Blurred downtown alley at night showing network access sale on underground forums by cybercriminals

Tight-Lipped Threat Actors Making Five Figures Selling Enterprise Network Access On Underground Forums

Threat intelligence firm IntSights analyzed cybercrime underground forums and discovered that some threat actors preferred selling network access to third parties for up to five figures instead of exploiting the networks themselves.

Additionally, the hackers did not usually disclose the victim’s name to potential buyers to prevent the breached organizations from discovering the compromise and closing the loopholes.

These auctioned network accesses were enablers for ransomware attacks by expanding the attack surface through remote access tools relied upon during the covid-19 pandemic remote work period.

The researchers also noted that the booming sale of network access allowed hackers to create cybercrime businesses and also benefit from breaches that would have gone to waste.

Hackers made five figures selling network access on underground forums

Sampling 46 network access sales on dark web forums, between September 2019 and May 2021, IntSight’s researchers found the average price for 40 sales was $9,640, while the median price was $3,000.

Only the top quartile or 10 out of 40 network access sales met or exceeded the average price. The higher price range began at $10,000, with 3 out of 40 sales selling for this price. One hacker made $66,000 selling network access to a hospitality operator with a customer loyalty reward program.

Out of the ten lowest prices, nine were just three figures representing the huge gap between top and bottom sellers.

“An examination of the higher and lower prices sheds light on the factors that influence pricing,” the research stated. “For example, the single lowest price of $240 was for network access to a healthcare organization in Colombia.”

Additionally, the level of access, the victim’s size, and revenue, the industry, and location determined the price of network access on underground forums. For example, most network access sales were from North American companies (37.5%), followed by Europe (17.5%), Asia Pacific (17.5%), the Middle East and North Africa (17.5%), and Latin America (10%). The exception was India, whose outsourcing industry provided an entry point into North American businesses and the widespread use of English in conducting business.

Cybercriminals also preferred victims from harder to compromise industries. For example, network access to healthcare was less lucrative because the industry was perceived as easier to compromise. Technology and telecommunications were the most lucrative industries, representing over a fifth (22%) of all victims. Financial services, energy, and industrial, healthcare, and pharmaceuticals, tied at a close second position, with 19.5% each. Automotive (9%), retail and hospitality (6.5%), and professional services (4%) followed at a distance.

Profitability is remarkedly high in companies whose profitability relies on public-facing web applications such as eCommerce and online banking. However, the hackers also decided to sell network access to ransomware attackers for organizations with less data, less valuable data, or information that require skills that the initial attacker does not have.

Means of exploiting organizations include compromising SQL databases on online applications such as WordPress and remote code execution (RCE) vulnerabilities. Others include privilege escalation using malware, redundancy for purchased access, and remote access tools like VPN and RDP. These forms of remote network access usually involve domain administrator credentials that criminals sell at attractive prices on the underground criminal forums.

Russian-speaking underground forums are highly secretive

The researchers discovered that most (65%) network access sales were from Russian-speaking underground forums. This position reflected the dominant position of Russian underground criminals in the cybercrime market.

However, there was a predominance of the underground forums with just a few threat actors (7) responsible for most (56.5%) network access sales.

Additionally, cybercriminals were becoming more aware that cybersecurity researchers and law enforcement were monitoring their activities. Thus, they usually avoided naming their victims on underground forums to avoid exposing their breaches.

“The minority of sellers that do disclose the names of their victims in public posts are usually on English-speaking forums, where some users may be less discreet than their Russian-speaking counterparts,” the researchers wrote.

Perhaps the secrecy on Russian underground forums allowed them to succeed more earning them a dominant position in the cybercrime underground market.

Additionally, the access brokers had the liberty to disclose their victims to the buyer, and sometimes they did not disclose them. The sellers adopted this strategy because the buyers did not make any commitments to buy after identifying the victims.  Consequently, the criminals usually looked at the track record of the potential buyers before deciding whether to disclose the victim’s identity.