Names such as Novelli, orangecake, Pirat-Networks, SubComandanteVPN, and zirochka are unlikely to mean anything to a vast majority of enterprise security teams. But for ransomware operators and other cybercriminals looking for quick access to enterprise networks, these were the brokers to approach for a major portion of last year.
Between them, the five entities accounted for some 25% of all access offers to enterprise networks that were available for sale on underground forums between the second half of 2021 and the first half of 2022. For an average price of around $2,800, these so-called initial access brokers (IABs) sold stolen VPN and remote desktop protocol (RDP) account details and other credentials that criminals could use to break into the networks of more than 2,300 organizations around the world, without breaking a sweat.
A Vast & Growing Marketplace
The five operators were the leaders in a much bigger and fast-growing market of hundreds of other similar IABs that security firm Group-IB discovered when conducting research for its 11th annual report on high-tech crime, released this week.
The company's research showed a sharp year-over-year growth in the number of IABs operating in underground forums and markets — from 262 in the immediately preceding 12-month period to 380 in the period between the second half of 2021 and the first half of 2022. Some 327 of the IABs that Group-IB observed operating during that period were new entries in the space.
Group-IB researchers also uncovered a 41% increase in the number of countries to which compromised entities belonged — from 68 a year earlier to 96 over the period of its study. Nearly a quarter — 24% — of all initial access offers involved the networks of US-based organizations. Other countries with a relatively high number of victims included Brazil, Canada, France, and the UK.
"As access sales continue to grow and diversify, IABs are one of the top threats to watch in 2023," warned Dmitry Volkov, CEO of Group-IB, in a statement accompanying the new report.
"Initial access brokers play the role of oil producers for the whole underground economy," he noted. "They fuel and facilitate the operations of other criminals, such as ransomware and nation-state adversaries."
"Opportunistic Locksmiths of the Security World"
The value proposition of IABs in the cybercrime economy is that they give other cybercriminals a way to gain an easy foothold on a target network without their having to do any legwork upfront. IABs do the technical work of breaking into a network and stealing credentials — such as those associated with VPNs, RDP services, Active Directory, and remote management panels — that provide subsequent access to it. Often, they can drop Web shells on a compromised network to ensure persistent future access to it and then sell the Web shells. In a report last year, researchers from Google's Threat Analysis Group described IABs as the "opportunistic locksmiths of the security world" who specialize in breaching a target and offering access to it to the highest bidder.
Fueling the Ransomware Economy
IABs offer their wares to anyone willing to purchase them, and the market for their services has grown rapidly over the past two years or so. But their biggest customers of late have been ransomware operators.
A new study by threat intelligence firm KELA showed that several major ransomware attacks involving groups such as Hive, Sodinokibi, BlackByte, and Quantum started with network access from an IAB. In one instance, members of the Conti ransomware group joined an IAB to target organizations in Ukraine.
"The most notable incident was related to the attack on Medibank, an Australian insurance provider, which was attacked after network access to the company was sold on a private Telegram channel," KELA said.
Group-IB's researchers found that 70% of the access types that IABs offered were RDP and VPN account details. Many of the offers — 47% — involved access with administrator rights on the compromised network. Twenty-eight percent of advertisements in which rights were specified involved domain administration rights, 23% had standard use rights, and a small fraction provided root account access.
Group-IB researchers also found IAB advertisements for access to Citrix environments, multiple Web panels for CMS and cloud servers, and Web shells on compromised systems. In some instances, IABs even offered to launch lateral-movement payloads such as Cobalt Strike Beacon or Metasploit sessions on behalf of the buyer. But offers for these credentials and services tended to be less common than those involving RDP and VPN credentials.
Organizations for which access offers were most commonly available in underground forums and marketplaces included manufacturing companies, financial services firms, real estate organizations, education, and information technology firms.
Group-IB found that the sharp increase in the number of entities operating in the IAB space during the period of its study had pushed prices down for most categories of initial access.
The average price of $2,800 that the company observed was, in fact, less than half of the $6,500 that IABs used to charge on average for the same access a year previously.