Working from home during the coronavirus pandemic and new malware techniques led to a surge in trading of compromised or hacked remote access in 2020. Offers for RDP, VPN and Citrix gateway access have reached a new high and are being sold at high prices on forums and marketplaces in the darknet.
As a recent report by Digital Shadows shows, "Initial Access Brokers" in particular are climbing further up the hierarchy of the cybercriminal ecosystem.
Initial Access Brokers (IABs) are considered the fastest-growing "professional group" among cyber criminals. In a cyber attack, IABs act only as middlemen: they compromise accounts and access paths in advance and then sell them to other criminals. Their regular customers are mainly ransomware groups looking for a suitable entry vector through which to spread their ransomware. This division of labor in cybercriminal networks has been known since 2017. With COVID-19 and the shift from the office to working from home, however, it has now reached a new high. At the same time, demand from ransomware operators grew last year, creating ideal conditions for the rise of the Initial Access Broker.
The growing market for remote access is particularly visible on the relevant darknet forums. Many marketplaces have restructured their platforms and even given IAB offers a section of their own. In a snapshot of the best-known marketplaces, Digital Shadows analysts counted over 500 offers. The average price for a compromised access is around $7,100. The price can be higher, however, depending on the size, industry and revenue of the victim company, the type of access (e.g. RDP, VPN) and the IT systems it reaches. In Switzerland, buyers pay an average of USD 101,745 per access. Pricing may also be related to the most targeted sectors, which include retail (10% of offers), the financial sector (9%) and technology (7%).
RDP (Remote Desktop Protocol) is the most frequently traded type of remote access, at 17% of offers. RDP access lets an attacker take over a victim's machine completely, read its data and plant malware. According to the FBI, ransomware attackers use RDP as their entry point in 70-80% of cases. The recently disclosed attack on a drinking water plant in Florida, in which the intruder raised the setpoint for caustic soda (sodium hydroxide) in the treatment process, was most likely carried out through compromised remote access to one of the utility's systems. Besides RDP, domain administrator rights (16%), VPN access (15%), Citrix applications (7%), control panels (6%), CMS access (5%) and shell access (5%) are increasingly being traded.
"In times of remote workplaces and ransomware, initial access brokers are riding high because their goods perfectly meet market demand," explains Rick Holland, CISO at Digital Shadows. "This development is extremely dangerous for companies and organizations, mainly because the risk of falling victim to a ransomware attack is higher than ever. Detecting IAB offers using darknet monitoring tools can give cyber threat intelligence teams the decisive edge to prioritize countermeasures, secure access and thus ward off potential attacks at an early stage."