Hackers earn an average of nearly $10,000 for stolen network access
A new report from cybersecurity firm IntSights sheds light on the burgeoning dark web market for network access, which earns cybercriminals thousands of dollars per sale.
Paul Prudhomme, Cyber Threat Intelligence Advisor at IntSights, examined network access sales on underground Russian- and English-language forums before compiling a study on why criminals sell their network access and how they transfer that access to buyers.
Over 37% of all victims in the data sample were based in North America, and the listings carried an average price of $9,640 and a median price of $3,000.
The study notes that the type of access offered continues to be used in ransomware attacks around the world. Dark web forums allow for a decentralized system where less skilled cybercriminals can lean on each other for different tasks, allowing most ransomware operators to simply buy access from others, according to Prudhomme.
The network access offered ranges from system administrator credentials to remote access into a network. With millions of people still working from home due to the COVID-19 pandemic, the sale of network access has increased dramatically over the past 18 months. Remote access is usually provided through RDP or VPN.
In dark web forums and marketplaces, cybercriminals trade a range of malware, rogue infrastructure, and compromised data, accounts, and payment card details. Most of the more sophisticated forums and marketplaces are in Russian, but there are also many forums in English, Spanish, Portuguese, and German.
Cybercriminals rarely have a full team of experienced attackers for every stage of an attack, which makes dark web forums ideal: participants sell what they have already stolen, or shop for malware payloads, hosting infrastructure, and access to compromised networks.
“This factor applies particularly to compromises of specialized environments, such as those with operational technology (OT), industrial control systems (ICS), supervisory control and data acquisition systems (SCADA) or other less common or less conventional technologies that may be unknown to many attackers,” explained Prudhomme.
Sometimes attackers find they have broken into a network with no data that can be stolen or sold, and decide to sell the access to ransomware groups instead.
Posts offering compromised network access describe the victim, the form and level of access for sale, and the price and other terms of the transaction. Victims are sometimes identified by location, industry or sector, and revenue figures are often included.
Descriptions can also list the number and types of machines on the network or the types of files and data it holds. Sellers often explicitly advertise the access as a potential ransomware target.
Some access is auctioned, while other sales are negotiated over time.
The most common items in these sales are RDP credentials and VPN credentials, both of which are in far heavier use because of the pandemic. Web shells are also sold as persistence mechanisms that can be handed over to a buyer.
“Elevated privilege is a common feature of these sales, but not universal. Many types of malware, including ransomware, require elevated privileges to run,” said Prudhomme.
“Higher privileges can also allow attackers to create their own accounts or take other actions to use as additional persistence mechanisms, providing redundancy for the access they have purchased. Domain administrator credentials are a common feature of these sales in conjunction with some form of remote access; the remote access for sale may also come with its own elevated privileges.”
The study includes a quantitative and qualitative analysis of a sample of 46 network access sales on underground forums covered by alerts provided to IntSights customers from September 2019 to May 2021.
Of that sample, seven sellers accounted for more than half of the access listings, reflecting a broader trend of sales concentrated among a small number of specialist sellers.
Of the 46 samples, 40 indicated the location of the victim organization, and nearly 40% of those were in the United States or Canada.
Ten of the 46 victims were in the telecommunications industry, while three other industries (financial services, healthcare and pharmaceuticals, and energy and industrials) tied for second place.
“Despite the relatively low victim count in retail and hospitality, the second most expensive offer in this sample, with an asking price of around $66,000 worth of Bitcoin at the time, was for access to an organization supporting hundreds of retail and hospitality businesses,” Prudhomme explained.
“The victim was a third-party operator of loyalty and customer reward programs. The seller highlighted the different ways a buyer could monetize this access, including: reviewing and manipulating source code; access to the accounts and points of loyalty program members; and spam and phishing attacks, including ransomware campaigns against loyalty program members through legitimate communication channels.”
Prudhomme noted that cybercriminals often prey on airline loyalty programs and similar customer loyalty programs due to the general lack of anti-fraud measures.
While $9,640 was the average price, IntSights researchers said most prices hovered around $3,000. Only ten of the offers were over $10,000, and most of those were for access to telecommunications or technology companies. Many asking prices were in the hundreds of dollars, and the lowest was $240 for access to a healthcare business in Colombia.
The highest price observed in the study was $95,000 for access to a large telecommunications service provider in Asia with revenues of over $1 billion.
Researchers are urging organizations to patch systems, enable MFA, and take other steps to shut down potential access points.
“The time it takes to sell network access can give security teams more time to detect a breach before a buyer monetizes it or does anything else that might cause significant damage,” the report says.
“The time it takes to find a buyer varies widely, from a few hours to several months, but a time frame of a few days or weeks is more typical. If security teams discover an intruder who has had access for a significant period of time but has not yet begun to monetize it, for example by exfiltrating profitable files or deploying ransomware, then this delay could indicate that the initial intruder is still waiting for a buyer.”
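The report's two practical points for defenders are that purchased access is usually exercised over RDP or VPN (and that buyers add their own accounts for redundant persistence), and that the gap between initial compromise and monetization is a detection window. The script below, an added example written for this article and not code from IntSights or the report, turns those observations into a small detection over a constructed sample of Windows Security events. Event IDs 4624 (successful logon), 4720 (user account created) and 4732 (member added to a local group) and logon type 10 (RemoteInteractive, i.e. RDP) are real Windows values; the hosts, usernames, source IPs, the internal address ranges and the 72-hour window are assumptions to be tuned per environment.

```python
"""Flag RDP logons from outside the corporate ranges, pair them with
persistence set-up by the same account, and measure how long the account
has been coming back without doing anything else.

Added example for this article (not IntSights' code). SAMPLE_EVENTS is a
constructed log sample, not real telemetry.
"""
import ipaddress
from datetime import datetime, timedelta

# Assumed internal ranges; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Assumed look-ahead window for persistence actions after a suspicious logon.
WINDOW = timedelta(hours=72)

# Constructed sample events: (timestamp, event_id, fields). Source IPs use
# documentation ranges (203.0.113.0/24, 198.51.100.0/24); names are made up.
SAMPLE_EVENTS = [
    ("2021-04-02T08:11:00", 4624, {"user": "alice", "logon_type": 10, "src": "10.1.4.20"}),
    ("2021-04-03T23:40:00", 4624, {"user": "svc_backup", "logon_type": 10, "src": "203.0.113.45"}),
    ("2021-04-04T01:05:00", 4720, {"user": "svc_backup", "new_user": "wupdate"}),
    ("2021-04-04T01:07:00", 4732, {"user": "svc_backup", "member": "wupdate", "group": "Administrators"}),
    ("2021-04-05T09:00:00", 4624, {"user": "bob", "logon_type": 10, "src": "10.2.0.7"}),
    ("2021-04-09T22:15:00", 4624, {"user": "svc_backup", "logon_type": 10, "src": "198.51.100.9"}),
]


def is_external(ip: str) -> bool:
    """True when the address falls outside every range in INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def external_rdp_logons(events):
    """Return (time, user, src) for successful RDP logons from external IPs."""
    hits = []
    for ts, eid, f in events:
        if eid == 4624 and f.get("logon_type") == 10 and is_external(f["src"]):
            hits.append((datetime.fromisoformat(ts), f["user"], f["src"]))
    return hits


def persistence_after_logon(events, window=WINDOW):
    """For each external RDP logon, collect account-creation (4720) and
    group-membership (4732) events performed by the same account within
    `window`. An empty list means the account logged in and did nothing
    visible yet: the 'waiting for a buyer' case the report describes."""
    alerts = []
    for t0, user, src in external_rdp_logons(events):
        followups = []
        for ts, eid, f in events:
            t = datetime.fromisoformat(ts)
            if f.get("user") == user and eid in (4720, 4732) and t0 <= t <= t0 + window:
                followups.append((eid, t))
        alerts.append({"user": user, "src": src, "first_seen": t0,
                       "persistence": followups})
    return alerts


def dwell_days(events):
    """Days between the first and last external RDP logon per account."""
    first, last = {}, {}
    for t, user, _ in external_rdp_logons(events):
        first.setdefault(user, t)
        last[user] = t
    return {u: (last[u] - first[u]).days for u in first}


if __name__ == "__main__":
    for a in persistence_after_logon(SAMPLE_EVENTS):
        print(f"{a['user']} from {a['src']} at {a['first_seen']}: "
              f"{len(a['persistence'])} persistence event(s)")
    print("dwell (days):", dwell_days(SAMPLE_EVENTS))
```

Run against the sample, the script reports svc_backup logging in over RDP from an external address, creating the account wupdate and adding it to Administrators within two hours (the redundant persistence Prudhomme describes), then returning six days later with no further activity. In production the interesting alert is the second kind: a repeatedly used external logon with no follow-on activity, which the report suggests may be an intruder holding access until it is sold.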