- The activity of initial access brokers continues to grow, and so does the financial size of the operations.
- The targeting covers the entire globe, and some listings are going as high as 7 BTC ($235,000).
- In many cases, the actors prefer to trade their “goods” privately, away from prying eyes.
The prospering of the initial access market on the dark web continues unabated, and according to a report published by KELA yesterday, it has surpassed the size of $1.2 million in Q4 2020. The cyber-intelligence firm that uses specialized tools to monitor listings across numerous dark web sites has traced 242 new listings during that period, having an average price of $6,684 and a maximum of 7 BTC.
Most worryingly, the researchers confirm that the hackers are continually expanding the access types (VPN, webshells, RCE, RDP, RMM, ESX, Citrix/RDWeb, VMware) on offer, exploiting wider sets of vulnerabilities and moving laterally onto the compromised networks.
Back in September, we reported about the status of the scene and the rising importance of initial access brokers in RaaS operations. From what appears to be the case now, the trend is still pointing upwards, and so does the value of the sales, which has risen by about 35% compared to the previous quarter. During Q4 2020, KELA was able to confirm at least 34 sales, with the most successful of them putting $35,000 in the seller’s pocket.
However, that doesn’t mean that these numbers reflect the activity faithfully. As the report explains, many brokers prefer to trade access to compromised networks in private channels instead of putting them up for sale on dark web marketplaces. After all, some RaaS groups have stable collaborators and like to secure a constant supply by covering payments that correspond to an agreed amount of money.
This approach helps the seller stay hidden from white-hat researchers and the law enforcement authorities, so it is generally preferable - but only attainable for those who have established a network of contacts in that space.
As for the demographics of the particular cyber-crime sector, almost half of all offers come from ten brokers, so not all actors are equally prolific. This also means that, depending on who takes time off and who’s active during a certain period of time, we see significant fluctuations in the overall activity and the supply of these listings.
Some of the most notable and pricey examples that KELA cherry-picked include access to the following:
- A U.S.-based IT company through ConnectWise, 5 BTC
- Mexico’s National Insurance and Surety Commission, $100,000
- Texas government network, $35,000
- Panasonic India through VPN
- Europe-based oil & gas firm, 2 BTC
In some cases that didn’t generate any buyer interest, the sellers lowered their prices or proceeded by planting ransomware onto the compromised network themselves. In Panasonic India, for example, the broker planted a ransomware payload, stole files, and asked for a ransom of $500,000. This means that access to networks is rarely wasted, and will result in a very troublesome infection sooner or later, one way or another.