In a report published today and shared with ZDNet, cyber-security firm KELA said it indexed 108 "network access" listings posted on popular hacking forums last month, collectively valued at a total asking price of around $505,000.
Of these, KELA said around a quarter of the listings were sold to other threat actors looking to attack the compromised companies.
The "initial access" market
These types of ads have been posted on hacking forums for years, but for the most part, they've been a niche in the "initial access" market, with most cybercrime groups opting to buy access to compromised networks via criminal marketplaces selling RDP access (called "RDP shops") or from malware botnet operators (known as Malware-as-a-Service, or "bot installs").
However, beginning with the summer of 2019, a large number of vulnerabilities in major networking products have been disclosed. This included vulnerabilities in Pulse Secure and Fortinet VPN servers, Citrix network gateways, Zoho computer fleet management systems, and many others.
Threat actors were quick to exploit these vulnerabilities, compromising devices en masse. Many of these systems had to be monetized in some way or another.
While some "initial access brokers" partnered with ransomware gangs, many didn't have the deep connections and the needed reputation in a closed cybercrime economy to establish these partnerships from the get-go. Instead, these brokers began selling their compromised networks on popular hacking forums like XSS, Exploit, RAID, and others.
But networking devices were only a part of the listings on these forums.
Many brokers also sold access to compromised RDP or VNC endpoints. Most of these systems are compromised via brute-force attacks launched with IoT botnets, while others are bought from classic RDP shops, have their access expanded from user to admin levels, and then resold on forums at higher prices.
Some networks sold for tens of thousands of US dollars
Over the past year, these ads have been steadily increasing in both frequency and the price asked for access to hacked networks.
Based on its monitoring, KELA said that the average price for a compromised network sold on hacker forums is around $4,960, with the price range going from as low as $25 to as much as $102,000.
KELA product manager Raveed Laeb said the price for a "network access" ad usually varies depending on factors such as the company value and the level of privilege.
Obviously, networks with a compromised admin account are valued more than networks where the compromised account only has regular user privileges. However, this doesn't seem to dissuade the seller, as some threat actors will only be looking for an initial foothold, having their own capabilities of escalating access.
In some cases, it's the initial access brokers doing the privilege escalation, with the perfect example being a seller who doubled their listing's price by gaining access to an admin account after posting an initial version of their ad.
Another interesting observation is that initial access brokers tend to use the "value" of a company rather than the size of its network when deciding on the price, citing statistics like annual revenue rather than the number of endpoints.
This illustrates that initial access brokers are often tailoring their ads for ransomware gangs, where a victim's annual revenue and profits are used to negotiate the ransom demand, rather than the size of the network, which is usually less significant as a well-placed ransomware attack can often cripple a company even without locking thousands of its computers.
KELA, which analyzed some of the highest-priced ads posted in September, said it found brokers peddling access to a major maritime and shipbuilding company (sold for $102,000), a Russian bank ($20,000), a Turkish aviation firm ($16,000), and a Canadian franchise company ($10,600), with access for this victim's network being sold in just a few hours.
A larger "initial access" market is hidden in the shadows
However, KELA says that hacking forums like the ones it's tracking only provide a summary view of the entire "initial access" market, which is much, much larger.
Initial access brokers also operate in closed circles, such as private RDP shops, via encrypted communications with selected clients, or via Malware-as-a-Service platforms, such as malware botnets.
Tracking sales and victims via these mediums is impossible, but the glimpse security firms are getting by observing sales on public hacking forums shows just how lucrative this market can be and how easily a hacked RDP endpoint or piece of networking equipment can find its way from the hands of a low-level attacker running some publicly-shared exploit to professional malware gangs operating ransomware or POS malware.