The average price of access to a compromised company's network is only $1,000, with credentials for virtual private networks (VPNs) and remote desktop protocol (RDP) servers the most common types of access sold, according to a new report that analyzes the results of a year-long survey of underground forums.
Access to large firms cost more and skewed the mean offering price to $5,400, threat intelligence firm KELA states in its report. Among the most expensive offers: access to an Australian firm with a half-billion dollars in revenue for 12 bitcoin (about $460,000) and access to a Mexican government agency for $100,000, the report says.
The number of access offerings for sale have declined overall, but the drop is unlikely to mean fewer sales, says Victoria Kivilevich, threat intelligence analyst at KELA.
"It doesn't mean that they have suddenly stopped activities," she says. "We think it means that the initial access brokers, the most successful ones, they found more ready buyers and so they are trading in private conversations, which is harder to be tracked by researchers."
The flourishing market for initial access to companies' networks highlights how cybercriminal groups continue to specialize in particular stages of the attack-chain pipeline. Initial access brokers (IABs) give attackers the ability to skip the first three stages of the cyber-kill chain. Rather than having to do reconnaissance to look for vulnerabilities, weaponize an attack against a particular security issue, and deliver that attack, cybercriminals can just purchase access to a company and exploit the network.
While KELA could not directly connect the sale of initial access to attacks on the compromised companies, the threat-intel provider did anecdotally make some likely connections. In February 2021, for example, the DarkSide group claimed to have compromised Gyrodata, a US technology firm, a month after an IAB sold access to the company. At the end of March, the Avaddon ransomware group claimed to have compromised a UAE steel supplier about three weeks after the supplier's credentials were sold online, KELA states in the report.
The access offer to a Mexican government agency, among the most expensive, was likely used by the LockBit ransomware group, KELA stated.
"Though researchers cannot always assess exactly how many attacks happened following the purchase of the initial network access on sale, [we were] able to analyze some examples to confirm the links between access for sale and ransomware attacks," KELA states in its report.
Initial network access is often through credentials for legitimate users on remote access systems — such as VPNs and remote management systems — but can also be the result of an exploited or compromised system, says Kivilevich.
"VPN- and RDP-based access continues to comprise the majority of initial access being put up for sale," she says. "But we are also seeing more so-called exotic or nontraditional access [that] nevertheless enable attackers to abuse and compromise the network."
Of the companies claimed to have been compromised by IABs, nearly 28% were in the United States, 6% in France, 4% each in the UK and Australia, 3.8% in Canada, and 3.5% in Italy.
Among other trends, IABs are trying to extract more value from their backdoors into companies' systems. Some of the brokers only sell access after stealing data from the companies. In one case, sellers offered domain admin access to Pakistani Airlines, then posted databases from the airline for sale a week later.
"[T]he actor took two different approaches to try and monetize, leveraging the network access to the airline’s network that he obtained to exfiltrate the company’s data," the report states.
While the IABs are quick to make a profit however they can, some industries were off-limits, especially healthcare firms. KELA detected signs that some brokers had deleted offers for access to healthcare companies after criticism from other members of the forums on which they posted.
While IABs have become more careful about what information they post online — in 99% of public listings, the IAB does not mention the compromised company's name — monitoring the online forums can still be a good source of intelligence, Kivilevich says.
"When you monitor them, you can sometimes determine whether they may have access and how they may be getting in," she says. "If someone is offering Citrix access and we determine which company, we can warn them."