Initial Access Remains a Booming Business on the Dark Web

  • The activity of initial access brokers continues to grow, and so does the financial size of the operations.
  • The targeting covers the entire globe, and some listings are going as high as 7 BTC ($235,000).
  • In many cases, the actors prefer to trade their “goods” privately, away from prying eyes.

The initial access market on the dark web continues to prosper unabated, and according to a report published by KELA yesterday, it surpassed $1.2 million in size in Q4 2020. The cyber-intelligence firm, which uses specialized tools to monitor listings across numerous dark web sites, traced 242 new listings during that period, with an average price of $6,684 and a maximum of 7 BTC.

Most worryingly, the researchers confirm that the hackers are continually expanding the access types on offer (VPN, webshells, RCE, RDP, RMM, ESX, Citrix/RDWeb, VMware), exploiting wider sets of vulnerabilities and moving laterally within the compromised networks.

Source: KELA

Back in September, we reported on the state of the scene and the rising importance of initial access brokers in RaaS operations. From what appears to be the case now, the trend is still pointing upwards, as is the value of the sales, which has risen by about 35% compared to the previous quarter. During Q4 2020, KELA was able to confirm at least 34 sales, the most successful of which put $35,000 in the seller’s pocket.

Source: KELA

However, that doesn’t mean these numbers reflect the activity faithfully. As the report explains, many brokers prefer to trade access to compromised networks in private channels instead of putting it up for sale on dark web marketplaces. After all, some RaaS groups have stable collaborators and like to secure a constant supply of access by paying their brokers an agreed amount.

This approach helps the seller stay hidden from white-hat researchers and law enforcement authorities, so it is generally preferable, but it is only attainable for those who have established a network of contacts in that space.

Source: KELA

As for the demographics of this particular cyber-crime sector, almost half of all offers come from ten brokers, so not all actors are equally prolific. This also means that, depending on who takes time off and who is active during a given period, the overall activity and the supply of listings fluctuate significantly.

Source: KELA

Some of the most notable and pricey examples that KELA cherry-picked include access to the following:

  1. A U.S.-based IT company through ConnectWise, 5 BTC
  2. Mexico’s National Insurance and Surety Commission, $100,000
  3. Texas government network, $35,000
  4. Panasonic India through VPN
  5. Europe-based oil & gas firm, 2 BTC

Source: KELA

In some cases that didn’t generate any buyer interest, the sellers lowered their prices or proceeded to plant ransomware on the compromised network themselves. In the Panasonic India case, for example, the broker planted a ransomware payload, stole files, and asked for a ransom of $500,000. This means that access to a network is rarely wasted: sooner or later, one way or another, it results in a very troublesome infection.
