Initial Access Remains a Booming Business on the Dark Web

  • The activity of initial access brokers continues to grow, and so does the financial size of the operations.
  • The targeting covers the entire globe, and some listings are going as high as 7 BTC ($235,000).
  • In many cases, the actors prefer to trade their “goods” privately, away from prying eyes.

The initial access market on the dark web continues to grow unabated: according to a report published by KELA yesterday, it surpassed $1.2 million in size in Q4 2020. The cyber-intelligence firm, which uses specialized tools to monitor listings across numerous dark web sites, traced 242 new listings during that period, with an average price of $6,684 and a maximum of 7 BTC.

Most worryingly, the researchers confirm that the hackers are continually expanding the access types on offer (VPN, webshells, RCE, RDP, RMM, ESX, Citrix/RDWeb, VMware), exploiting wider sets of vulnerabilities and moving laterally within the compromised networks.

Source: KELA

Back in September, we reported on the state of the scene and the rising importance of initial access brokers in RaaS operations. From what appears to be the case now, the trend is still pointing upwards, and so is the value of the sales, which has risen by about 35% compared to the previous quarter. During Q4 2020, KELA was able to confirm at least 34 sales, the most successful of which put $35,000 in the seller’s pocket.

Source: KELA

However, that doesn’t mean these numbers reflect the activity faithfully. As the report explains, many brokers prefer to trade access to compromised networks in private channels instead of putting it up for sale on dark web marketplaces. After all, some RaaS groups have stable collaborators and like to secure a constant supply by paying them an agreed amount.

This approach helps the seller stay hidden from white-hat researchers and law enforcement authorities, so it is generally preferable – but only attainable for those who have established a network of contacts in that space.

Source: KELA

As for the demographics of this particular cyber-crime sector, almost half of all offers come from ten brokers, so not all actors are equally prolific. This also means that, depending on who takes time off and who is active during a given period, we see significant fluctuations in overall activity and in the supply of these listings.

Source: KELA

Some of the most notable and pricey examples that KELA cherry-picked include access to the following:

  1. A U.S.-based IT company through ConnectWise, 5 BTC
  2. Mexico’s National Insurance and Surety Commission, $100,000
  3. Texas government network, $35,000
  4. Panasonic India through VPN
  5. Europe-based oil & gas firm, 2 BTC

Source: KELA

In some cases that didn’t generate any buyer interest, the sellers lowered their prices or went on to plant ransomware on the compromised network themselves. In the Panasonic India case, for example, the broker planted a ransomware payload, stole files, and asked for a ransom of $500,000. This means that access to networks is rarely wasted, and will sooner or later result in a very troublesome infection, one way or another.
