We sat down with Rapid7’s senior director of threat analytics to unpack how initial access brokers operate and their place in the cyber crime ecosystem.
While it’s ransomware gangs that tend to make the news, they’re just one part of the cyber criminal landscape, and they often rely on the services of what are called “initial access brokers” – hackers who have successfully gotten inside a network and are now selling that access on.
Posts by such brokers are common on hacking forums, particularly Russian-language forums.
They’re difficult to report on in the same way as other forms of cyber crime because, as a rule, initial access brokers don’t name the company they’ve penetrated. One broker on a Russian-language forum, for instance, offered access to an Australian grocery company on 31 July without identifying it.
The post was headed “VPN FortiGate 2 Access Australia 12-17kk”. That header gives the company’s firewall vendor, its location and its yearly revenue, in this case between $12.6 million and $17.5 million, a figure that was likely scraped from the B2B database ZoomInfo.
The rest of the post goes into more detail, listing the company’s industry and the nature of the access being sold.
“To each of the VPN accesses, there is access to the RDP network: Local Admin and Domain User,” the post, made by a hacker posting under the name Professorkliq, said.
The post also listed pricing details in the usual format for such posts:
Start: $200
Step: $100
Blitz: $800
This means the bidding starts at US$200, and increases by bids of US$100. Alternatively, if someone wants to buy access outright, it will cost US$800.
Professorkliq has made four such posts since first appearing on the scene in April. The other three victims are American organisations. And, of course, he’s just one of many initial access brokers selling access to organisations around the world.
RAMPing up attacks
And that’s just on the forums that we have some visibility into. One of the most influential forums, however, is called RAMP, which stands for Ransomware and Advanced Malware Protection. It is also one of the most exclusive, with a US$500 membership fee alongside a yearly charge of US$120, but it has more than 14,000 registered members, speaking predominantly Russian, Chinese, and English.
Christiaan Beek, senior director of threat analytics at Rapid7, recently analysed months of posts on the RAMP forum to help understand the role access brokers play and how their business model works.
“The whole business model for our ransomware groups has changed,” Beek told Cyber Daily.
“Normally, if you asked this question a few years ago, I’d say, ‘Yeah, ransomware groups were doing everything in-house themselves.’ But now it’s more like a dynamic, surface-oriented model where [ransomware gangs] are buying this stuff.”
According to Beek, initial access brokers are always on the lookout for newly announced vulnerabilities that may give them access to sell on. They’ll examine each new vulnerability to see how easily and quickly it can be exploited, and then act.
“Then they immediately start to attack companies with that vulnerability – especially if you look at some of the edge devices, which is a trend we saw already happening in the last year. But especially think about the gateways, security products, VPNs – stuff that’s highly targeted,” Beek said.
The brokers are particularly adept at targeting organisations that don’t have any kind of multifactor authentication enabled. They’re highly opportunistic and operate with a very small footprint – they’re not doing anything on the network other than gaining access before selling that on.
“If you think in military terms, they build a beachhead. They have to establish a beachhead, and then stay silent,” Beek said.
“Then, they either already have relationships with ransomware groups where they say, ‘Hey, we have access to this particular victim’. And the funny thing is they also did their homework. So they go to these financial sites, they check the revenue of this company, and you see it back in the advertisements.”
A company’s revenue, its headcount and its industry, together with the amount of reconnaissance the broker has performed, all influence the price that access is sold for.
“If they give you VPN access at an admin level, that’s the highest price they can ask, especially if the company makes a lot of revenue. If you’re logging in over VPN and it’s a successful login, probably nobody will notice that; it’s lost in the noise of so many people logging in,” Beek said.
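Beek’s point that a successful VPN login disappears into the noise, combined with the earlier observation that brokers favour organisations without multifactor authentication, is the kind of thing a defender can triage directly from authentication logs. The following is an added example, not code from the article or from Rapid7: it takes a constructed, hypothetical VPN authentication log (the field layout and all sample events are invented) plus a baseline of source IPs each account has used before, and surfaces successful logins that lack MFA, come from a source IP not previously seen for that account, or come from an IP that is being used against several accounts.

```python
"""Triage successful VPN logins that would otherwise be lost in the noise.

Added example (not from the article or Rapid7). The log format, field
names, account names, IP addresses and baseline below are all constructed
for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log. Hypothetical line format:
#   <timestamp> <user> <success|failure> <source_ip> mfa=<yes|no>
SAMPLE_LOG = """\
2024-07-30T08:01:12Z alice success 203.0.113.10 mfa=yes
2024-07-30T08:03:45Z bob success 198.51.100.7 mfa=yes
2024-07-30T08:04:02Z svc_backup success 203.0.113.44 mfa=no
2024-07-30T08:10:19Z alice success 203.0.113.10 mfa=yes
2024-07-31T02:17:33Z svc_backup success 192.0.2.99 mfa=no
2024-07-31T02:18:01Z bob failure 192.0.2.99 mfa=yes
2024-07-31T02:20:47Z alice success 192.0.2.99 mfa=yes
"""

# Constructed baseline: source IPs each account has historically used.
BASELINE = {
    "alice": {"203.0.113.10"},
    "bob": {"198.51.100.7"},
    "svc_backup": {"203.0.113.44"},
}


@dataclass
class Event:
    ts: str
    user: str
    result: str
    src_ip: str
    mfa: bool


def parse_line(line: str) -> Event:
    """Parse one log line of the hypothetical format above."""
    ts, user, result, src_ip, mfa = line.split()
    return Event(ts, user, result, src_ip, mfa == "mfa=yes")


def parse_log(text: str) -> list[Event]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def users_per_ip(events: list[Event]) -> dict[str, set[str]]:
    """Map each source IP to the set of accounts it was tried against,
    counting failures too: one IP walking several accounts is a signal."""
    m: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        m[ev.src_ip].add(ev.user)
    return m


def find_suspicious_logins(events, known_ips=None, share_threshold=2):
    """Return [(event, reasons)] for successful logins worth a second look.

    reasons may contain:
      no_mfa                    - the login completed without MFA
      new_source_ip             - account never seen from this IP before
      ip_shared_across_accounts - IP used against >= share_threshold accounts
    """
    events = list(events)
    seen: dict[str, set[str]] = defaultdict(set)
    for user, ips in (known_ips or {}).items():
        seen[user].update(ips)
    shared = users_per_ip(events)

    findings = []
    for ev in events:
        if ev.result != "success":
            continue  # failures feed users_per_ip but are not findings here
        reasons = []
        if not ev.mfa:
            reasons.append("no_mfa")
        if ev.src_ip not in seen[ev.user]:
            reasons.append("new_source_ip")
        if len(shared[ev.src_ip]) >= share_threshold:
            reasons.append("ip_shared_across_accounts")
        seen[ev.user].add(ev.src_ip)  # later logins from this IP are "known"
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    for ev, reasons in find_suspicious_logins(parse_log(SAMPLE_LOG), BASELINE):
        print(f"{ev.ts} {ev.user:<11} {ev.src_ip:<14} {','.join(reasons)}")
```

On the constructed sample this flags three of the five successful logins: the service account that never uses MFA, the same account again from a source IP that is new for it and is also being tried against two other accounts, and a user whose otherwise normal MFA-backed login arrives from that shared IP. Each of those is the sort of quiet, successful login Beek describes; the baseline dictionary would in practice be built from a longer history rather than hard-coded.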
That said, some ransomware gangs are still keeping everything in-house and actively looking to recruit initial access specialists.
“One of the new groups, we see that they want to do everything back in-house, so they’re asking for hackers that can support that access. Some of these crews are specifically recruiting for these kinds of people,” Beek said.
“And what you notice as well, is they’re asking for people with knowledge of VMware or VMware ESXi, the virtual environment, because that’s also a big target.”
Picking the victims
Beek also said he’d seen a change in victimology in recent times. In the past, ransomware gangs would often look for bigger targets, with presumably more money to spend on ransoms, but now they’re looking for targets in the middle range, and more of them. At the same time, many operators are now ditching self-imposed bans on targeting victims in industries such as healthcare.
As to the time it takes between gaining that initial access, selling it, and then seeing that access exploited, the whole process can be remarkably fast.
“It ranges from weeks to days. I’ve seen one where a recent vulnerability was being used by the access brokers – they gained access, and we saw that this was being sold on RAMP within a day,” Beek said.
“Actually, because of the description of that particular access, I had a big hunch of what the victim could be. And then suddenly we saw on the leak post, this particular company was breached.
“It was really, like, within four or five days.”
You can read more about brokers and the ransomware ecosystem they support in Rapid7’s Ransomware Radar Report.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.