Cyber criminals are selling access to more than 500 corporate networks worldwide. For the price of a small private island, a single cyber criminal or group of cyber criminals could purchase access to all listed networks.
Once in the networks, cyber criminals can deploy malware that collects data, steals resources, causes source code leaks, uninstalls security programs and otherwise illicitly enriches the hackers and harms business operations.
What is perhaps most concerning is that, in theory, cyber criminals can leverage access to a single network to catalyze a chain of network intrusions, a genuine concern for organizations with extensive lists of partners, third-party suppliers, and corporate clients.
Intrusion prevention tips
Initial access brokers function as ‘middlemen’ for malware-based attacks, selling opportunities to launch ransomware and Ransomware-as-a-Service based programs. Proactively protect your organization from network intrusions. Tactics to implement:
- Place remote access servers behind VPNs.
- Enable multi-factor authentication.
- Conduct phishing training to prevent credential theft.
- Ensure that employees select strong passwords and store them securely.
- Ensure that your organization does not have RDP vulnerabilities.
Initial access brokers (IABs) typically gain entry via credential theft, webshells or exploitation of vulnerabilities in publicly exposed hardware.
IABs' reasons for not leveraging the network access themselves vary. Some of these hackers lack diverse intrusion skills, while others prefer to avoid potential law-enforcement crack-downs.
By the numbers
During the third quarter of 2022, 110 hackers posted 576 initial access offerings, which totaled $4 million in retail value. Across these listings, the average sale price was $2,800. The median selling price reached $1,350.
In one unique instance, cyber security researchers observed a single access listing available for purchase at the unusually high price of $3 million. Researchers had their doubts about this listing’s authenticity.
Most targeted country
In the third quarter of this year, access to American companies accounted for 30.4% of all initial access broker listings, with 6X more listings than those targeting the runner-up nation, Brazil. By comparison, organizations in Brazil accounted for 5.38% of initial access broker listings.
Most targeted sector
In assessing the most commonly targeted sectors, researchers determined that professional services, manufacturing and technology firms topped the list.
- The professional services industry made up 13% of initial access broker listings.
- The manufacturing sector made up 10.8% of initial access broker listings.
- Technology firms made up 9.4% of initial access broker listings.
Who are these initial access brokers?
The top initial access brokers are known as r1z, Salvador_Dali and Orangecake. But don’t let the innocuous-sounding names fool you…
The top three initial access brokers run a large-scale operation, offering between 40 and 100 access opportunities during Q3 of this year.
An analysis of hacking forum discussions and marketplace listing removal events indicates that cyber criminals sell corporate access in as little as a day and a half after placing an advertisement on the dark web.
The value of initial access sales has risen sharply in recent months, specifically during Q3 of this year. For comparison, the entire value of initial access sales during Q2 was $660,000, roughly 6X less than what it is now.
Does this mean more breaches or fewer? Tough to say. However, the hackers who do purchase access are on a mission, meaning that your organization needs to adopt powerful, high-impact multi-layered prevention, detection and incident response protocols.