentially mean stepping in front of IAB groups and negating the value of stolen credentials. With the right solution, you can continuously check whether all user credentials, including your vendors’, show up in third-party breaches and underground marketplaces. Early detection enables quick action to reset those compromised credentials before they can be used as an entry point.
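The check described above, matching breach data against your own and your vendors’ accounts and flagging those whose exposed password is still in use, is shown below as an added example; it is not SpyCloud’s product or code. The breach records, domains, accounts and passwords are all constructed, the directory is modelled as PBKDF2-SHA256 hashes purely so the comparison can run offline, and the action labels (`reset_now`, `password_changed`, `unknown_account`) are this example’s own.

```python
"""Match breach records against a corporate directory to find accounts whose
exposed password is still in use. Added example, not SpyCloud's code; all
records, domains and passwords below are constructed."""
import hashlib
import hmac
import os

# Own domain plus one vendor domain to monitor (constructed).
MONITORED_DOMAINS = {"example.com", "vendor-example.net"}

# Higher number = more urgent; used when one account appears in several breaches.
PRIORITY = {"reset_now": 3, "password_changed": 2, "unknown_account": 1}

# Constructed breach corpus as it might be recovered from underground sources.
BREACH_RECORDS = [
    {"source": "forum-dump-2020", "email": "JSmith@Example.com", "password": "Summer2020!"},
    {"source": "forum-dump-2020", "email": "alee@example.com", "password": "welcome1"},
    {"source": "retail-leak-2021", "email": "bpatel@vendor-example.net", "password": "P@ssw0rd"},
    {"source": "retail-leak-2021", "email": "ghost@example.com", "password": "letmein"},
    {"source": "retail-leak-2021", "email": "someone@unrelated.org", "password": "hunter2"},
]

# Constructed "current" passwords used only to seed the demo directory.
CURRENT_PASSWORDS = {
    "jsmith@example.com": "Summer2020!",        # still using the leaked password
    "alee@example.com": "NewStr0ng-Passphrase", # changed since the breach
    "bpatel@vendor-example.net": "P@ssw0rd",    # vendor account, leaked password in use
}


def derive_hash(password, salt, iterations=100_000):
    """PBKDF2-SHA256 stand-in for whatever hash format the directory really stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def build_directory(current_passwords):
    """Return {email: (salt, hash)}; a real directory would already hold hashes."""
    directory = {}
    for email, password in current_passwords.items():
        salt = os.urandom(16)
        directory[email.lower()] = (salt, derive_hash(password, salt))
    return directory


def triage(breach_records, directory):
    """Return {email: {"action": ..., "sources": [...]}} for every breach record
    that belongs to a monitored domain. An exposed password that still matches
    the directory is the urgent case; an exposed email whose password differs
    is worth watching; an email with no directory entry may be a former user."""
    findings = {}
    for rec in breach_records:
        email = rec["email"].strip().lower()
        domain = email.rsplit("@", 1)[-1]
        if domain not in MONITORED_DOMAINS:
            continue
        if email not in directory:
            action = "unknown_account"
        else:
            salt, stored = directory[email]
            candidate = derive_hash(rec["password"], salt)
            action = "reset_now" if hmac.compare_digest(candidate, stored) else "password_changed"
        entry = findings.setdefault(email, {"action": action, "sources": []})
        if PRIORITY[action] > PRIORITY[entry["action"]]:
            entry["action"] = action
        entry["sources"].append(rec["source"])
    return findings


if __name__ == "__main__":
    for email, info in triage(BREACH_RECORDS, build_directory(CURRENT_PASSWORDS)).items():
        print(f"{email}: {info['action']} (seen in {', '.join(info['sources'])})")
```

Two design points carry over to a real deployment: emails are normalised before lookup, because breach data rarely matches the directory’s casing, and the comparison is done on the directory’s own hash format so the recovered plaintext never has to be stored alongside the account it matches.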

Preventing cybercriminals from getting access to your organization should always be the priority. By identifying exposed credentials and remediating them early, you effectively make it harder for IABs to sell anything of value.

Learn more about preventing ransomware attacks by mitigating your risk of exposed corporate credentials.

Stop exposures from becoming account breaches.