A new report from cybersecurity company IntSights has spotlighted the thriving dark web market for network access, where a single sale can net cybercriminals thousands of dollars.
Paul Prudhomme, cyber threat intelligence advisor at IntSights, examined network access sales on underground Russian and English-language forums before compiling a study on why criminals sell their network access and how criminals transfer their network access to buyers.
In a sample of the data, more than 37% of victims were based in North America; the average asking price was $9,640 and the median price was $3,000.
The study notes that the kind of access being offered continues to be used in ransomware attacks across the world. Dark web forums are enabling a decentralized system where less-skilled cybercriminals can rely on each other for different tasks, allowing most ransomware operators to simply buy access from others, according to Prudhomme.
The network access on offer ranges from the credentials of system administrators to remote access into a network. With millions still working from home due to the COVID-19 pandemic, the sale of network access has increased significantly over the last 18 months. Remote access is generally through RDP and VPNs.
In dark web forums and marketplaces, cybercriminals share access to a slate of malware, malicious tools, illicit infrastructure, and compromised data, accounts, and payment card details. Many of the most sophisticated forums and marketplaces are in Russian, but there are also many English, Spanish, Portuguese and German-language forums.
Cybercriminals rarely have a full team of attackers experienced in each stage of an attack, which makes dark web forums ideal: there they can either sell what they have already stolen or shop for malware payloads, hosting infrastructure and access to compromised networks.
"This factor is particularly applicable to compromises of specialized environments, such as those with operational technology (OT), industrial control systems (ICS), Supervisory Control and Data Acquisition (SCADA) systems, or other less common or less conventional technology that may be unfamiliar to many attackers," Prudhomme explained.
At times, attackers realize they have broken into a network with no data that can be stolen or sold and decide to sell access to ransomware groups.
The posts offering compromised network access describe the victim, the form and level of access for sale, and the pricing and other transaction details. Victims are sometimes identified by location, industry or sector, and revenue figures are often included.
The descriptions may also include the number and types of machines on the network, or the types of files and data it contains. Hackers often explicitly advertise the access as a potential ransomware target.
Some access is sold by auction, while other sales are negotiated over time.
The most common features of these sales are RDP credentials and VPN credentials, both of which are being used considerably more because of the pandemic. Web shells, which serve as persistence mechanisms, are also transferred in these sales.
"Elevated privileges are a common feature of these sales, but not a universal one. Many types of malware, including ransomware, need elevated privileges in order to run," Prudhomme said.
"Higher privileges can also enable attackers to create their own accounts or take other measures to use as additional persistence mechanisms, providing redundancy for the access that they purchased. Domain administrator credentials are a common component of these sales, in conjunction with a form of remote access. Some forms of remote access for sale may also come with their own elevated privileges."
Included in the study is a quantitative and qualitative analysis of a sample of 46 sales of network access on underground forums covered in alerts provided to IntSights customers from September 2019 to May 2021.
Among this selection, seven individuals accounted for more than half of the access points for sale, representing the larger trend of concentrated attacks by vendor-specific hackers.
Of the 46 samples, 40 named the location of victim organizations and nearly 40% were in the US or Canada.
Ten of the 46 victims were in the telecommunications industry while three other industries -- financial services, healthcare and pharmaceuticals, and energy and industrials -- tied for second place.
"Despite the relatively small number of retail and hospitality victims, the second-most expensive offering in this sample, with an asking price of approximately $66,000 USD worth of Bitcoin at the time, was for access to an organization supporting hundreds of retail and hospitality businesses," Prudhomme explained.
"The victim was a third-party operator of customer loyalty and rewards programs. The seller highlighted the various ways in which a buyer could monetize this access, including: review and manipulation of source code; access to the accounts and points of loyalty program members; and spam and phishing attacks, including ransomware campaigns against loyalty program members via legitimate communication channels."
Prudhomme noted that cybercriminals often go after airline frequent flier programs and similar customer loyalty programs because of the general lack of anti-fraud measures.
While $9,640 was the average price, IntSights researchers said most prices hovered around $3,000. Just ten of the prices surpassed $10,000 and most were for access to telecommunications or technology companies. Many offers were in the hundreds and the lowest offer was $240 for access to a healthcare company in Colombia.
The peak seen in the study was $95,000 for access to a large telecommunications service provider in Asia with over $1 billion in revenue.
The researchers urge organizations to patch systems, enable MFA and take other measures to close off potential access points.
"The amount of time that it takes to sell network access may give security teams more time to detect a breach before a buyer monetizes it or does anything else with it that could cause significant harm," the report said.
"The amount of time needed to find a buyer varies considerably, ranging from hours to months, but a time frame of days or weeks is more typical. If security teams discover an intruder who has had access for a significant period of time but has not yet begun to monetize it, e.g., by exfiltrating profitable files or deploying ransomware, then that delay could indicate that the initial intruder is still waiting for a buyer."