How can we reduce threats from the IAB market?

Question: How can we prevent initial access brokers from selling access to our networks to any ransomware authors who want it?

Ram Elboim, CEO of Sygnia: As ransomware continues to grow as a cyber threat, the specialization of cybercriminal groups has given them an advantage in efficiency. One of the fastest-growing specializations is the initial access broker (IAB): an operator to whom ransomware groups outsource the work of gaining access to victims’ networks.

At the start of a ransomware attack, the attacker needs initial access to the targeted organization’s network, and this is where IABs come into play. IABs tend to be opportunistic, lower-level threat actors who systematically gain access to organizations, often through phishing or spam campaigns, and then sell that access on underground forums to other actors, including ransomware-as-a-service (RaaS) affiliates. Affiliates, who constantly need access to new organizations to stay active, increasingly rely on IABs to provide it.

Also known as access as a service, the off-the-shelf access offered by IABs has become an integral part of the ransomware ecosystem. IABs provide the initial intelligence and access that ransomware groups need to penetrate a network, so that operators can quickly target a wider range of victims, enter their networks, and move laterally until they gain enough control to launch an attack. It is an efficient model for perpetuating cybercrime, and it helps fuel the growth of ransomware.

How IABs gain access

IABs generally take the simplest path to network access, most often through virtual private networks (VPNs) or Remote Desktop Protocol (RDP). Threat actors can exploit some of the many VPN vulnerabilities that researchers have disclosed in recent years, or they can scan a network for exposed RDP ports and use various techniques to obtain login credentials.

Overall, about two-thirds of the types of access offered for sale on the Dark Web are RDP and VPN accounts that allow direct connections to victims’ networks, according to data in Group-IB’s “Hi-Tech Crime Report.” Citrix access, various web panels (such as content management systems or cloud solutions), and web shells on compromised servers are less common. Leaked email credentials and infostealer logs are also very popular, widely available, and cheap.

Ransomware operators use the Dark Web to purchase credentials to penetrate targeted networks. Group-IB found that initial access offerings more than doubled between 2021 and 2022, while the number of IABs increased by nearly 50%. Pricing for enterprise access can start at just a few dollars and go up to hundreds of thousands of dollars for high-value targets.

The proliferation of credentials on dark markets poses a major risk to organizations across industries around the world. Whether the threat comes from low-level individual hackers or highly skilled cybercrime operations, organizations must strengthen their access protections.

Uncover the threat of stolen credentials

IABs and their RaaS affiliates need only one entry point for each targeted organization to launch their attacks, and this gives them a distinct advantage. Any employee can unintentionally give these threat actors the access they need, through phishing scams, infostealer deployment, or other means. In some cases, threat actors can access an employee’s home computer, rather than an office workstation, and use it to break into the company network. This makes mitigating the threat a very difficult challenge. But there are effective steps an organization can take.

We have observed dozens of ransomware incidents where the root cause of the attack was stolen login credentials. In most of these incidents, however, our threat intelligence team detected some of these leaked credentials by monitoring social media channels, dark web forums, and underground marketplaces.

In one such incident, a customer was hit with an extortion attack by a major ransomware group. While launching the investigation, our threat intelligence team identified a request for the victim’s credentials in a malicious Telegram channel where perpetrators can request leaked data and receive answers immediately via a bot. We later found that the first evidence of the attacker’s access to that network dated from just a few days after the request was submitted.

In another incident related to a ransomware attack, our threat intelligence team detected a pair of infostealer logs offered in the Russian market that contained access to victim resources. Once these logs were purchased and analyzed, the team extracted leaked credentials belonging to an employee of a third-party vendor, which the incident response team later discovered was the root cause of the initial access.

Mitigate the threat of compromised credentials

At least some of these attacks could have been prevented if the leaked credentials had been discovered and neutralized quickly. Several countermeasures are available to mitigate credential compromise, starting with steps that have proven effective against the misuse of network identities:

  • Require multi-factor authentication (MFA) across the enterprise. Reduce the risks of MFA fatigue by adding context to push notifications, requiring a code, or offering alternative methods, such as TOTP (time-based one-time password) or Fast Identity Online (FIDO).

  • Allow access to company services only from company-managed endpoints or networks.

  • Guide employees to avoid reusing personal passwords for company accounts. Consider providing them with a corporate password repository to help them manage their passwords.

  • Monitor for and detect anomalies in attempts to access company resources. This can be achieved by leveraging the built-in features of identity providers such as Microsoft Entra ID and Okta.

  • Implement single sign-on (SSO). SSO providers usually offer stronger security capabilities, although these are not necessarily related to the risk of credential leaks.

Organizations should also continually monitor the Dark Web and Open Web for leaked employee credentials, as well as those of business partners whose access could be exploited through third-party connectivity and shared resources. They should also look for infostealer logs containing compromised credentials and data of employees or business partners.

When organizations find credentials for sale, they can change them so that IABs are no longer able to use them for sign-in. If credentials cannot be changed, organizations can at least detect login attempts and block them.
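One way to turn the two steps above into a repeatable check, as an added example that is not part of the original article or Sygnia’s tooling: match a leaked-credential feed against company services to build the reset list, then flag sign-ins by those accounts that lack MFA or come from an unmanaged device outside a company network. The feed and log formats, field names, domains and networks are constructed assumptions for illustration.

```python
import ipaddress

# Constructed sample feed of leaked-credential hits, in the shape a dark-web /
# infostealer-log monitoring service might return (hypothetical fields).
LEAKED_FEED = [
    {"domain": "vpn.example.com", "username": "alice@example.com", "source": "infostealer-log"},
    {"domain": "mail.example.com", "username": "bob@example.com", "source": "forum-post"},
    {"domain": "portal.example.com", "username": "vendor1@partner.example.net", "source": "market-listing"},
    {"domain": "shop.unrelated.org", "username": "alice@gmail.example", "source": "combo-list"},
]

# Constructed sample sign-in records, roughly what an identity provider exports.
SIGNIN_LOGS = [
    {"user": "alice@example.com", "src_ip": "203.0.113.7", "mfa": False, "managed_device": False, "result": "success"},
    {"user": "carol@example.com", "src_ip": "10.1.2.3", "mfa": True, "managed_device": True, "result": "success"},
    {"user": "bob@example.com", "src_ip": "198.51.100.9", "mfa": True, "managed_device": True, "result": "success"},
    {"user": "vendor1@partner.example.net", "src_ip": "192.0.2.44", "mfa": False, "managed_device": False, "result": "failure"},
]

CORPORATE_DOMAINS = {"example.com"}                 # company services we care about (assumed)
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # company-managed networks (assumed)


def exposed_accounts(feed, corporate_domains=CORPORATE_DOMAINS):
    """Usernames whose leaked login targets a company service (employee or partner);
    every account returned here should have its credential reset."""
    hits = set()
    for rec in feed:
        service_domain = rec["domain"].split(".", 1)[-1]  # vpn.example.com -> example.com
        if service_domain in corporate_domains:
            hits.add(rec["username"].lower())
    return hits


def flag_signins(logs, exposed, trusted_nets=TRUSTED_NETS):
    """Alert on sign-ins by exposed accounts that bypass the recommended controls:
    no MFA, or an unmanaged device connecting from outside a company network.
    A successful sign-in is rated high; a failed attempt still signals the leaked
    credential is being tried and is rated medium."""
    alerts = []
    for ev in logs:
        user = ev["user"].lower()
        if user not in exposed:
            continue
        ip = ipaddress.ip_address(ev["src_ip"])
        on_trusted_net = any(ip in net for net in trusted_nets)
        weak = (not ev["mfa"]) or (not ev["managed_device"] and not on_trusted_net)
        if weak:
            severity = "high" if ev["result"] == "success" else "medium"
            alerts.append({"user": user, "severity": severity, "src_ip": ev["src_ip"]})
    return alerts
```

Running the sample yields a reset list of three accounts and two alerts: Alice’s successful no-MFA sign-in and the vendor account’s failed attempt.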

IABs are enabling the growth of ransomware by taking care of the first step of an attack: gaining access. Organizations that take steps to protect user identities can prevent IABs from being able to carry out these attacks.
