Hackers selling initial access in underground forums

Selling Network Initial Access Methods in Underground Forums Worth Millions as Brokers Turn To Private Conversations

KELA report says that initial access brokers continued making a killing in the underground forums by selling initial network access tactics, techniques, and procedures (TPP) to various threat actors, including ransomware operators.

The report noted that ransomware operators increasingly depended on purchased initial access as the primary initial entry point to corporate networks.

Additionally, KELA found that a few initial access methods dominated the underground markets, thus becoming the traditional means of compromising networks.

KELA added that the sale of initial access TTPs increasingly turned to private conversations to prevent disruption by security researchers. KELA believes monitoring access brokers’ underground activities was vital in securing organizations.

Initial access TTPs averaging over $6,500, cumulatively worth millions

The threat intelligence firm KELA found that nearly 250 initial network accesses offered were listed for sale in Q4 2020, cumulatively worth over $1.2 million.

The total sales averaged about 80 initial accesses monthly, of which 14% were confirmed as successfully sold. However, the total listings sold in Q4 were 25% lower than those observed in Sep 2020.

The cumulative total value for all closed initial access sales was $133,900. Each initial access method averaged about $6,684 with a median price of $1,500. The modestly-priced TTPs provided domain-type access to medium-sized organizations with hundreds of employees. However, almost a quarter (24%) of the listings did not specify the price.

The maximum price was equivalent to 7 Bitcoins, while the least averaged about $15. The top three most popular sales were priced at $35,000, 1 BTC, or $10,000.

Most TTPs sales moving to private conversations in underground forums

KELA report says that the number of listed initial access TTPs could be higher than indicated because most transactions moved to private conversations. This development was to avoid interruptions by security researchers who frequently blow the whistle on compromised networks.

“It seems that the initial network access market is bigger than what we are observing in public conversations happening on underground forums,” Victoria Kivilevich, Threat Intelligence Analyst at KELA noted. “To understand the real scope of threats, it’s necessary to keep tracking notorious initial access brokers and their TTPs, engage with them regularly, and identify new types of threats that may emerge.”

RDP and VPN with RCE vulnerabilities the most widely used initial access methods

The report found that the attack surface expanded during Q4 2020, with access brokers introducing newer initial access types.

However, the sale of the remote desktop protocol (RDP) and Virtual private network (VPN) vulnerabilities still dominated the criminal underground forums. They constituted about 45% of initial access methods, making them the traditional unauthorized access methods.

Most VPN and RDP offers had remote code execution (RCE) vulnerabilities with access to Citrix networking and virtualization products. The threat actors mostly offered them through ConnectWise and Teamviewer software, providing attackers with “RDP-like capabilities.”

The report noted that Pulse Secure and Fortinet VPNs’ login credentials were used to breach various organizations after users’ login credentials circulated in the underground forums.

Four geographical regions are mostly targeted

Surprisingly, 40% of all initial access TTPs sold in the underground forums targeted four geographical regions. Initial access TTPs from the United States, Europe (unspecified), UAE, and France were mostly sought or traded.

Few brokers dominate the criminal underground supply of initial access methods

KELA also noted a clique of ten access brokers dominated the dark web in selling access to compromised networks. The top five most notorious threat actors with more than 10 initial accesses include:

  • Crasty – active in Russian-speaking forums, offering Citrix/RDWeb accesses for Australian, French, US companies and universities.
  • Pshmm – known for RMM accesses to US companies using Zoho’s ManageEngine Desktop Central. The threat actor relies on weak credentials to gain initial entry, suggesting that brute-forcing could be involved.
  • Drumrlu / 3lv4n – known for providing initial access related to VMware ESXi software.
  • Barf – sells RDP privileged access to companies in France, the US, Brazil, Spain, Italy, and Germany.
  • 7h0rf1nn – offers RCE and webshells initial access methods.

The dominant hackers had dedicated threads on underground forums listed as “Buy Network Access to Corporations” or equivalent. They would also go quiet and reappear with valuable and sometimes “pricey” offers.

IT organizations, large corporations, and government units attract a premium price

Pricey offers include IT organizations, large corporations, and government units. KELA found a US IT and another unspecified IT firm compromised through ConnectWise valued at 5 BTC and 30,000, respectively. The broker claimed that the companies had many clients who could be compromised as well.

Similarly, a $35,000 access to the Texas government was sold privately by a known threat actor on the same day it was listed, while the Panasonic India compromise was listed at $500,000.

However, KELA noted that some of the overpriced and pricey listings could not sell and were eventually marked as “irrelevant.”

Underground markets becoming increasingly customer-oriented

The buyers were also picky, with some specifying the type of company they intended to compromise. This development turned the business into more “customer-oriented.” For example, a threat actor enquired about obtaining remote access to US companies having a minimum of $300 million in revenues.

Access brokers becoming affiliates for a bigger cut

The researchers also noted that the access sellers were turning into affiliates, exchanging initial access TTPs for a commission after a ransomware attack payout.

“Such activity shows that some of the initial access brokers intend to graduate into affiliates, chasing bigger profits and a steady place in the ransomware ecosystem,” the report found.

Selling network initial access methods is a million-dollar-business in criminal underground forums. Access brokers also preferred trading in private conversations. #cybersecurity #respectdata Click to Tweet

KELA notes that monitoring underground access brokers’ activity was a crucial cybersecurity undertaking alongside educating employees and patching discovered vulnerabilities. Similarly, enabling the two-factor authentication (2FA) for VPN and RDP connections would add a layer of security in case remote access login credentials inadvertently leaked.