A growing class of cyber criminals is playing an important role on underground marketplaces by breaching corporate networks and selling access to the highest bidder to exploit however they please.
The buying and selling of stolen login credentials and other forms of remote access to networks has long been a part of the dark web ecosystem, but according to analysis by cybersecurity researchers at Digital Shadows, there's been a notable increase in listings by 'Initial Access Brokers' over the course of the past year.
These brokers work to hack into networks but, rather than making profit by conducting their own cyber campaigns, they'll act as a middleman, selling entry to networks on to other criminals, making money from the sales.
Access via Remote Desktop Protocol (RDP) is the most sought-after listing by cyber criminals. This can provide stealthy remote access to an entire corporate network because it can allow attackers to start from legitimate login credentials to remotely control a computer, so they are much less likely to arouse suspicion of nefarious activity.
This demand – and the potential access it offers – is reflected in the price of listings, with an average selling price for access via RDP starting at $9,765. One likely conclusion is that the higher the price, the higher the number of machines the buyer would be able to access – providing more opportunity for exploitation.
This method of access is particularly popular among ransomware gangs, who can potentially make back what they pay for access many times over by issuing ransom demands of hundreds of thousands or even millions of dollars: $10,000 on initial access is almost nothing, if the target can be squeezed to pay a bitcoin ransom.
Expensive access listings likely reflect the quality of the target, Stefano De Blasi, threat researcher at Digital Shadows, told ZDNet: "for example, RDP access with admin privileges and access to sensitive data."
Selling RDP access isn't a new trend, but the rise in remote working over the past year has seen enterprises suddenly switch to using much more RDP access, providing cyber criminals with additional avenues of attack.
Often, it's relatively simple for the cyber criminals acting as access brokers to find insecure RDP connections with publicly available tools. And it's still common for RDP to be set up with easy-to-guess or default passwords. Ultimately, it's easy money for the seller to take these details and pass them on.
Analysis of some of the most popular forums for selling RDP credentials found that education, healthcare, technology, industrial and telecommunications are the most popular targets. An organisation in any of these industries would be a potentially lucrative target for a ransomware attacker.
Cyber criminals will continue to exploit RDP as a means of breaching networks, so it's important that organisations have a strategy to ensure the security of remote access when it's required – that can be as simple as applying multi-factor authentication and avoiding the use of easily guessable passwords.
"In practice, the fundamentals of protecting information, such as one-time complex passwords and IT monitoring practices, can go a long way in thwarting most superficial attacks," said Blasi.