Initial Access Brokers (IABs) are capitalising on the demand for access into systems by ransomware groups and other malicious actors.
The growing presence of IABs demonstrates the specialisation that naturally occurs in most industries as they mature. Their motivation is financial gain, and they aim for targets with the means to pay large ransoms and who cannot afford any down time in their systems. IAB marketing takes place mainly within members-only forums such as XSS and Exploit, probably because they are looking for serious buyers only.
Having established the tactics, techniques and procedures (TTPs) for gaining access, IABs advertise the sale of ‘domain access’, ‘network access’ or similar on several forums, usually describing the target by sector, country, and revenue size. Prices can vary widely, depending on the level of access being sold (from users to domain administrators), company size or revenue, and business sector. Although much has already been published about $7100 being the average price, at Threat Essentials we’ve seen asking prices as low as $300, placing these within reach of even the budget-constrained actors.
Through our threat intelligence platform, we’ve seen IABs sell access to the same systems on different forums under different names. They do this possibly to attract more customers and claims of exclusive access are not always accurate. Consequently, multiple attackers may access the same target, using the same TTPs purchased on different sites. We can see patterns of behaviour like this through the powerful and highly customisable query function of our threat intelligence platform.
By monitoring dark web conversations, we understand that IABs often opportunistically hunt for access by using automated Common Vulnerabilities and Exposures (CVE) scanning tools, followed up with the application of public exploits. Our platform detects forum posts advertising these tools and exploits, enabling us to track their popularity.
What we recommend
As the IAB market is increasingly active, you should monitor their activities using the unique Threat Essentials intelligence platform, for early warning signs that access to your systems is on sale. This will empower you to proactively defend your organisation before access is sold to attackers, effectively neutralising their TTPs.
To find out more about how Threat Essentials can support your cyber defences, get in touch with a Threat Essentials analyst at firstname.lastname@example.org