Initial access brokers (IABs) are enablers of high-level cybercriminal activity. They identify weak points in their targets’ systems and networks, and sell these accesses to prospective attackers for profit. Essentially, doing the dirty work for other cybercriminals. They have become increasingly active, and are likely raking the profits in, big-time.
Why have we seen an increase in offerings?
It’d be hard not to mention ransomware. The dramatic rise of ransomware, coupled with easily accessible vulnerabilities, has likely resulted in a sharp increase in demand. IABs, sniffing an opportunity, provided the supply, and facilitated an unprecedented rise in ransomware attacks.
Working from home has been nice for some, and not for others. It has definitely been a win for IABs; workers need to access their content and workstations remotely now more than ever before. This is why we see IABs selling VPN and RDP access the most; these two offerings were listed on cybercriminal forums more in Q2 2021 than any other access type.
This shows us that IABs are adaptable, and will seek to profit from contextual changes. As the way we work changes, cybercriminals will be taking note. Decision-makers and stakeholders must be aware of this, if they’re to understand where threats are coming from and why.
Initial access brokers have had a demonstrable impact on the threat landscape. They’ve played a significant role in increasing ease of access for the cybercriminal community. A budding threat actor could purchase an exploit kit, or suite of malicious tools, purchase access from an IAB, and get straight to work. This lowering of the barrier to entry means that more threat actors are able to conduct their attacks, and means that more organizations can be susceptible to cyber attacks.
Why is it important?
The prevalence of IABs provides insight into understanding the cybercriminal ecosystem. This, in turn, can help us forecast threats and ascertain where defenses need to be bolstered. We’ve seen an increase in access types being offered; critical-severity vulnerabilities such as the 2020 Citrix flaws have actually become more widely sold over time. We observed a twofold increase in Citrix accesses being offered by IABs. This demonstrates the significance of vulnerability management; high-profile vulnerabilities that remain unpatched are providing IABs with everything they need to sell their accesses. Essentially, by mapping the IAB landscape, insights can be gleamed into how and where organizations are getting hit from.
The key takeaways are that IABs are exploiting weaknesses in organizations and selling these accesses in an increasingly professionalized environment. This will almost certainly continue. They can provide insights into which vulnerabilities are the most popular route in, and where organizations are most likely to be vulnerable. Understanding how and why IABs operate can help prevent a world of hurt.