Five cybercriminal entities sell access to 2,300 corporate networks

It’s impossible to talk about a successful cyberattack without prior access to the target company's network. Initial access brokers (IABs) are the malicious actors that perform this first step, and they are making access to enterprise networks easier to obtain than ever.

A recent news report stated that five cybercriminal operators accounted for around 25% of all enterprise network access offers available for sale on underground forums during the second half of 2021 and the first half of 2022. These initial access brokers sell details of stolen VPN and Remote Desktop Protocol (RDP) accounts, as well as other credentials that criminals can use to break into the networks of more than 2,300 organizations worldwide without difficulty. The average price for initial access is around $2,800.

It is important to note that these five operators are only the leaders of a much larger and growing market.

How does the underground access market work?

IABs gain access to systems by stealing network credentials from third parties using social engineering tactics such as phishing, by exploiting unpatched software vulnerabilities and installing malware once inside an organization, or through tailgating, brute-force or password-spraying attacks. They then offer one of the following types of access:

  • Active Directory (AD)

  • Virtual Private Networks (VPNs)

  • Root user credentials

  • Web Shell Access

  • Remote Monitoring and Management (RMM)

  • Remote Desktop Protocol (RDP)

  • Control panels

The cost of this access service varies depending on the type of organization targeted. Factors that influence the pricing range from the industry the enterprise works in to its size, number of employees and annual revenues. The organization’s vulnerability level is also considered, since it indicates the time and resources the IAB had to spend to obtain initial access, as is the type of access being sold.

According to the Dark Reading article, 70% of the types of access listed by the IABs consisted of details of RDP and VPN accounts, and 47% of the offers involved access with administrator rights on the compromised network. Of the ads that specified which type of rights had been obtained, 28% involved domain admin rights, 23% involved standard user rights, and a small fraction provided access to root accounts.

In the underground forums where IABs sell access to enterprise networks, the messages posted are usually detailed and provide potential buyers with information about the victim, the method used to gain access, and what this access can offer to interested cybercriminals.

How to avoid becoming a victim of the access-as-a-service market?

Protecting against these access-as-a-service operators requires consolidated security capable of shielding the organization's network and patching any holes it may have. Two solutions are essential in this process: multi-factor authentication (MFA) and endpoint protection.

Multi-factor authentication (MFA)

Attackers often seek out systems that rely on the traditional form of authentication, username and password, a method that provides no real protection today. Multi-factor authentication must be enforced to mitigate this weakness: if access to a network requires an extra form of authentication, stolen user credentials lose their effectiveness.

It is important to introduce this layer of protection for remote access to the network, VPN connections, email, and administrative access.

WatchGuard's multi-factor authentication solution offers extra protection using mobile device DNA, which verifies whether the authorization is coming from the authorized user's phone.

Endpoint protection

RDP protection is included in the Threat Hunting Service integrated into the WatchGuard EPDR solution. It prevents hackers from stealing credentials on RDP servers by detecting brute-force attacks and blocking communications from external servers. The best defence is to stop the attack at an early stage, so we recommend keeping RDP protection enabled at all times.
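The detection described above, and the brute-force and password-spraying techniques mentioned earlier, both rest on the same telemetry: failed logon events on the RDP server. The following Python script is an added example, not WatchGuard EPDR code or any part of the original article. It parses a constructed key=value rendering of Windows Security events (Event ID 4625 is a failed logon, 4624 a successful one, and logon type 10 is a RemoteInteractive, i.e. RDP, session) and flags two distinct patterns: many failures against one account from one source (brute force) and one failure each against many accounts from one source (password spraying, which a per-account lockout policy alone does not catch). The log lines, thresholds and window size are constructed for illustration.

```python
"""Detect RDP brute-force and password-spraying patterns in Windows
failed-logon telemetry. Added example for this article; it is not
WatchGuard EPDR code. Event ID 4625 = failed logon, 4624 = successful
logon, logon type 10 = RemoteInteractive (RDP); these are standard
Windows values. The log lines and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed key=value rendering of Windows Security events (not a
# real capture): one brute-force run against "jsmith", one password
# spray across five accounts, plus benign noise that must be ignored.
SAMPLE_LOG = """\
2022-06-01T08:00:01 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7
2022-06-01T08:00:14 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7
2022-06-01T08:00:27 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7
2022-06-01T08:00:41 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7
2022-06-01T08:00:55 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7
2022-06-01T08:01:09 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7
2022-06-01T09:10:02 EventID=4625 LogonType=10 TargetUserName=agarcia IpAddress=198.51.100.22
2022-06-01T09:10:31 EventID=4625 LogonType=10 TargetUserName=bchen IpAddress=198.51.100.22
2022-06-01T09:11:04 EventID=4625 LogonType=10 TargetUserName=ckowalski IpAddress=198.51.100.22
2022-06-01T09:11:39 EventID=4625 LogonType=10 TargetUserName=dnguyen IpAddress=198.51.100.22
2022-06-01T09:12:10 EventID=4625 LogonType=10 TargetUserName=eokafor IpAddress=198.51.100.22
2022-06-01T10:30:00 EventID=4625 LogonType=10 TargetUserName=mlee IpAddress=192.0.2.5
2022-06-01T10:30:45 EventID=4624 LogonType=10 TargetUserName=mlee IpAddress=192.0.2.5
2022-06-01T11:00:00 EventID=4625 LogonType=3 TargetUserName=svc-backup IpAddress=10.0.0.14
""".splitlines()

WINDOW = timedelta(minutes=5)   # sliding window used by both detections
BRUTE_FORCE_THRESHOLD = 5       # failures for one account from one IP
SPRAY_THRESHOLD = 5             # distinct accounts attacked from one IP


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(kv["EventID"]),
        "logon_type": int(kv["LogonType"]),
        "user": kv["TargetUserName"],
        "ip": kv["IpAddress"],
    }


def failed_rdp_logons(lines):
    """Keep only failed (4625) RemoteInteractive (type 10) logons."""
    events = [parse_event(l) for l in lines if l.strip()]
    return [e for e in events if e["event_id"] == 4625 and e["logon_type"] == 10]


def _window_hits(events, window, count_fn, threshold):
    """Slide a time window over time-sorted events and return True if
    count_fn(slice) reaches threshold for any window position."""
    events = sorted(events, key=lambda e: e["ts"])
    start = 0
    for end in range(len(events)):
        while events[end]["ts"] - events[start]["ts"] > window:
            start += 1
        if count_fn(events[start:end + 1]) >= threshold:
            return True
    return False


def detect_brute_force(events, threshold=BRUTE_FORCE_THRESHOLD, window=WINDOW):
    """(ip, user) pairs with >= threshold failures inside one window."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["ip"], e["user"])].append(e)
    return sorted(pair for pair, evs in by_pair.items()
                  if _window_hits(evs, window, len, threshold))


def detect_password_spray(events, threshold=SPRAY_THRESHOLD, window=WINDOW):
    """Source IPs that failed against >= threshold distinct accounts
    inside one window, however few attempts each account received."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    def distinct_users(evs):
        return len({e["user"] for e in evs})

    return sorted(ip for ip, evs in by_ip.items()
                  if _window_hits(evs, window, distinct_users, threshold))


def analyse(lines):
    """Run both detections over raw log lines and return the findings."""
    events = failed_rdp_logons(lines)
    return {
        "failed_rdp_logons": len(events),
        "brute_force": detect_brute_force(events),
        "password_spray": detect_password_spray(events),
    }


if __name__ == "__main__":
    for name, finding in analyse(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

On the constructed sample the script reports 12 failed RDP logons, one brute-force pair (203.0.113.7 against jsmith) and one spraying source (198.51.100.22); the successful 4624 logon and the type-3 network logon are filtered out before either rule runs. The two rules are deliberately separate: a per-account counter never fires on the spray, and a per-source distinct-account counter never fires on the brute force, so a real detection needs both.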

Continuous endpoint monitoring prevents the execution of unknown processes and enables behavioural analysis that can expose criminals who have already gained access, protecting against advanced persistent threats. It also protects against the likes of zero-day malware, ransomware, phishing, rootkits, memory vulnerabilities and non-malware attacks.

WatchGuard EPDR not only combines endpoint protection (EPP) with endpoint detection and response (EDR); it also provides a vulnerability management module that discovers and deploys the patches needed to protect the organization. This is paramount, as unpatched vulnerabilities are one of the most common entry points criminals use.

WatchGuard EPDR also includes anti-exploit technology that protects against credential theft and prevents lateral movement by hackers using stolen credentials, making it an ideal complement to patch management.