It’s hard to get very far in cyber threat intelligence without discussing ransomware. Actually, it’s almost impossible. Keeping with the hot trend, I wanted to explore one of the key players with a significant, but less notorious role in the ransomware attack chain.
Enter initial access brokers.
Who are initial access brokers and how do they work?
Ransomware developers demand a lot out of their affiliates; given the saturated nature of the RaaS market, prominence and notoriety are vital to success. The demand for affiliates to find victims quickly hinges on their success. The risk of being kicked out of the program has given initial access brokers the ability to flourish – someone needs to do the dirty work!
Initial access brokers attempt to gain network access to vulnerable organizations, likely identifying targets indiscriminately through publicly available scanning tools. Typically, advertised accesses encompass remote access through Remote Desktop Protocol (RDP) or a compromised Citrix gateway. RDP has proven to be a common attack vector within the ransomware landscape. For example, while attending the RSA conference in February 2020, FBI Special Agent Joel DeCapua stated that, “RDP is still 70-80% of the initial foothold that ransomware actors use.”
The below chart demonstrates the rise of initial access listings over the previous two years, with the largest increase seen in the last six months.
Once they find their way in, initial access brokers poke around the network, at times attempting to escalate privileges or move laterally to access more information. They manage and organize their access, tailoring it into a presentable product, and determine how much money they could get in the criminal market. At this point, our internal access broker visits their favorite criminal forum and creates a thread advertising the access with prices typically between USD 500 to 10,000. Listings are customer agnostic; the goal is to make money, so whoever wants to buy their access (e.g. nation-state APT, financially motivated groups, data brokers) can have it.
Once the access is acquired, the purchaser can conduct additional network reconnaissance and utilize the access for whatever they intend. A likely non-exhaustive list would encompass ransomware, espionage, flip it for more money, move laterally, escalate privileges, or live on the network inconspicuously, taking advantage of Living off the Land (LotL) methods.
The balance between advertising access and revealing your hand
Once the broker has gained access, and they are ready to list it, they’re faced with a dilemma. They can demonstrate the value of their access to gain more attention and likely increase interest, resulting in a higher auction outcome. However, this option could be problematic; if they give away too much information, security researchers may identify the victim and kill the access, ruining their hard work.
What’s a broker to do? (WARNING: Jurassic Park reference incoming) In Dr. Ian Malcom’s repurposed words, criminals always find a way.
Zoominfo is a site that maintains business-to-business (B2B) information on organizations globally. Most importantly, the details collected by Zoominfo includes company revenue and employee counts. To better advertise their listings without giving away the company’s name, initial access brokers can leverage these details; some even go as far as referencing Zoominfo in their listings.
Alas, our broker can describe their victim organizations with their employee count and revenue amount and not tip off their victim. Organizations with higher revenue and higher employee size would obviously garner more attention; a successful ransomware infection of an organization with a considerable revenue will prove more lucrative.
Using Shadow Search to find new accesses.
Coming full circle, the question is: How can an organization operationalize this information? Ideally, with this information in hand, organizations can stop a ransomware infection at a critical point in the attack chain – where the broker advertises their access.
Digital Shadows (now ReliaQuest)’ Shadow Search enables organizations to identify these listings across various criminal forums, including the most prominent ones, such as Exploit and XSS. More importantly, saved queries can have custom alerting functions that may tip an organization off when an access listing may be related to them or a supplier.
This is done by leveraging a Shadow Search query that looks for criminal forum posts mentioning relevant predetermined information:
This can be specific to the exact employee and revenue size:
type=[Forum posts] (“access” OR “доступ”) AND (“30 million” AND “150”)
Or broad to a sector or geography:
type=[Forum posts] (“access” OR “доступ”) AND (“US” AND “logistics”)
Although not a guaranteed solution to ransomware, given the current prevalence of ransomware, any opportunity to thwart a possible attack is worth a shot.
Interested in learning more about our monitoring capabilities and how we can help your organization’s digital risk? Try out Digital Shadows (now ReliaQuest)’ Test Drive.