Edge Editors, Dark Reading

March 21, 2024


Question: How do we keep initial access brokers from selling access to our networks to any ransomware actor who wants it?

Ram Elboim, CEO, Sygnia: As ransomware continues to grow as a cyber threat, new specialization among cybercrime groups has given them an edge on efficiency. One of the fastest-growing areas of specialization involves operators that outsource the job of gaining access to victim networks to initial access brokers (IABs).

At the start of a ransomware attack, an attacker needs initial access to the targeted organization's network, which is where IABs come in. IABs tend to be lower-tier, opportunistic threat actors that systematically obtain access to organizations — often via phishing or spam campaigns — and then sell that access on underground forums to other actors, including ransomware-as-a-service (RaaS) affiliates. Those affiliates, which constantly need more access to organizations to remain active, increasingly rely on IABs to provide that access.

Also known as access-as-a-service, the ready-made access offered by IABs has become an integral part of the ransomware ecosystem. IABs provide the initial information ransomware groups need for penetration so that operators can quickly target a wider array of victims, access their networks, and move laterally until they gain enough control to launch an attack. It's an efficient model for perpetuating cybercrime, one that helps to fuel ransomware's growth.

How IABs Gain Access

IABs generally take the easiest route to network access, most often through virtual private network (VPN) appliances or exposed Remote Desktop Protocol (RDP) services. They exploit one of the many VPN vulnerabilities that researchers have disclosed in recent years, or they scan for open RDP ports (TCP 3389) and follow up with password guessing, credential stuffing, or phishing to obtain working logins.

Overall, about two-thirds of the access types put up for sale on the Dark Web are RDP and VPN accounts that enable direct connections to victims' networks, according to Group-IB's "Hi-Tech Crime Report." Citrix access, various Web panels (such as content management systems or cloud solutions), and Web shells on compromised servers are less common. Leaked email credentials or infostealers' logs are also very popular, highly available, and cheap.

Ransomware operators use the Dark Web to buy credentials to penetrate targeted networks. Group-IB found that initial access offers more than doubled between 2021 and 2022, while the number of IABs increased by almost 50%. Prices for corporate access can start at just a few dollars and run up to hundreds of thousands of dollars for high-value targets.

The proliferation of dark-market credentials poses a serious risk to organizations in every sector worldwide. Whether the threats come from low-skilled individual hackers or highly capable cybercrime operations, organizations need to shore up their access protections.

Uncovering the Threat of Stolen Credentials

IABs and their RaaS affiliates need only one entry point into each targeted organization to initiate their attacks, and this gives them a distinct advantage. Any employee can unwittingly provide the access they need, whether through a phishing scam, an infostealer infection, or other means. In some cases, threat actors compromise an employee's home computer rather than an office workstation and use the credentials or sessions cached there to get into the company's network. This makes mitigating the threat very difficult, but there are effective steps an organization can take.

We have observed dozens of ransomware incidents in which the root cause of the attack was stolen access credentials. In a large portion of these incidents, however, our threat intelligence team detected some of these leaked credentials by monitoring social media channels, Dark Web forums, and underground markets.

In one such incident, a client was hit with an extortion attack by one of the most significant ransomware groups. While initiating the investigation, our threat intelligence team identified a query for the victim's credentials in a malicious Telegram channel in which actors can request leaked data and get responses immediately through a bot. We later found out that the first evidence of the attacker's access to that network was identified only a few days after the request was submitted.

In another incident also related to a ransomware attack, our threat intelligence team detected a couple of infostealer logs offered in the Russian market that contained logins to the victim's assets. Once the team purchased these logs and analyzed them, they extracted leaked credentials belonging to a third-party vendor's employee, which the incident response team later found to be the root cause of the initial access.

Mitigating the Danger of Compromised Credentials

Early detection might have prevented at least some of these attacks, had the leaked credentials been discovered and neutralized quickly. Several countermeasures against credential compromise are available, starting with measures proven to protect against misuse of network identities:

  • Require multifactor authentication (MFA) across the enterprise. Mitigate MFA fatigue (push bombing) by adding context to push notifications, requiring number matching or a code, or offering alternative methods such as TOTP (time-based one-time password) or, better, phishing-resistant FIDO2/WebAuthn authenticators.

  • Allow access to corporate services only from corporate-managed endpoints or networks, enforced through device-compliance or conditional-access policies rather than by trust in a password alone.

  • Guide employees not to reuse personal passwords for corporate accounts. Consider providing an enterprise password vault to help them manage passwords.

  • Monitor for and detect anomalies in logon attempts to corporate assets: impossible travel, sign-ins from unmanaged devices, and password-spray patterns. This can be achieved with the built-in risk detections of identity providers such as Microsoft Entra ID and Okta.

  • Implement single sign-on (SSO). SSO providers usually offer stronger security controls and a single place to revoke sessions, but SSO by itself does not address the risk of leaked credentials: a stolen SSO password or session token still opens every application behind it, which is why it must be paired with MFA and device restrictions.
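The anomaly detections named in the list above, worked through on sample data. This is an added example rather than Sygnia's or Dark Reading's code, and the event layout, the thresholds, and the sign-in events themselves are assumptions constructed for it; Entra ID and Okta implement equivalent checks as built-in risk detections, and the code shows the logic behind three of them.

```python
"""Logon-anomaly triage over identity-provider sign-in events.

Added example, not Sygnia's or Dark Reading's code. The event layout,
the thresholds and the sample events are assumptions made for the
example; Entra ID and Okta expose equivalent checks as built-in risk
detections, and this shows the logic behind three of them.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in events (not real telemetry). Timestamps are UTC.
EVENTS = [
    {"ts": "2024-03-20T08:02:00", "user": "alice@example.com", "ip": "203.0.113.10",
     "lat": 51.5, "lon": -0.12, "managed": True, "result": "success"},
    # Same user, 38 minutes later, from an unmanaged device in New York
    {"ts": "2024-03-20T08:40:00", "user": "alice@example.com", "ip": "198.51.100.7",
     "lat": 40.7, "lon": -74.0, "managed": False, "result": "success"},
    {"ts": "2024-03-20T09:00:00", "user": "bob@example.com", "ip": "192.0.2.55",
     "lat": 48.8, "lon": 2.35, "managed": True, "result": "success"},
] + [
    # One source IP failing against twelve different accounts: spray pattern
    {"ts": f"2024-03-20T09:{m:02d}:00", "user": f"user{m}@example.com",
     "ip": "192.0.2.99", "lat": 52.5, "lon": 13.4, "managed": False,
     "result": "failure"}
    for m in range(10, 22)
]


def ts(event):
    return datetime.fromisoformat(event["ts"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=900.0):
    """Consecutive successful logons by one user that imply a speed above
    max_speed_kmh (roughly airliner speed). Returns (user, ip1, ip2, kmh)."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=ts)
        for prev, cur in zip(evs, evs[1:]):
            hours = (ts(cur) - ts(prev)).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_speed_kmh:
                hits.append((user, prev["ip"], cur["ip"], speed))
    return hits


def unmanaged_success(events):
    """Successful logons from devices not enrolled in management: what a
    'corporate endpoints only' conditional-access policy would have blocked."""
    return [(e["user"], e["ip"]) for e in events
            if e["result"] == "success" and not e["managed"]]


def password_spray(events, min_users=10, window_minutes=60):
    """Source IPs whose failed logons touch at least min_users distinct
    accounts inside any window_minutes window. Returns {ip: distinct users}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=ts)
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:]
                     if (ts(x) - ts(start)).total_seconds() <= window_minutes * 60}
            if len(users) >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


def triage(events):
    return {
        "impossible_travel": impossible_travel(events),
        "unmanaged_success": unmanaged_success(events),
        "password_spray": password_spray(events),
    }


if __name__ == "__main__":
    for kind, hits in triage(EVENTS).items():
        print(kind, hits)
```

On the constructed data, alice's London-to-New-York pair is flagged as impossible travel, her second logon is also flagged as coming from an unmanaged device, and 192.0.2.99 is flagged for spraying twelve accounts in one window. Each finding maps to a control in the list: the travel and spray hits are what risk-based MFA challenges or sign-in blocks should key on, and the unmanaged-device hit is exactly what a managed-endpoints-only policy prevents.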

Organizations should also continuously monitor the Dark Web and the open Web for leaked employee credentials, as well as those of business partners whose access could be leveraged through third-party connectivity and shared assets. They should likewise search for infostealer logs that contain their employees' or partners' logins, since those logs are sold cheaply and in bulk.

When organizations find credentials for sale, they can reset the passwords and revoke existing sessions and tokens so that IABs can no longer use them for access. If the credentials cannot be changed quickly (for example, a service account that would cause an outage), organizations can at least watch for access attempts with those credentials and block them.
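A worked version of the triage described in the two paragraphs above: parse a stealer-log listing, decide what to do with each credential, and watch for misuse of the ones that cannot be rotated. This is an added example, not Sygnia's or Dark Reading's code; the URL/USER/PASS layout, the corporate and partner domains, the directory, the non-rotatable account, the internal network range, the leak timestamp and the auth events are all constructed for it.

```python
"""Triage of credentials found in a stealer-log listing.

Added example, not Sygnia's or Dark Reading's code. The URL/USER/PASS
layout, the directory, the domain lists, the leak timestamp and the
auth events are all constructed for the example.
"""
import ipaddress
import re
from datetime import datetime
from urllib.parse import urlparse

# Constructed stealer-log excerpt (not real data).
STEALER_LOG = """\
URL: https://vpn.example.com/remote/login
USER: j.doe@example.com
PASS: Winter2024!
URL: https://mail.google.com/
USER: j.doe.personal@gmail.com
PASS: Winter2024!
URL: https://portal.example.com/
USER: svc-backup
PASS: B@ckup#1
URL: https://sso.example.com/
USER: m.lee@partner.example.net
PASS: Partner!23
"""

CORP_DOMAINS = {"example.com"}                    # assumed corporate domain
PARTNER_DOMAINS = {"partner.example.net"}         # assumed vendor domain
DIRECTORY = {"j.doe@example.com", "svc-backup"}   # assumed identity store
NON_ROTATABLE = {"svc-backup"}                    # assumed: reset would cause an outage
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal ranges


def parse_stealer_log(text):
    """Split URL/USER/PASS triples into dicts."""
    triples = re.findall(r"URL:\s*(\S+)\s*USER:\s*(\S+)\s*PASS:\s*(\S+)", text)
    return [{"url": u, "user": usr, "password": p} for u, usr, p in triples]


def corporate_target(url):
    host = urlparse(url).hostname or ""
    return any(host == d or host.endswith("." + d) for d in CORP_DOMAINS)


def classify(entry, corp_passwords):
    """Decide the response for one leaked credential."""
    user = entry["user"]
    if not corporate_target(entry["url"]):
        # Personal account, but the same password as a corporate login:
        # the reuse the article warns about.
        return "reuse_warning" if entry["password"] in corp_passwords else "ignore"
    if user in NON_ROTATABLE:
        return "watchlist"           # cannot change: detect and block instead
    if user.rsplit("@", 1)[-1] in PARTNER_DOMAINS:
        return "notify_partner"      # third-party access, owner must reset
    if user in DIRECTORY:
        return "force_reset"         # reset password, revoke sessions/tokens
    return "unknown_account"


def triage(text):
    entries = parse_stealer_log(text)
    corp_passwords = {e["password"] for e in entries if corporate_target(e["url"])}
    actions = {}
    for e in entries:
        actions.setdefault(classify(e, corp_passwords), []).append(e["user"])
    return actions


# Constructed auth events used to watch for misuse of non-rotatable accounts.
LEAK_SEEN = datetime.fromisoformat("2024-03-20T12:00:00")
AUTH_EVENTS = [
    {"ts": "2024-03-19T22:10:00", "user": "svc-backup", "ip": "10.0.4.12", "result": "success"},
    {"ts": "2024-03-21T03:15:00", "user": "svc-backup", "ip": "198.51.100.23", "result": "success"},
    {"ts": "2024-03-21T03:16:00", "user": "j.doe@example.com", "ip": "198.51.100.23", "result": "failure"},
]


def watchlist_hits(watchlist, events, since=LEAK_SEEN):
    """Successful logons by watchlisted accounts, after the leak was seen,
    from outside the internal ranges: candidates for immediate blocking."""
    hits = []
    for e in events:
        if e["user"] not in watchlist or e["result"] != "success":
            continue
        if datetime.fromisoformat(e["ts"]) < since:
            continue
        if any(ipaddress.ip_address(e["ip"]) in net for net in CORP_NETS):
            continue
        hits.append(e)
    return hits


if __name__ == "__main__":
    actions = triage(STEALER_LOG)
    print(actions)
    print(watchlist_hits(set(actions.get("watchlist", [])), AUTH_EVENTS))
```

The password-reuse check compares plaintext values because stealer logs contain plaintext; against a live directory you would instead hash each leaked value with the directory's scheme and compare hashes, so the plaintext never leaves the triage host. The watchlist branch is the fallback the paragraph describes for credentials that cannot be changed: the external logon by svc-backup after the leak date is the event to block, while the earlier internal logon is not.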

IABs are enabling ransomware's growth by taking care of the first step in an attack: gaining access. Organizations that secure their user identities, and that find and neutralize leaked credentials before they are sold on, can keep IABs from succeeding.
