They break into your network but do nothing themselves: 'Initial access brokers' resell stolen creds for $7k a pop

A growing category of cyber-crime consists of breaking into corporate networks and doing nothing else – except selling that illicit access to others for about $7,000 a go, says infosec biz Digital Shadows.

Research published today highlighted what the firm dubbed "initial access brokers" in the delightful world of online criminality. The infosec biz said it was tracking around 500 marketplaces where illicit access to breached networks is bought and sold. To be clear, this kind of trade in access has existed for a long while, it's just now apparent that it's on the rise.

"The dramatic increase in remote working coupled with ransomware's commercial success has been a perfect storm of opportunity for initial access brokers," said Rick Holland, CISO at Digital Shadows, in a canned statement.

"These actors are cashing in because of the flourishing demand and their specialization. They concentrate on one aspect of the cybercriminal ecosystem, gaining access to your network, and they do it very well."

The perils of non-disclosure? China 'cloned and used' NSA zero-day exploit for years before it was made public

READ MORE

The firm described what it said was a "notable increase" in the number of stolen-creds-for-sale postings, with the average price for a working access method being $7,100 and comprising around 17 per cent of listings seen by Digital Shadows. This price increases to $9,800 for remote desktop protocol (RDP) access, echoing research from ESET showing a 700 per cent increase in the number of RDP access attempts during 2020.

Aside from RDP breaches, gaining illicit access to a Windows domain admin account commands an average price of $8,167 and made up 16 per cent of the criminal forum ads seen by the infosec firm. Also of interest, albeit to a much lesser extent, are compromised corporate VPN credentials, with those fetching an average of $2,871 apiece.

Users of Citrix's remote working products should also be on their guard. Digital Shadows warned in its full report: "Ransomware operators, such as Sodinokibi (aka REvil), Ragnarok, Maze, DoppelPaymer, and Nefilim have all been observed exploiting Citrix systems' vulnerability in 2020."

VPN access has long been a favored tactic of criminals trying to steal valuable information or deposit ransomware, with a spate of VPN-focused attacks targeting improperly secured Pulse Secure products characterizing the early part of last year. ®