According to a new cybersecurity report from IntSights, the dark web's thriving market for network access nets cybercriminals thousands of dollars.
Paul Prudhomme, cyber threat intelligence consultant at IntSights, examined network access sales on underground Russian- and English-language forums before compiling a study on why criminals sell the network access they have obtained and how they transfer that access to buyers.
In a sample of the data, more than 37% of all victims were from North America, with an average price of $9,640 and a median price of $3,000.
According to the study, the type of access on offer is still being used in ransomware attacks all over the world. Prudhomme notes that dark web forums enable a decentralized system in which less-skilled cybercriminals rely on one another for different stages of an attack, letting most ransomware operators simply purchase access from others.
The network access on offer includes everything from system administrator credentials to remote network access. The sale of network access has increased significantly over the last 18 months, with millions of people still working from home due to the COVID-19 pandemic. RDP and VPNs are commonly used for remote access.
Cybercriminals share malicious tools, malware, illicit infrastructure, and compromised accounts, data, and payment card details on dark web forums and marketplaces. Many of the most advanced forums and marketplaces are in Russian, but there are also many forums in English, Spanish, Portuguese, and German.
Because cybercriminals rarely have a full team of attackers skilled in every stage of an attack, dark web forums are ideal for those looking to sell what they have already stolen or to buy hosting infrastructure, malware payloads, and access to compromised networks.
“This factor happens to be particularly relevant to particular environments, for example, those with industrial control systems (ICS), operational technology (OT), Supervisory Control and Data Acquisition (SCADA) systems, or other less common or less conventional technology that many attackers may be unfamiliar with,” Prudhomme explained.
Attackers may decide to sell access to ransomware groups after realizing they have broken into a network with no data that can be stolen or sold.
The victim, the type and level of access for sale, as well as pricing and other transaction details, are all included in the posts offering compromised network access. Victims are sometimes identified by location, industry, or sector, and revenue data is frequently included.
The descriptions may include the number and types of machines on the network, as well as the types of files and data it contains. In many cases, sellers explicitly advertise a victim as a possible ransomware target.
Some access is auctioned off, while others are negotiated over time.
VPN credentials and RDP credentials are the most common features of these sales, both of which are being used much more because of the pandemic. Web shells are also used as transferable persistence mechanisms. “Elevated privileges are a common feature of these sales, but they are not universal. In order to run, many sorts of malware, comprising ransomware, need raised privileges,” Prudhomme remarked.
“Higher privileges also can allow attackers to create their accounts or take other measures to provide redundancy for the access they purchased. These sales frequently include domain administrator credentials, as well as some form of remote access. Some types of remote access for sale may also include additional privileges.”
A quantitative and qualitative analysis of 46 sales of network access on underground forums covered in IntSights alerts from September 2019 to May 2021 is included in the research.
Seven sellers were responsible for more than half of the access offerings, pointing to a broader trend of targeted attacks by a small number of specialized sellers.
The location of victim organizations was named in 40 of the 46 samples, with nearly 40% of them being in the United States or Canada.
Telecommunications accounted for ten of the 46 victims, with three other industries tied for second place: financial services, healthcare and pharmaceuticals, and energy and industrials.
“Despite the small number of retail and hospitality victims, the second-most expensive offering in this sample was for access to an organization supporting hundreds of hospitality and retail businesses,” Prudhomme explained.
“The victim was a third-party provider of loyalty and rewards programs for customers. The seller listed several ways a buyer could profit from this access, including source code review and manipulation, access to loyalty program members’ accounts and points, and spam and phishing attacks, including the use of legitimate communication channels to launch ransomware attacks against loyalty program members.”
According to Prudhomme, cybercriminals frequently target airline frequent flyer programs and other customer loyalty programs because such programs generally lack anti-fraud measures.
While the average price was $9,640, IntSights researchers found that most prices were around $3,000. Only ten of the prices exceeded $10,000, with the majority of them being for access to telecommunications or technology firms. Many of the offers were in the hundreds of dollars, with the lowest being $240 for access to a Colombian healthcare company.
The study found that the highest price paid for access to a large Asian telecommunications service provider with over $1 billion in revenue was $95,000.
The researchers recommend that companies patch their systems, enable MFA, and take other steps to block potential access points. According to the report, “the length of time it happens to take to sell network access may offer security teams more time to perceive a breach before a purchaser monetizes it or does anything else with it that could cause significant harm.”