Since we first published our report Initial Access Brokers: An Excess of Access, Digital Shadows (now ReliaQuest) has continued to monitor this criminal category closely and analyze in detail its development over the following months. Our first report uncovered 500 listings throughout 2020. Yet, already in 2021, we have found some 200 new listings published by Initial Access Brokers (IABs) in cybercriminal forums and other dark web sources in just the first quarter of this year.

This blog assesses this trend along with the targeted victims’ geographical locations and industry verticals. We additionally reported on access types and suggested mitigations.

To the surprise of no one, IABs have continued to actively operate in underground criminal forums and provide third-party threat actors with seemingly continuous access to vulnerable organizations’ networks. The rise of initial access brokers doesn’t seem close to stopping any point soon. While some things have remained unchanged, we did notice quite a few exciting developments in the IABs’ threat landscape. Without further ado, let’s dive into this quarter’s findings. 

Shadow Search (now ReliaQuest GreyMatter Digital Risk Protection)’s timeline of IABs’ activity in Q1 2021
Shadow Search (now ReliaQuest GreyMatter Digital Risk Protection)’s timeline of IABs’ activity in Q1 2021

Initial Access Broker Listings by Region

As we had seen in our previous reporting on IABs, these financially motivated cybercriminals target anything, anywhere. However, the geographical breakdown of the listings analyzed in Q1 offers the picture of a market predominantly geared towards European and North American targets. 

Listings Breakdown by Region
Listings Breakdown by Region

European companies were the most targeted by Initial Access Brokers in 2021, comprising 45% of victim listings in cybercriminal forums— Photon Research

The situation has been pretty dire for European countries in Q1, with 45% of the observed listings targeting organizations working in this region. The top spot remained unchanged in this quarter, with the United Kingdom topping the list with 19% of the listings. France (18%) and Italy (16%) were heavily targeted across 2020 as well. The industries targeted in this region were highly diversified but saw Engineering and Construction companies accounting for roughly one-fifth of organizations hit.

European victims’ breakdown by industry
European victims’ breakdown by industry

North American companies were the second most targeted by Initial Access Brokers in 2021, comprising 29% of victim listings in cybercriminal forums— Photon Research

Surprisingly enough, the North American region accounted for less than a third of the total listings observed (in 2020, that number was close to 40%). Initial Access Brokers predominantly targeted US-based organizations (82%) in the last three months. Among North American industry verticals, Industrial Goods & Manufacturing, Technology, and Third-party services accounted for half of the total listings analyzed. 

South American organizations closely followed, with approximately one organization targeted for every ten observed incidents in Q1 2021. IABs predominantly targeted companies based in Brazil (65%), a country that ranked second for the average amount of time spent online per person, according to a recent survey. The listings advertised for South American companies didn’t highlight a primary industry vertical being compromised, with the listings spread evenly among different sectors.

Initial Access Broker Listing by Industry 

No specific vertical emerged as heavily targeted, hinting at these cybercriminals’ indiscriminate nature. Initial Access Brokers often go for the “low-hanging fruit” in the security landscape to optimize their chances of gaining access. Therefore, the landscape of the industries being targeted the most by Initial Access Brokers in Q1 was evenly distributed.

Q1 2021 industry breakdown of Initial Access Broker’s victims
Q1 2021 industry breakdown of Initial Access Broker’s victims

Although no industry vertical was significantly distinct in the amount of targeting from its counterparts, it would be a mistake to think that IABs don’t differentiate between geographical representation and average price. 

We defined two factors in play for targeting by IABs by Industry:

  1. Market Price by geographical region
  2. Ease of Access to network and systems

For example, the Engineering and Construction sector targets consisted mainly of European countries and maintained a relatively low average access price of $193. On the other hand, technology sector companies were predominantly targeted when US-based, and access to their networks is sold for much higher on average for $1,045.

Average price of IAB listings per top industries
Average price of IAB listings per top industries

Average price of IAB listings dropped -73% from $7100 to $1923 per access in Q1 of 2021.— Photon Research

Regarding average listing price, another interesting data point is the overall average cost of buying access from Initial Access Brokers in Q1 2021. While our analysis of the 2020 data amounted to an observed average cost of $7,100, the price drastically dropped in the first quarter of this year (-73%), with an estimated average price of $1,923 per access. 

Why the change? We chalk it up to the laws of supply and demand. In just this quarter, we noted 200 new IAB listings. This compares with 500 total listings for all of last year. If this were to continue throughout 2021, we’d be looking at an overall increase of over 60%. So it might be that criminals have increasingly noted the business opportunity in just selling access to organizations but have been met with more competition (and hence lower prices) in the market.

Remote Desktop Protocol Maintains its Popularity

Listings offering access through compromised Remote Desktop Protocol (RDP) dominated in the past quarter. Accounting for three-quarters of the total listings observed, RDPs confirmed their role as a primary choice for Initial Access Brokers to exploit unsecured channels. If you’re interested in knowing more about how Initial Access Brokers put their hands on RDPs, luckily for you, Digital Shadows (now ReliaQuest) recently published a blog titled Mapping MITRE ATT&CK To Compromised RDP Sales

RDPs’ Undisputed Kingdom for IABs
RDPs’ Undisputed Kingdom for IABs

The practice of selling RDP access is not a new trend, but it has increased over the past months due to heightened working from home practices. Additionally, RDPs represent the ideal low-risk, high-yield access vector, given that cybercriminals can quickly scan the internet to find public-facing, exposed RDPs that are vulnerable to Initial Access Brokers’ activity. Throughout Q1 2021, a single RDP access is auctioned on average for $481, another drastic decrease compared to 2020. 

Mitigation Techniques and Future Actions

This quarterly report highlighted a lowered average cost for the accesses being sold by these cybercriminals and a strong focus on RDPs. Whether this data will remain constant in Q2 or whether internal or external factors will affect their environment remains to be seen. This quarterly analysis of IABs’ listings additionally provided further insights into this cybercriminal category’s evolving landscape. Looking ahead, one of the most intriguing aspects of this phenomenon relates to the price and the variety of access types being used by IABs over the coming months. 

Monitoring its evolution over time and IABs’ preferred techniques can significantly help security professionals prioritize their efforts to reduce their attack surface and digital exposure. The wide variety of industries and countries targeted means that any company is at risk of being targeted by these cybercriminals. Additionally, IABs tend to pick their victims based on opportunistic calculations. This means that making yourself a difficult target for the least sophisticated actors is one of the best defense strategies against these cybercriminals. If you’re interested in specific mitigations for several access types, feel free to download our free Initial Access Brokers research report.

Having an in-house or out-sourced Cyber Threat Intelligence team monitoring the surface, deep, and dark web can go a long way in identifying relevant listings and observing access trends. If provided with timely, relevant, and actionable intelligence, defenders can prioritize security efforts toward the most significant threats. If you’d like to see your exposure and get access to a threat intelligence library of threat actors relevant to your industry and geography with suggested mitigations, get a demo request of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) for free here.