Initial Access Brokers Pivotal in Organized Cybercrime
A successful cyber-attack by ransomware, data extortion, Advanced Persistent Threat (APT) groups, and other sophisticated cybercriminals is typically preceded by an initial compromise of the victim’s enterprise network.
The massive rise in ransomware attacks and organized cybercrime activity is enabled in part by a market in which initial access to compromised networks is bought and sold on underground forums. Purchasing such access is one of the third-party resources that sophisticated cybercriminals use to enter a victim’s network and then expand their foothold.
“According to the MITRE ATT&CK® threat intelligence framework, the Initial Access tactic comprises a set of techniques that are leveraged by threat actors to gain an initial foothold within a targeted network.”
What are Initial Access Brokers (IABs)?
Initial Access Brokers are financially motivated Threat Actors (TAs) that obtain access to enterprise networks using a variety of tactics and then sell that access to Ransomware-as-a-Service (RaaS) operators, APT groups, and other cybercriminals on cybercrime forums, giving the buyers a larger pool of targets. The buyers, in turn, can steal data and deploy ransomware or other malware without having to carry out the initial intrusion themselves, and so without leaving their own footprints in the network during that phase.
Tactics, Techniques, and Procedures
Threat actors have been observed employing various Tactics, Techniques, and Procedures (TTPs) to gain initial access to targeted networks. Our research identified the following major techniques leveraged in the recent past by the Initial Access Brokers active on underground forums:
“Valid Accounts” and “External Remote Services” Techniques:
According to the MITRE ATT&CK® threat intelligence framework, “Valid Accounts (T1078)” and “External Remote Services (T1133)” are two of the techniques grouped under the Initial Access tactic. Access brokers using them illegitimately obtain credentials for Active Directory, Virtual Private Network (VPN), Outlook Web Access (OWA), Remote Desktop Protocol (RDP), Citrix and similar remote-access and virtualization accounts used by enterprises.
The threat actors then use these credentials against the enterprise’s external-facing remote services to gain access to its infrastructure. Services like VPNs, Citrix, and other remote access mechanisms exist precisely to let corporate users reach internal network resources from an external network, so a valid credential gives an attacker the same path in.
“Phishing” Techniques:
According to the MITRE ATT&CK® threat intelligence framework, the “Phishing (T1566)” technique under the Initial Access tactic is employed by threat actors to send victims emails containing malicious attachments or links, typically to execute malicious payloads on victim systems. Phishing may also be conducted via third-party services, such as social media platforms, and may involve social engineering techniques, such as posing as a trusted source.
In spear phishing, threat actors target a specific individual, company, or industry; by contrast, non-targeted phishing, such as mass malware spam campaigns, is sent indiscriminately to as many recipients as possible.
A summary of other techniques that we observed threat actors leveraging to obtain initial access:
- Corporate account logins captured in information-stealer malware logs and resold.
- Exploitation of access control misconfigurations on exposed systems.
- Large-scale scanning to identify open ports and exposed services.
- Brute-force and password-guessing attacks against access points exposed to the internet.
- Remote Code Execution (RCE) vulnerabilities in RDP, VPN, Citrix, and other remote-access and virtualization products.
- Insiders leveraging or selling their legitimate access to enable further attacks.
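Several of the techniques above (stolen or guessed credentials used against exposed VPN and RDP gateways) leave a recognisable trace in the gateway’s authentication log: a burst of failures from one source, followed by a success. The following detector, added here as an illustration and not part of Cyble’s own tooling, parses a constructed syslog-style log (the line format, field names, thresholds and sample IPs are all assumptions) and flags password spraying, single-account brute forcing, and the “success after failures” moment at which an access broker actually obtains a working Valid Account. It deliberately does not alert on a single typo followed by a successful login.

```python
"""Flag brute-force, password-spray and 'success after failures' events in
remote-access authentication logs (VPN / RDP gateway).

Added example for this article; it is not Cyble's tooling. The log format,
field names, sample addresses and thresholds below are assumptions chosen
for illustration; adapt LINE_RE to your gateway's real syslog format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). 203.0.113.7 sprays one password
# across many accounts and then succeeds on 'frank'; 192.0.2.9 brute-forces
# 'carol'; 198.51.100.21 is a legitimate user who mistyped a password once.
SAMPLE_LOG = """\
2022-06-13T02:14:05Z vpn-gw auth: user=alice src=203.0.113.7 result=FAIL
2022-06-13T02:14:06Z vpn-gw auth: user=bob src=203.0.113.7 result=FAIL
2022-06-13T02:14:07Z vpn-gw auth: user=carol src=203.0.113.7 result=FAIL
2022-06-13T02:14:08Z vpn-gw auth: user=dave src=203.0.113.7 result=FAIL
2022-06-13T02:14:09Z vpn-gw auth: user=erin src=203.0.113.7 result=FAIL
2022-06-13T02:14:11Z vpn-gw auth: user=frank src=203.0.113.7 result=OK
2022-06-13T02:30:00Z vpn-gw auth: user=bob src=198.51.100.21 result=FAIL
2022-06-13T02:30:30Z vpn-gw auth: user=bob src=198.51.100.21 result=OK
2022-06-13T03:01:00Z vpn-gw auth: user=carol src=192.0.2.9 result=FAIL
2022-06-13T03:01:02Z vpn-gw auth: user=carol src=192.0.2.9 result=FAIL
2022-06-13T03:01:04Z vpn-gw auth: user=carol src=192.0.2.9 result=FAIL
2022-06-13T03:01:06Z vpn-gw auth: user=carol src=192.0.2.9 result=OK
2022-06-13T03:05:00Z vpn-gw auth: user=dave src=198.51.100.50 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Assumed thresholds; tune them to the volume and user base of your gateway.
SPRAY_MIN_USERS = 5                    # distinct accounts failed from one source...
SPRAY_WINDOW = timedelta(minutes=10)   # ...within this window
BRUTE_MIN_FAILS = 3                    # failures on one account from one source
SUCCESS_AFTER_FAILS = 2                # failures on (src, user) before a success is suspicious


def parse(log_text):
    """Parse log lines into event dicts sorted by time; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "src": m["src"],
            "ok": m["result"] == "OK",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events):
    """Return alert dicts in the order they fire."""
    alerts = []
    fails_by_src = defaultdict(list)       # src -> [(ts, user), ...]
    fails_by_src_user = defaultdict(int)   # (src, user) -> failure count
    spray_sources = set()
    for e in events:
        src, user = e["src"], e["user"]
        if not e["ok"]:
            fails_by_src[src].append((e["ts"], user))
            fails_by_src_user[(src, user)] += 1
            # Password spray: one source failing against many accounts in a short window.
            recent_users = {u for t, u in fails_by_src[src] if e["ts"] - t <= SPRAY_WINDOW}
            if len(recent_users) >= SPRAY_MIN_USERS and src not in spray_sources:
                spray_sources.add(src)
                alerts.append({"type": "password_spray", "src": src,
                               "users": sorted(recent_users)})
            # Brute force: repeated failures on one account (fires once, at the threshold).
            if fails_by_src_user[(src, user)] == BRUTE_MIN_FAILS:
                alerts.append({"type": "brute_force", "src": src, "user": user})
        else:
            # A success from a spraying source, or after repeated failures on this
            # account, is the moment the attacker holds a working "Valid Account":
            # investigate and reset the credential. A single failure followed by a
            # success (a typo) is deliberately not alerted on.
            if src in spray_sources or fails_by_src_user[(src, user)] >= SUCCESS_AFTER_FAILS:
                alerts.append({"type": "success_after_failures", "src": src, "user": user,
                               "prior_failures_from_src": len(fails_by_src[src])})
    return alerts


def analyze(log_text):
    """Convenience wrapper: parse then detect."""
    return detect(parse(log_text))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the detector raises four alerts: a password spray from 203.0.113.7 against five accounts, the subsequent successful login as frank from that same source, a brute force against carol from 192.0.2.9, and carol’s eventual successful login from it. The benign typo-then-success for bob produces nothing. In production, the “success after failures” alert is the one to route straight to the incident responders, since it marks the point at which a broker has a credential worth selling.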
Notable initial access activity
In Q2 2022, Cyble Research Labs observed and investigated over 150 advertisement threads for the sale and purchase of initial access posted by TAs on various underground forums. A few examples:
- A TA auctioned a domain administrator account on a major cybercrime forum, allegedly belonging to an undisclosed Italy-based oil refinery worth USD 245 Million. The same TA has consistently tried to sell unauthorized access to various organizations on this forum.
- An auction advertisement for the Citrix user account of a global insurance provider with a revenue of USD 5 Billion was posted on an active cybercrime forum.
- We identified another TA selling a Microsoft Azure account with administrative privileges belonging to a US-based Banking, Financial Services and Insurance (BFSI) company worth USD 32 Billion.
- Further, a TA was observed sharing a database allegedly containing around a million records of corporate email addresses and passwords. The database comprised corporate credentials from various industries, including Information Technology, Banking, and Finance. The TA has been a long-standing member of this prominent cybercrime forum and offers a subscription-based service selling email credentials for various enterprises.
- On another thread, a TA claiming to be a group of penetration testers sought to purchase initial access to Virtual Private Network (VPN) and Remote Desktop Protocol (RDP) accounts, along with bots to exploit these accesses. Since initial access has become a lucrative source of income for newcomers to the cybercrime community, we are increasingly observing TAs with no prior track record trying to buy access in order to reduce the effort needed to compromise enterprise infrastructure.
- A TA offered to sell a local administrator account in a domain allegedly belonging to an undisclosed U.S.-based banking organization with USD 600 million in revenue.
Initial Access Sold on Cybercrime Forums, Possibly Leveraged for Recent Ransomware Attacks
We have summarized our observations on recent, possibly-related incidents below:
- On April 14, 2022, Cyble Research Labs identified a Threat Actor (TA) on a Russian cybercrime forum allegedly offering to sell unauthorized access to an undisclosed Indian organization with a revenue of USD 734 Million. Information from the source led us to identify the possibly impacted organization as an India-based heavy equipment manufacturing company.
On June 25, 2022, the online media platform the420.in published news reporting that the organization mentioned above had been targeted in a ransomware attack. The ransomware group behind the attack remains unidentified. Based on the attack timeline, we believe that the initial access sold by the TA mentioned above could have been leveraged as the primary attack vector for the reported ransomware attack.
- In another instance, on June 13, 2022, a TA on a cybercrime forum offered to sell access to multiple organizations. Our source identified one of the possibly impacted organizations as a Middle Eastern flag carrier airline.
On June 20, 2022, the LockBit 2.0 ransomware group claimed to have compromised the same airline and published its data on their leak site on June 27, 2022. While initial speculation suggested that the ransomware attack might have originated from the initial access sold by the TA on June 13, 2022, we did not find solid evidence that the two incidents were related.
- It is worth mentioning that ransomware groups are highly active on cybercrime forums and frequently liaise with Initial Access Brokers (IABs) to purchase unauthorized access. The following screenshot illustrates a reaction posted by the LockBit 2.0 support account on an advertisement posted by an IAB on a Russian cybercrime forum.
Enterprises may implement the following measures to counter such attacks:
- Limit remote access to internal resources to managed remote access systems such as VPNs and remote access gateways, rather than exposing internal services directly.
- Define rules on network proxies, gateways, and firewalls that deny direct remote access to internal systems.
- Regularly audit user accounts for unusual or suspicious activity, and deactivate or remove any that are no longer needed.
- Ensure applications store sensitive data and user credentials using recommended encryption and password-hashing methods.
- Use network intrusion prevention systems and email security systems that scan for and remove malicious attachments or links.
- Continuously educate employees and third-party vendors so they can recognise and avoid spear-phishing campaigns.
- Conduct regular vulnerability assessments of the network and patch proactively.
- Commission red team assessments of the infrastructure from reputable security consultants.
- Properly segregate access points that are meant to be exposed to the internet from the internal network.
- Mandate reliable, up-to-date anti-virus software and host firewalls.
- Implement two-factor or multi-factor authentication for corporate accounts, in particular those used for remote access.
- Report to the relevant computer emergency response team in case of a ransomware incident.
- Never open untrusted links and email attachments without verifying their authenticity.
Cybercriminals have been improving their tactics and acquiring sophisticated tools and techniques to stay ahead of law enforcement agencies (LEA) and the cybersecurity community. We have observed IABs playing a notorious role in the organized cybercrime ecosystem. Cybercriminals, including ransomware groups, have created this convenient arrangement to monetize their efforts, thereby reducing their risk and adding further layers of anonymity.
IABs are a major threat to enterprises, and monitoring such threats to avert business, financial and reputational loss is imperative. Cyble Research Labs will continue to proactively monitor threat activity and attack trends surfacing from cybercrime forums and marketplaces.