They break into your network but do nothing themselves: 'Initial access brokers' resell stolen creds for $7k a pop

So says Digital Shadows as it puts a price on illicit access methods


A growing category of cyber-crime consists of breaking into corporate networks and doing nothing else – except selling that illicit access to others for about $7,000 a go, says infosec biz Digital Shadows.

Research published today highlighted what the firm dubbed "initial access brokers" in the delightful world of online criminality. The infosec biz said it was tracking around 500 marketplaces where illicit access to breached networks is bought and sold. To be clear, this kind of trade in access has existed for a long while; it is just now apparent that it is on the rise.

"The dramatic increase in remote working coupled with ransomware's commercial success has been a perfect storm of opportunity for initial access brokers," said Rick Holland, CISO at Digital Shadows, in a canned statement.

"These actors are cashing in because of the flourishing demand and their specialization. They concentrate on one aspect of the cybercriminal ecosystem, gaining access to your network, and they do it very well."

The firm described what it said was a "notable increase" in the number of stolen-creds-for-sale postings, with the average price for a working access method being $7,100 and comprising around 17 per cent of listings seen by Digital Shadows. This price increases to $9,800 for remote desktop protocol (RDP) access, echoing research from ESET showing a 700 per cent increase in the number of RDP access attempts during 2020.

Aside from RDP breaches, gaining illicit access to a Windows domain admin account commands an average price of $8,167 and made up 16 per cent of the criminal forum ads seen by the infosec firm. Also of interest, albeit to a much lesser extent, are compromised corporate VPN credentials, with those fetching an average of $2,871 apiece.

Users of Citrix's remote working products should also be on their guard. Digital Shadows warned in its full report: "Ransomware operators, such as Sodinokibi (aka REvil), Ragnarok, Maze, DoppelPaymer, and Nefilim have all been observed exploiting Citrix systems' vulnerability in 2020."

VPN access has long been a favored tactic of criminals trying to steal valuable information or deposit ransomware, with a spate of VPN-focused attacks targeting improperly secured Pulse Secure products characterizing the early part of last year. ®
