A new report has found that hackers are currently selling access to 576 different corporate networks around the world for a total of four million dollars, fuelling cyberattack campaigns on global enterprises.
The findings come from the Israel-based cyber-intelligence company KELA, which recently published its 2022 Q3 ransomware research report, covering activity in initial access sales and a spike in the value of such offerings.
While the number of sales for initial network access remained approximately the same as recorded in Q1 and Q2, the cumulative price requested has now reached $4 million.
By comparison, the total value of initial access listings in Q2 of 2022 was around $660,000, a fall in value that aligned with the ransomware hiatus over the summer, which damaged demand.
The path to ransomware attacks
Initial access brokers, or IABs for short, are threat operators who sell access to enterprise networks. They typically obtain this access via webshells, credential theft, or by exploiting known vulnerabilities in hardware that has become publicly exposed.
After acquiring a toehold on the corporate network, the threat operators sell this initial access to other cybercriminals who use it in campaigns to steal confidential data, unleash ransomware, or perform a variety of other malicious activities.
IABs choose not to use the network access themselves for a variety of reasons, including a lack of diverse intrusion abilities or a preference to avoid the risk of increased trouble with the law.
In 2021, many initial access brokers were sidelined by big ransomware gangs. These larger organisations, operating as crime syndicates, created their own dedicated IAB departments, reducing the demand for independent operators. In 2022, however, IABs still play a significant role in the ransomware attack chain.
IAB activity in Q3 of 2022
KELA’s threat analysts observed that in 2022’s third quarter, a total of 110 threat operators posted 576 initial access offerings with a cumulative value of $4 million. On average, the selling price for these listings was around $2,800. KELA researchers also saw a single access offering listed at the staggering price of $3 million but were unable to confirm its legitimacy. For this reason, the offering was excluded from the cybersecurity firm’s figures.
The three leading IABs operated as large-scale enterprises, offering from 40 to 100 accesses for purchase in 2022’s third quarter. Based on discussions in online hacking forums and listing removal events within the marketplace, the average time it takes to sell corporate access is about 1.6 days. Most of the accesses for sale were either Virtual Private Network (VPN) or Remote Desktop Protocol (RDP) access.
The country that was the most targeted in the third quarter of this year was the United States, which accounted for 30.4 per cent of all IAB online offerings. This statistic is close to the 39.1 per cent share of ransomware attacks aimed at US enterprises for the same period. The most targeted sectors were manufacturing, technology and professional services.