Back in March 2021, Digital Shadows (now ReliaQuest) published a research report titled Initial Access Brokers: An Excess of Access, analyzing more than 500 access listings across 2020 and initiating a discussion around the figure of Initial Access Brokers (IABs). Ever since, IABs have consolidated their role in the cybercriminal landscape and have now become a fundamental figure in the Ransomware-as-a-Service (RaaS) business model.
At the end of Q1 2021, Digital Shadows (now ReliaQuest) had analyzed over 200 new listings and provided a detailed examination of the data observed on dark web criminal forums, noting an upward trend compared to 2020. Digital Shadows (now ReliaQuest) continues to monitor these criminal actors to extract valuable insights into the victimology, the modus operandi, and the functioning of this complex environment.
Today, we will analyze the data gathered over the second quarter of 2021 and interpret it in the context of the most recent developments in the ransomware landscape. Trust me; there’s a lot to unpack, so let’s start right away.
As you will probably remember, the second quarter of 2021 began with the DarkSide ransomware attack on Colonial Pipeline, which disrupted the operations of the US energy operator for several days. Colonial Pipeline distributed almost half of the oil-related fuels on the American East Coast, so this campaign represented a severe cyberattack against critical national infrastructure (CNI) in the United States.
As predicted, this attack resulted in a swift response from US law enforcement agencies, which managed to seize part of DarkSide’s Bitcoin funds, and in the ransomware gang disappearing from the scene. But something possibly more important for the broader ransomware landscape happened when cybercriminal forums like XSS and Exploit decided to ban all things ransomware to avoid unwanted attention from security researchers, journalists, and law enforcement agencies. This means that ransomware operators and affiliates were widely banned from these platforms, and discussions around ransomware were deleted too.
A question inevitably arises: what happened then to IABs?
This development in the ransomware landscape didn’t entirely disrupt IABs’ operations. In fact, theoretically speaking, the accesses sold by IABs could be used for a broad array of malicious purposes (think about wiping data, installing crypto miners, deploying spyware, etc.) and rarely specifically mention ransomware. However, as we all well know, ransomware is clearly one of the most profitable criminal enterprises you can set up with those accesses and is undoubtedly the most common use for threat actors.
Consequently, IABs kept doing their work undisturbed most of the time. We’ve observed some IABs moving to other cybercriminal forums, and others have moved their business infrastructure to private messaging channels. Additionally, we’ve observed ransomware groups avoiding any outright mention of the purpose of their criminal program and attempting to recruit IABs with careful wording to avoid being banned.
Despite all the changes just mentioned, the market for IAB listings hasn’t decreased at all in the past three months. On the contrary, in Q2, Digital Shadows (now ReliaQuest) collected over 250 accesses, an increase from the first quarter of 2021, listed for an average of $2,578 per access (a slightly higher number than the last quarter, which was $1,923).
As we observed in our previous reports on IABs, North America and Europe have remained the most targeted regions by these actors, with a combined 70% of the total listings observed in Q2. While victims in North America were mostly based in the United States, the European targets were evenly spread out among several countries. The most targeted European country in Q2 was France, soon followed by the United Kingdom, Italy, and Germany.
American companies were the most targeted by Initial Access Brokers in this quarter, comprising 39% of victim listings in cybercriminal forums – Photon Research
Companies based in North America were also the most financially rewarding for IABs, with an average cost of $3,114 per access. Asian organizations soon followed with an average of $2,824, along with the Middle East ($2,523) and Europe ($2,044). On the other hand, listings were particularly cheap in Australasia ($600) and South America ($474).
No specific vertical emerged as heavily targeted, hinting at these cybercriminals’ indiscriminate nature. Initial Access Brokers often go for the “low-hanging fruit” in the security landscape to optimize their chances of gaining access. Therefore, the landscape of the industries being targeted the most by Initial Access Brokers in Q2 was evenly distributed.
Although no industry vertical was significantly distinct in the amount of targeting from its counterparts, it would be a mistake to think that IABs don’t differentiate between geographical representation and average price. The geographical region of the targeted organization and the access type associated with the listing heavily influence the price asked by IABs.
The Retail sector was the most targeted and maintained the second-highest average price per access in Q2 – Photon Research
As you can see from the graph above, we observed the Financial Services industry overtake the Energy, Oil, and Gas sector as the most expensive within IABs’ listings in Q2. On average, access to an organization operating in the Financial Services sector cost $5,518 – more than $3,000 more per access compared to our Q1 data. Another impressive bit of data comes from the Retail sector, where the average price of a single access skyrocketed to $4,404 after an average price of $558 in the first quarter of 2021.
As we initially wrote in our blog on the Targets And Predictions For The COVID-19 Threat Landscape, remote working tools such as Virtual Private Network (VPN) and Remote Desktop Protocol (RDP) are at high risk of being compromised and exploited by threat actors that attempt to capitalize on the developments caused by the COVID-19 pandemic outbreak. According to our data, this observation remains very much true, as these two tools make up more than two-thirds of the total accesses advertised by IABs in Q2.
Access via VPN and/or RDP comprise 70% of the total listings observed over Q2 – Photon Research
Since we started producing research on IABs, RDP has been central to our analysis. Cybercriminals can easily scan the internet to find exposed RDP services with weak credentials to leverage for their malicious operations, as we discussed in our blog titled Mapping MITRE ATT&CK To Compromised RDP Sales. The same mechanism applies to VPN, a utility that has become increasingly popular since the pandemic outbreak in the early months of 2020.
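Because password guessing against an exposed RDP service leaves a dense trail of failed RemoteInteractive logons, a defender can surface it from Windows Security logs before the resulting access ever reaches a broker listing. The following is an added example, not ReliaQuest or Digital Shadows code: it runs a sliding-window count of failed RDP logons (event 4625, logon type 10) per source address over constructed sample records and reports whether a successful logon (event 4624) from the same source followed the burst. The record layout, field names, threshold and window are assumptions made for this example.

```python
"""Flag RDP password guessing in Windows Security log records.

Added example; not ReliaQuest/Digital Shadows code. The records below are
constructed for this example and mimic the fields of Windows Security
events 4625 (failed logon) and 4624 (successful logon). Logon type 10 is
RemoteInteractive, i.e. an RDP session; other logon types are ignored.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event_id, logon_type, user, source_ip)
SAMPLE_EVENTS = [
    ("2021-06-01T02:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2021-06-01T02:00:03", 4625, 10, "admin", "203.0.113.7"),
    ("2021-06-01T02:00:05", 4625, 10, "backup", "203.0.113.7"),
    ("2021-06-01T02:00:08", 4625, 10, "svc_sql", "203.0.113.7"),
    ("2021-06-01T02:00:11", 4625, 10, "jsmith", "203.0.113.7"),
    ("2021-06-01T02:00:14", 4624, 10, "jsmith", "203.0.113.7"),   # guessing succeeded
    ("2021-06-01T09:15:00", 4625, 10, "mbrown", "198.51.100.20"),  # one typo, then success
    ("2021-06-01T09:15:30", 4624, 10, "mbrown", "198.51.100.20"),
    ("2021-06-01T09:16:00", 4625, 3, "fileshare", "198.51.100.21"),  # network logon, not RDP
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp string into a datetime."""
    return datetime.fromisoformat(value)


def find_rdp_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP that produced `threshold` or more failed
    RDP logons inside any `window`-long span, noting which accounts were tried
    and whether a successful RDP logon from that source followed the burst."""
    failures = defaultdict(list)   # source_ip -> [(ts, user), ...]
    successes = defaultdict(list)  # source_ip -> [(ts, user), ...]
    for ts, event_id, logon_type, user, ip in events:
        if logon_type != 10:       # only RemoteInteractive (RDP) logons matter here
            continue
        if event_id == 4625:
            failures[ip].append((parse_ts(ts), user))
        elif event_id == 4624:
            successes[ip].append((parse_ts(ts), user))

    alerts = []
    for ip, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Shrink the window from the left until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = fails[start:end + 1]
                first_ts = burst[0][0]
                tried = sorted({user for _, user in burst})
                # A success from the same source after the burst began is the
                # signal that matters most: the guessing may have worked.
                later_success = [user for t, user in successes.get(ip, []) if t >= first_ts]
                alerts.append({
                    "source_ip": ip,
                    "failures": len(burst),
                    "distinct_users": tried,
                    "success_after_burst": later_success,
                })
                break              # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_guessing(SAMPLE_EVENTS):
        print(alert)
```

The normal user who mistypes a password once (198.51.100.20) and the non-RDP network logon (198.51.100.21) are not flagged; only the source that cycled through several accounts in a few seconds is, together with the account it eventually got into, which is the one to reset and investigate first.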
This quarterly analysis of IABs’ listings provided further insights into this cybercriminal category’s evolving landscape. Constantly observing how the IABs environment evolves over time is key to understanding trends and patterns in this malicious activity, along with offering precious insights into how ransomware actors behave over time. Looking ahead, one of the most intriguing aspects of this phenomenon relates to the price and the variety of access types being used by IABs over the coming months.
Monitoring its evolution over time and IABs’ preferred techniques can significantly help security professionals prioritize their efforts to reduce their attack surface and digital exposure. The wide variety of industries and countries targeted means that any company is at risk of being targeted by these cybercriminals. Additionally, IABs tend to pick their victims based on opportunistic calculations. This means that making yourself a difficult target for the least sophisticated actors is one of the best defense strategies against these cybercriminals. If you’re interested in specific mitigations for several access types, feel free to download our free Initial Access Brokers research report.
Having an in-house or outsourced Cyber Threat Intelligence team monitoring the surface, deep, and dark web can go a long way in identifying relevant listings and observing access trends. If provided with timely, relevant, and actionable intelligence, defenders can prioritize security efforts toward the most significant threats. If you’d like to see your exposure and get access to a threat intelligence library of threat actors relevant to your industry and geography with suggested mitigations, request a free demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.