initial access brokers the indispensable link in the cybercrime supply chain banner

Initial Access Brokers: The Indispensable Link in the Cybercrime Supply Chain

This year is on track to be a record-breaker for ransomware groups. Blockchain analysis reveals that “inflows” to cryptocurrency addresses associated with criminals reached $460m in the first half of 2024, up from $449m in the same period last year. And the median ransom payment for some of the most prolific ransomware groups has surged from just under $200,000 in early 2023 to $1.5m in mid-June 2024.

Now, there are many reasons why ransomware groups, and the cybercrime underground in general, continue to flourish. But a big part of their success lies with the initial access broker (IAB): a critical player in the cybercrime supply chain. Finding a way to mitigate their tactics, techniques and procedures (TTPs) will be vital if organisations want to minimise their exposure to financial and reputational risk.

Eyes on the Prize

At a very simple level, IABs are so important because they focus on one thing and do it exceptionally well. By concentrating on the first stage of an attack only, they insulate themselves from law enforcement—something they also achieve by working privately with ransomware-as-a-service (RaaS) affiliates. On the other side, by outsourcing to the IAB the time-consuming work of selecting targets and gaining access to victim organisations, other cyber-criminals can focus more of their time on scaling their efforts.

When not working privately with RaaS groups, IABs list their services on hacking forums, which enables researchers to get a better-informed picture of the market. According to a new Cyberint report, some offer bundled deals, while others sell access individually, and highly trusted individuals may require buyers to contact them directly without providing any information at all.

The report highlights three main types of IAB. Those that sell access to:

  • Systems compromised by backdoors and other malware installed on networked computers
  • Servers compromised through brute-forcing Remote Desktop Protocol (RDP)
  • Compromised network devices, such as VPN servers and firewalls, which provide a stepping stone into the corporate network

According to Cyberint, RDP access was most common in 2023, accounting for over 60% of IAB listings. However, so far this year, RDP access (41%) has been challenged by VPN compromise (45%).

Other access types include:

  • Email: Often via compromised credentials, which allows attackers to read, send and manipulate emails
  • Database: Via stolen credentials or vulnerability exploitation
  • Webshell: These are scripts that allow threat actors to remotely administrate/execute commands on a targeted server
  • Shell/command-line access: Providing a command-line interface to a compromised system, which enables direct execution of commands
  • File shares: Access to shared drives and file servers, often through compromised credentials or lateral movement

IABs may also list their sales by privilege type – domain admin, local admin or domain user – with the higher privileged access costing more. Although access to some valuable environments may result in listings priced at more than $10,000, most IAB posts fall between $500-$2000. That’s an indication of the commoditised nature of the market. In fact, although IABs are increasingly focusing on high-revenue corporate victims, the average price for listings has dropped 60% annually to $1,295, according to Cyberint.

Will IABs Come After Your Organisation?

Over a quarter (27%) of listings analysed by Cyberint in 2024 were for access at organisations of over $1bn in revenue. In fact, the average revenue of victims so far this year is $1.9bn. But that doesn’t mean smaller organisations are off the hook, according to Cyberint security researcher, Adi Bleih.

“In the first half of 2024, our data reveals that organisations with revenues under $10m made up 18.5% of all access listings on major underground forums. This translates to nearly one in five targeted organisations being SMBs, highlighting a significant risk to this sector,” he tells ISMS.online.

“Looking more broadly at medium-sized businesses with revenues between $10m and $100m, 29.5% of all targeted organisations fall within this range. This means businesses earning under $100m make up 48% of all initial access broker targets.”

Elsewhere, US organisations are most likely to be in the crosshairs, accounting for nearly half (48%) of IAB listings studied. That’s followed by France, Brazil, India, and Italy. However, given the UK is a top-two ransomware target, there’s plenty to keep British CISOs awake at night. According to the report, the most targeted sectors are business services, finance, retail, technology, and manufacturing. The latter increased from 14% of listings in 2023 to 23% so far this year.

Blocking Initial Access and Beyond

Although no organisation is truly safe from IAB attacks, the good news is that the threat actors themselves tend to stick to tried-and-tested hacking techniques. That means best practice security will help network defenders get a long way to neutralising either initial access, or what comes next. Cyberint recommends simple steps like multi-factor authentication (MFA), least privilege access policies, regular patching, security awareness training, restricted RDP usage, intrusion detection (IDS), network segmentation, and dark web monitoring.

Fortunately, best practice standards and frameworks are a great way to formalise such practices.

As an example, ISO 27001 addresses the following:

  • Access Control: (Annex A.9). Helps to reduce the chance of IABs infiltrating their networks.
  • Incident Management and Response: (Annex A.16) Rapid detection and response to initial access can help to contain breaches before they can be monetised.
  • Security Awareness and Training: (Annex A.7.2.2) This reduces the likelihood of IABs gaining access via human error, such as phishing or weak passwords.
  • Network Security Controls: (Annex A.13) Dividing the network into smaller, isolated segments limits threat actors’ ability to move laterally once inside the network.
  • Monitoring and Logging: Continuous monitoring and logging of network activity detects and alerts to any unauthorised access attempts.
  • Firewall and IDS/IPS Configuration: Proper configuration helps to detect and block suspicious network activities more effectively.
  • Patch Management and Vulnerability Management: (Annex A.12.6.1) Reduces the number of exploitable vulnerabilities IABs may use to gain initial access.
  • Supply Chain Security: (Annex A.15) Helps prevent IABs from gaining unauthorised access through insecure third parties.
  • Cryptography and Data Protection: (Annex A.10) Data encryption will limit the value of what is accessed following an IAB breach.
  • Physical and Environmental Security: (Annex A.11) Reduces the risk of IABs gaining initial access via physical means, such as a compromised employee.

ISO 27001 is based on a Plan-Do-Check-Act (PDCA) cycle, which emphasises continuous improvement of the information security management system (ISMS). Regular internal audits, management reviews, and security updates in line with continuously evolving threats will keep corporate defences fit for purpose over time. IAB attacks are inevitable. But successful breaches don’t have to be.

Author

Phil Muncaster

Phil Muncaster has been an IT journalist for 15 years. He started out as a reporter on enterprise IT title IT Week in 2005 and progressed to the role of News Editor before leaving to pursue a freelance career. Since then, Phil has written for titles including The Register, where he worked as Asia correspondent whilst based in Hong Kong for over two years, MIT Technology Review, SC Magazine, Infosecurity Magazine and others.

View all posts by Phil Muncaster

Related Posts

Explore ISMS.online's platform with a self-guided tour - Start Now