Initial network access is what gets malicious hackers inside an organization’s network. Threat actors who are selling it (known as “initial access brokers”) create a bridge between opportunistic campaigns and targeted attackers. In most cases, these are ransomware operators. KELA researchers successfully indexed 108 network access listings shared on popular hacking forums last month. The total value of the demanded price was above $500,000.
How do threat actors calculate the price of network access?
While analyzing the top 5 most expensive accesses and the TTPs of their sellers, the researchers formed a hypothesis. They believe that the price depends on the victim’s revenue and the level of privileges that the network access grants. For example, domain admin access can be from 25% to 100% more expensive than user access.
How does selling initial network access work?
By unfolding the supply chain further, the researchers saw that initial access brokers obtain their ready-to-sell entry point through three steps:
1. Finding an initial infection vector
As revealed by conversations on cybercrime forums, multiple possibilities exist that grant this access. Botnet infections, remote access protocols like RDP and VNC, and remote access software such as VPNs are among the top choices.
2. Turning the initial infection vector into a more comprehensive compromise
Based on the initial vector of compromise, initial access types vary. The most important task now is broadening both the access scope and the acquired privileges so that they are attractive to a potential buyer.
“This attractiveness is derived from the buyer’s operational objective, as different actors may have different demands from a potential network access,” the report notes.
With most buyers assumed to be ransomware operators or affiliates, it’s important to keep in mind that the network access scope doesn’t have to be ideal: it just needs to be good enough. A successful ransomware operation doesn’t necessarily have to lock thousands of endpoints in perfect unison – sometimes, locking a few key servers and extracting data from several others may be enough to monetize the access.
3. Deciding how access is supplied to a buyer
According to KELA, this step is as crucial as the other two: initial access brokers should create a sustainable entry channel for other cybercriminals.
As in usual business relations, some sellers are flexible and adapt to the needs of their customers: they can provide them with access suitable for their goals. That’s why some sellers tend to ask how a buyer will use the access and accept only “experienced” customers, the report notes.
Long story short, once such access is in the buyers’ hands, it can turn into an entry point to an entire network. Attackers are now able to execute commands and deliver malware.
More details are available in KELA’s thorough analysis.