Network defenders are often tasked with piecing together the succession of events that enabled an attacker to access the network. To do so, they need to ask specific questions: How did the attackers get in? What did they do to enter the network? What actions did they take once inside that allowed them to increase their access level? These are the questions incident responders routinely need to answer.
Seeking the answers to these used to be relatively simple: “An employee opened a malicious email” was a common answer to the first entry question, for example. Unfortunately, finding answers is not as straightforward these days since modern criminals have upped their game considerably. Nowadays, that question often goes unanswered.
There is a new thriving business model in underground forums where so-called access brokers sell breached credentials or direct access to corporations everywhere to other criminals. Ransomware attackers, for instance, might not need to exploit a vulnerability or spam infectious emails to gain initial access — now they can just buy their way in.
Access brokers now offer what we call access as a service. These criminals provide other malicious actors a way into corporate networks for a price, paving the way for the actual damaging attacks. The existence of this new underground marketplace is the source of the disconnect between an initial corporate breach and the subsequent attacks that follow days or even months after.
Even though we call it “as a service,” this is not an actual service wherein the criminals continue to provide the service after it is sold: Rather, it is something that the seller sells and then forgets. What is provided is actually more akin to a digital product. The term “as a service,” therefore, comes from comparing this new model to other similar offerings, such as “ransomware as a service” (RaaS).
Access brokers in the criminal underground often advertise this service like it’s a cinema ticket: Somebody buys this ticket, and they get straight in. In reality, however, things are a bit different. For example, what exactly do customers get in exchange for their money? Sometimes, it’s access to a web shell or a similar straightforward method of getting a command prompt into the compromised network. More often than not, however, it’s just a set of credentials and a virtual private network (VPN) server to connect to.
This also allows the seller to establish trust with the buyer from the very beginning, since it’s just a matter of logging into the network on a shared remote session and showing proof of having access to network resources. This would be the equivalent of walking with the customer into the compromised premises and showing them the interiors as proof that the stolen keys are real, like a twisted digital version of a real estate broker.
In addition to examining the service itself, we also delve deeper into the business plan of ransomware operators using these kinds of offerings. Ransomware is often connected to access as a service because this criminal offering has enabled ransomware to reach new heights of infection. Ransomware is also the most commonly deployed payload once attackers finally make it inside a targeted network, thus making this class of malware worth exploring to understand how modern malicious actors get inside the network.
Where do the credentials come from?
Access brokers source the credentials they sell from many different places, and when they peddle their wares on criminal forums, they often plainly state where the credentials come from. The credentials can be in the public domain, can come from exchanges with other attackers, or can originate from vulnerability exploitation or other attacks. It’s worth noting that the access brokers could have performed these attacks themselves, or they could have purchased the credentials from other malicious actors.
One of the main services that access brokers provide is credential validation. Regardless of the source of the credentials, established access brokers always try to check whether username and password pairs work, either by trying them manually or by using specialized scripts that do this at scale. When validating credentials from a breach, access brokers often try them both on the breached site and on the victim’s corporate or official site. For example, in a breach involving the theoretical website socialmedia.com, the credentials of a hypothetical employee, firstname.lastname@example.org, are out in the open. Access sellers will then check if these credentials are valid on both socialmedia.com and corporation.com.
The following subsections discuss the most frequent sources of stolen credentials that we have observed so far. It should be noted, however, that there might be other sources that we do not know about.
Setting up shop
Just like other business operators, access brokers need reliable ways to market their offerings. During our research, we identified a few access broker profiles; the sellers we see usually fit one of the following groups:
- Opportunistic sellers tend to offer one-off access, typically advertising their offerings in criminal web-based forums.
- Dedicated brokers, on the other hand, have access to an array of different companies that they advertise in wider underground networks. They also reach out directly to common associates who act as affiliates.
- Online shops comprise a group of sellers who offer a variety of criminal data. The listings in these dedicated shops are not pre-analyzed, and they only guarantee access to a single machine, not to a network or a corporation.
In the next subsections, we discuss these three types of access brokers further.
Access-as-a-service underground market analysis
We explored over 900 access broker listings offered for sale from January to August 2021 on multiple English- and Russian-language underground cybercriminal forums. We did not see any significant price differences between English- and Russian-language forums. From January to August, we observed that 43% of all access broker advertisements targeted businesses in the European region, followed by North America with 24% and Asia with 14%.
Figure 11. Access as a service offerings by region during the last eight months
RDP- and VPN-based access was the most common product being offered. After looking at over a thousand advertisements, we noted that 36% offered access to colleges, universities, and K-12 schools, followed by 11% that offered access to manufacturing and professional services.
According to “The State of K-12 Cybersecurity: 2020 Year in Review,” in 2020, the US had a record-breaking number of data breaches targeting the education sector. When the pandemic started, remote learning became mandatory for several months, and many companies were forced to implement work-from-home (WFH) setups with little to no preparation on the security side.
Schools are an ideal target because they present a gold mine of personal information such as financial data, medical records, and Social Security numbers, all of which can be sold on cybercriminal forums or held for ransom. Another possible factor is that schools and universities generally have limited security budgets and they tend to be more open and less tightly controlled than corporations.
Ransomware threats disrupted these industries significantly in 2020 and this was, in no small part, due to access as a service becoming more available in the underground. These ransomware attacks resulted in substantial losses in production and also disrupted operations. In one of the case studies that we examine in this research, we show how access brokers work with ransomware groups to facilitate these attacks.
Figure 12. Sales offerings by industry during the last eight months
The top affected countries included the United States, Spain, Germany, France, and the United Kingdom. For Germany, the top two industries that had access sold in the underground were manufacturing with 28% and education with 26%. Meanwhile, sales offerings for France were largely in the educational sector with 33%. In the USA, 50% of the offerings targeted schools and universities, with professional services following at a distant 12%.
Figure 13. Sales offering by industry for the US
Figure 14. Sales offerings by industry for the UK
Figure 15. Sales offering by industry for Germany
Figure 16. Sales offerings by industry for France
Figure 17. Sales offerings by industry for Spain
Figure 18. RDP offerings from France, Germany, and UK
Figure 19. A ransomware operator looking for partners after obtaining access to several German companies
Figure 20. A malicious actor selling access to an energy company located in Germany
Figure 21. USA RDP access for sale
In the previous section on RDP and VPN shops, we quoted the prices for access to individual machines as ranging from US$5 to US$10. In this section, we discuss the pricing for access to the systems of whole organizations. These offerings typically involve higher levels of access that let an intruder reach more resources, reflecting work the seller already performed beforehand to obtain that access. As a result, the prices for these products are higher.
Pricing depends on the following: what the access broker is advertising, the type of access, and the annual revenue of a company. Most dedicated access brokers will not publicly disclose their prices but will advertise the type of company, annual revenue, and access levels instead. Business is always done through private or direct messages.
Annual revenue is important to potential ransomware clients as this would help determine if the victim can afford the ransom. This information is gathered through websites such as ZoomInfo, which provides financial data on companies.
For brokers that do list prices, we found that the average price for access to a business with admin credentials is US$8,500; however, prices can reach up to US$100,000. It’s worth noting that prices in the upper range can certainly be negotiable. In an English-language forum, we found one example of an offering for access to an oil company with US$64 billion in revenue. The threat actor behind the offering was asking for US$10,000 in exchange for access to the system. Normally, access brokers tend to demand higher prices for access to energy and financial companies than for companies in other businesses, since the former garner larger revenues.
As a result, ransomware operators can demand a higher ransom amount from these companies, and threat actors can sell the vast quantities of personally identifiable information (PII) found in the databases of these companies separately, starting at US$200. One example is the data of an electronic audio company in Singapore being sold for US$1,500.
Figure 22. An advertisement for a database of an audio electronics company. The price is advertised at US$1,500.
Figure 23. An advertisement in an English-language forum for admin access to oil, nuclear, and petroleum companies. The price ranges from US$3,000 to US$10,000.
VPN access does not require as much money as admin offerings since the market is flooded with a greater number of VPN choices, which lowers the overall price, especially considering that dedicated VPN shops also exist. One example we found was for access to a US-based clinic that was being sold for US$3,000 on a Russian-language forum. Another entry we saw involved VPN access to a marketing company with revenues of US$27 million a year being peddled for US$800. VPN access to a metal construction company based in Malaysia with a US$5 million annual revenue, on the other hand, was being sold for US$300.
In general, products that allow for an initial foothold into the target company tend to be cheaper than a domain admin or other more powerful ways to access the network. Simply put, the less work a buyer needs to do, the more expensive an offering is.
Figure 24. An advertisement in a Russian-language forum selling access to a US-based clinic
In this section, we discuss three case studies that illustrate some of the seller profiles discussed previously. Since these are stories of real companies that have been victimized, we have masked their identities to protect their privacy.
Ransomware and access as a service
Even though ransomware is not the only criminal payload that follows an intrusion, it is probably the most common one and the one most readers are likely concerned about. We elaborate on other payloads in our research, “The Life Cycle of a Compromised (Cloud) Server.”
Most of the time, it is access brokers who carry out the network breach that allows a ransomware attack to succeed. Even though ransomware still has by far the most visible impact during such a breach, the enablers of those attacks are usually the ones that quietly break in and then sell access to other malicious actors.
Usually, profits from ransom payments tend to be divided into 80% for the ransomware group and 20% for whoever provided them the way in. We estimate that most of the time, ransomware attacks succeed because someone provided the ransomware group access to the target network, whether this someone is an access seller or a single hacker, as in the case study we previously discussed.
On a side note, in the affiliate model, the splits are reversed: The ransomware group receives 20%, and the affiliate receives 80%. In this model, the affiliates are expected to do the ransom negotiation; therefore, the payout is higher for them. Obviously, ransomware groups prefer the current access model that is becoming prevalent in the cybercriminal underground.
Because the ransomware payload is the most visible part of the attack, defenders tend to focus primarily on this. Consequently, most security discussions focus on ransomware attacks instead of on monitoring and mitigating the actions of access brokers. The same can be said regarding the media attention that ransomware groups regularly garner in contrast to access brokers.
| | Ransomware groups | Access brokers |
|---|---|---|
| Visibility to victim | 90% | 10% |
| Responsibility over attack | 20% | 80% |
Figure 32. An estimate of the division between ransomware groups and access brokers for profits, media attention, visibility to the victim, and responsibility over the attack
Recommended defense strategies
Defenders have typically focused their attention on preventing and mitigating the effects that attackers have on their networks, with ransomware receiving a large share of that attention. Security best practices such as maintaining effective backups, monitoring for mass-encryption attempts, monitoring for malicious emails, and shielding users from their effects are excellent preventive measures, but network defenders are not limited to these steps.
In this section, we propose additional steps that cybersecurity staff and network defenders can take in order to counteract the changes in attacker behavior we have previously outlined. These are all aimed at detecting and preventing the initial breach that allows a subsequent ransomware attack.
- First, monitor for public breaches (if you are not doing so already). This means looking at password breaches whenever they are made public. In addition, it would be helpful to monitor the criminal underground, and to regularly look for signs of a breach on your network. Any offer of access to your network should immediately raise red flags. If you do not have resources to do this monitoring yourself, consider purchasing such a service from a dedicated security provider.
- If you suspect that some of your credentials are out in the open, trigger a password reset for all your users. Consider resetting the credentials of your system and service accounts as well.
- Strongly consider setting up a two-factor authentication (2FA) system for your remote users, if you have not yet done so. This will go a long way toward preventing attackers from accessing your network via leaked credentials.
- After an attack, allow your incident response (IR) team to factor in the very common multi-attacker scenario that we explained previously. Modern attacks happen in two or more stages, where the initial attackers are responsible for setting up and maintaining external access, after which they will sell the access to other threat actors who will perform the real attack. These separate attack points are different with respect to their timing and modi operandi. Keeping this in mind can change the way IR teams set up their investigations.
- Monitor user behavior by looking for things that users should not be doing. Credential dumping, network scanning, and other unusual activities should raise red flags that any Security Information and Event Management (SIEM) or managed detection and response (MDR) product should be able to pick up. Monitor your SIEM/MDR logs and set alerts. If you do not have these kinds of products, consider acquiring them in order to increase your visibility across the network.
- Keep a watchful eye on your DMZ. Assume that your internet-facing services (VPN, webmail, web servers, among others) are under constant attack in a hostile environment. These are the most important machines to keep fully patched. Regularly rotate passwords, keep installations to an absolute minimum, and enable 2FA. Also, it is safer to assume that these machines are compromised at all times and that, therefore, all inbound connections from them are also potentially malicious.
- Implement network segmentation and microsegmentation to hinder lateral movement and support security monitoring. Organizations can benefit from segmenting office and server networks to effectively limit an attacker’s scope of compromise. This can be done by microsegmenting information systems, using properly defended management networks to protect underlying administrative interfaces on network infrastructure, and employing virtualization and cloud infrastructures.
- Consider using standard best practices on password policies. Organizations such as the National Institute of Standards and Technology (NIST) in the US and the European Union Agency for Cybersecurity (ENISA) in Europe have updated guidelines on this topic that are worth looking at, if you haven’t already. In particular, we recommend their collection of updated password guidelines as compiled on GitHub.
- If you are especially cautious, assume your users have already lost their passwords to criminals and therefore, you have been breached already and are always exposed. This would then force you to implement a form of zero trust architecture and security posture across your network.
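The breach-monitoring, reset and password-policy recommendations above can be turned into a small screening tool. The Python below is an added example and not code from the original report: it matches a published "email:secret" dump against an organization's user directory to produce the list of accounts that must be reset, and it checks proposed passwords against the rules in NIST SP 800-63B section 5.1.1.2 (minimum length, no composition rules, rejection of compromised values, context-specific words, and repetitive or sequential runs). The directory, the dump, the compromised-password corpus, the user `jane.doe` and the function names are all constructed for this example; `corporation.com` is the same hypothetical domain the text uses.

```python
"""Match a published breach dump against an organization's directory and screen
new passwords the way NIST SP 800-63B (section 5.1.1.2) recommends.

Added example, not code from the original report. The directory, the dump and
the compromised-password corpus are constructed; the function names are this
example's own.
"""
import hashlib
import re

# Constructed user directory for the hypothetical corporation.com.
DIRECTORY = {
    "firstname.lastname@corporation.com": "firstname.lastname",
    "jane.doe@corporation.com": "jane.doe",
    "svc-backup@corporation.com": "svc-backup",
}

# Constructed dump in the common "email:secret" form; casing and whitespace vary,
# and the secret may be a plaintext password or a hash.
BREACH_DUMP = """
Firstname.Lastname@Corporation.com:Summer2021!
someone@socialmedia.com:hunter2
JANE.DOE@corporation.com :$2y$10$abcdefghijklmnopqrstuv
jane.doe@corporation.com:Summer2021!
nobody@example.org:password
"""


def accounts_to_reset(dump: str, directory: dict) -> dict:
    """Org accounts present in the dump, with how many dump lines name each one.

    Any hit should trigger a reset; a count above one usually means the address
    appears in several merged breaches."""
    known = {email.lower(): email for email in directory}
    hits = {}
    for raw in dump.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        email = line.split(":", 1)[0].strip().lower()
        if email in known:
            hits[known[email]] = hits.get(known[email], 0) + 1
    return hits


def sha1_upper(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Constructed compromised-password corpus, stored as SHA-1 digests (the format
# of the Have I Been Pwned "Pwned Passwords" set) so that no plaintext list has
# to live on the policy server.
COMPROMISED_SHA1 = {
    sha1_upper(p) for p in ("password", "Summer2021!", "hunter2", "qwerty123", "corporation2021")
}


def has_sequential_run(text: str, n: int = 4) -> bool:
    """True if n consecutive characters step by +1 or -1 in code-point order
    (e.g. 'abcd', '4321'), one of the patterns NIST says to reject."""
    codes = [ord(c) for c in text.lower()]
    for i in range(len(codes) - n + 1):
        window = codes[i:i + n]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def password_findings(password: str, username: str, org_name: str) -> list:
    """Return the reasons a proposed password must be rejected (empty = accept).

    Mirrors 800-63B: at least 8 characters, no composition rules, reject values
    on a compromised list, context-specific words, repetitive or sequential runs."""
    findings = []
    if len(password) < 8:
        findings.append("shorter than 8 characters")
    if sha1_upper(password) in COMPROMISED_SHA1:
        findings.append("found in compromised-password list")
    lowered = password.lower()
    context = [username.lower(), *re.split(r"[._@-]", username.lower()), org_name.lower()]
    for word in dict.fromkeys(w for w in context if len(w) >= 3):  # dedupe, keep order
        if word in lowered:
            findings.append(f"contains context-specific word {word!r}")
    if re.search(r"(.)\1{3,}", password):
        findings.append("repetitive characters")
    if has_sequential_run(password):
        findings.append("sequential characters")
    return findings


if __name__ == "__main__":
    for account, count in accounts_to_reset(BREACH_DUMP, DIRECTORY).items():
        print(f"reset {account}: seen {count} time(s) in dump")
    for candidate in ("Summer2021!", "corporation2021", "abcd1111", "Doe-Pass-99", "Tr0ub4dor&3"):
        print(candidate, "->", password_findings(candidate, "jane.doe", "corporation") or "accepted")
```

Matching is done on the lowercased address only, never on the secret column, since a dump may carry hashes from an unrelated site; the point is that the address belongs to one of your users, which is enough to force a reset. Storing the compromised corpus as SHA-1 digests is what lets the same check run against the public Pwned Passwords data without keeping plaintext lists on the policy server.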
The criminal underground is a dynamic marketplace where the attackers usually acquire the resources to put into practice their criminal business plans and operations. Criminals can buy or license their malware of choice, hire experts to disseminate it, and ultimately profit by selling whatever the attack produced — and typically, attacks produce stolen data.
Until recently, it was common for skilled attackers to buy exploits or vulnerabilities in the criminal underground to try and enter corporate networks. Nowadays, access as a service offerings have simplified attackers’ lives by selling direct access to target networks. This allows attackers to get straight in and allows them to focus more on lateral movement and privilege escalation. Attackers can now spend more time inside the network finding the servers that hold the most interesting data.
Ultimately, the final result is that attacks get into the network sooner and more easily but develop across a longer timeframe. More importantly, this change in attacker behavior needs to be considered when defenders plan their strategy. Monitoring the network for signs of intrusion should focus both on vulnerabilities at the perimeter and on users trying to move laterally within the network and trying to gain increased access to resources. A good defense strategy needs a holistic solution that can look at these two aspects while also factoring in the extended timeframe needed when looking at SIEM and MDR software logs.
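To make the extended-timeframe point concrete, here is an added Python example (not code from the original report) that correlates an anomalous VPN login at the perimeter with a port-scan burst and a credential-dumping alert that only appear 18 to 19 days later. The event schema, the user `jane.doe`, the host `WS-0421`, the timestamps and the detection thresholds (20 distinct internal hosts within five minutes, a 45-day lookback) are all constructed assumptions, not any SIEM or MDR vendor's real format.

```python
"""Correlate an anomalous perimeter login with lateral-movement signals that
only appear weeks later.

Added example, not code from the original report. Every event is constructed
and the field names are an assumed SIEM schema, not any vendor's real one.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"


def ts(value: str) -> datetime:
    return datetime.strptime(value, FMT)


def build_events() -> list:
    """Constructed telemetry for one user: a VPN login from a never-before-seen
    country, then a scan burst and a credential-dumping alert 18-19 days later."""
    events = [
        {"t": "2021-03-01T08:02:11Z", "type": "vpn_login", "user": "jane.doe",
         "src_country": "NL", "result": "success"},
        {"t": "2021-03-02T22:41:03Z", "type": "vpn_login", "user": "jane.doe",
         "src_country": "RO", "result": "success"},  # the bought-in access
        {"t": "2021-03-10T09:12:00Z", "type": "vpn_login", "user": "jane.doe",
         "src_country": "NL", "result": "success"},
    ]
    # 30 SMB connection attempts to distinct internal hosts in under a minute.
    base = ts("2021-03-21T03:15:00Z")
    for i in range(30):
        events.append({"t": (base + timedelta(seconds=2 * i)).strftime(FMT),
                       "type": "netflow", "user": "jane.doe", "src_host": "WS-0421",
                       "dst_host": f"10.20.0.{10 + i}", "dst_port": 445})
    events.append({"t": "2021-03-22T02:05:10Z", "type": "edr_alert", "user": "jane.doe",
                   "src_host": "WS-0421", "category": "credential_dumping"})
    return sorted(events, key=lambda e: e["t"])


def novel_country_logins(events: list) -> list:
    """Successful VPN logins from a country the user has never logged in from.
    The user's very first login only seeds the baseline and is not flagged."""
    seen = defaultdict(set)
    flagged = []
    for e in events:
        if e["type"] != "vpn_login" or e["result"] != "success":
            continue
        if seen[e["user"]] and e["src_country"] not in seen[e["user"]]:
            flagged.append(e)
        seen[e["user"]].add(e["src_country"])
    return flagged


def scan_bursts(events: list, window_minutes: int = 5, threshold: int = 20) -> list:
    """A source host reaching >= threshold distinct internal hosts within the window."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for e in events:
        if e["type"] == "netflow":
            by_host[e["src_host"]].append(e)
    bursts = []
    for host, flows in by_host.items():
        flows.sort(key=lambda e: e["t"])
        best, best_start, start = 0, 0, 0
        for end in range(len(flows)):
            while ts(flows[end]["t"]) - ts(flows[start]["t"]) > window:
                start += 1
            distinct = len({f["dst_host"] for f in flows[start:end + 1]})
            if distinct > best:
                best, best_start = distinct, start
        if best >= threshold:
            bursts.append({"t": flows[best_start]["t"], "type": "network_scan",
                           "user": flows[best_start]["user"], "src_host": host,
                           "targets": best})
    return bursts


def correlate(events: list, lookback_days: int = 45) -> list:
    """Tie each internal signal to an earlier anomalous login by the same user.
    A short lookback (the usual 7 days) silently drops the chain built here."""
    lookback = timedelta(days=lookback_days)
    internal = scan_bursts(events) + [e for e in events if e["type"] == "edr_alert"]
    chains = []
    for login in novel_country_logins(events):
        follow_on = [s for s in internal if s["user"] == login["user"]
                     and timedelta(0) <= ts(s["t"]) - ts(login["t"]) <= lookback]
        if follow_on:
            follow_on.sort(key=lambda s: s["t"])
            chains.append({
                "user": login["user"],
                "initial_access": login["t"],
                "src_country": login["src_country"],
                "follow_on": [(s.get("category", s["type"]), s["t"]) for s in follow_on],
                "days_to_first_signal": (ts(follow_on[0]["t"]) - ts(login["t"])).days,
            })
    return chains


if __name__ == "__main__":
    for chain in correlate(build_events()):
        print(chain)
```

Running `correlate` with the default 45-day lookback links the Romanian login to both later signals; running it with `lookback_days=7` returns nothing, which is exactly the blind spot a perimeter-only or short-window correlation leaves when the initial breach and the follow-on attack are carried out by different actors weeks apart.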
Defenders have a finite number of resources at their disposal, and they need to invest those resources in the most efficient security solutions. We suggest that defenders monitor and prevent illegitimate access to their networks as a viable, effective, and in some ways more reliable method of stopping ransomware and other attacks.
- Access as a service is a recent and more professionalized criminal business model that is based on selling access to networks. From a cybercriminal’s perspective, buying access to a network requires less trust and is cheaper than buying an exploit.
- The access as a service market is rising in prominence while the exploit market is shrinking and becoming more specialized. We elaborate on this topic in our paper, “The Rise and Imminent Fall of the N-Day Exploit Market in the Cybercriminal Underground.”
- If a company can protect itself from credential theft, it will be in a much better position to defend itself against any future breaches.
- The consequences of this shift in attacker behavior cannot be ignored. Adjusting our defenses is key if we want to be successful at keeping these new attackers at bay.