Emerging from the cybersecurity company Intsights is a new report that has uncovered the booming market on the dark web where Cybercriminals can actively buy and sell unauthorized network access. So, cybercriminals can steal thousands of dollars as they are effectively selling breaches.

The cyber threat intelligence advisor at IntSights Paul Prudhomme prior to compiling a study on why criminals sell their network access and how criminals transfer their network access to buyers, examined network access sales on underground Russian and English-language forums.

Paul in his sample study of the data, discovered that more than 37% of all victim’s data were based in North America, at the average price of $9,640 and a median price of $3,000.

Above all, Prudhomme study noted that the network access offered, is the same across the world for ransomware attacks. In other words, more technically skilled cybercriminals on the dark web forums are enabling a decentralized system. Whereby cybercriminals can buy access from other cybercriminals.

For sale on the dark web is the network access credentials of system administrators to remote access into a network. The COVID-19 pandemic has increased the number of people working remotely, therefore the number of remote access into a network for sale has increased as well. Done through RDP and VPNs generally.

In dark web forums and marketplaces, in which many of the most sophisticated ones are in Russian but also English, Spanish, Portuguese and German-language. Here in the dark web cybercriminals share access to numerous malwares, malicious tools, illicit infrastructure, and compromised data, accounts, and payment card details.

In each stage of an attack, cybercriminals seldom have a team of experienced hackers. As a result, they rely in the dark web forums to:

#1 sell what they’ve already stolen

#2 search for malware payloads, hosting infrastructure and access to compromised networks

Prudhomme explains that “this factor is particularly applicable to compromises of specialized environments, such as

#1 those with operational technology (OT)

#2 industrial control systems (ICS)

#3 Supervisory Control and Data Acquisition (SCADA) systems

#4 less traditional type technology and unknown to many attackers

Rarely, but it happens attackers break into a network and find no data that’s of use. In other words, it can’t be stolen or sold. So, it ends up on the dark web where the attacker sells the access to ransomware groups.

The for-sale post on the dark web, offer details of the compromised network access. It can include:

  • the victim
  • the form and level of access for sale
  • the pricing and other transaction details
  • the victims can be identified by location, industry, or sector
  • revenue information is often included

the seller also may include technical descriptions such as

  • types of files and data
  • number and types of machines
  • mention a victim is a potential ransomware target, in the ad, or another technical selling point

The access can be sold on auction or by negotiation.

The most popular type sales are RDP credentials and VPN credentials. And due to the COVID pandemic these credentials are more in use. Secondly, are web shells that can be transferred.

In- order to run many types of malwares, including ransomware, elevated privileges are needed. Therefore, “elevated privileges are a common feature of these sales, but not a universal one, says Prudhomme.

In addition, higher privileges allow the attacker to

#1 create their own accounts

#2 take other measures to use as additional persistence mechanisms

All to provide redundancy for the access that they just purchased.

In conjunction with a form of remote access, domain administrator credentials are a common ingredient of these sales. In other words, “some forms of remote access for sale may also come with their own elevated privileges.”

The study by IntSights is a quantitative and qualitative analysis of their customers from September 2019 to May 2021. To clarify, a sample of 46 sales of network access on underground forums covered in alerts provided to IntSights customers over the 18-month period.

Meanwhile the study uncovered the trend of concentrated attacks by vendor-specific hackers, as seven individuals accounted for more than half of the access points for sale.

Furthermore, out of the 46 network access samples of sales, 40 named the location of victim organisations and almost 40% were located in the US or Canada.

Most victims were in the telecommunications industry, 10 of the 46 victims. Second place was tied across 3 industries financial services, healthcare and pharmaceuticals, and energy.

On the other hand, retail and hospitality victims had the second-most expensive offering in this sample, with a huge $66,000 USD worth of Bitcoin at the time. And this was for access into an organisation that supports hundreds of retail and hospitality businesses, says Prudhomme.

The victim who supported hundreds of retails and hospitality business, was a third-party operator of customer loyalty and rewards programs.

The seller was able to focus on the various ways the buyer could monetize the access to this third-party operator. These included:

  • review and manipulation of source code.
  • access to the accounts and points of loyalty program members.
  • spam and phishing attacks, including ransomware campaigns against loyalty program members via legitimate communication channels.

Cybercriminals love airline frequent flyer programs and customer loyalty programs because they often have a widespread “lack of anti-fraud measures” in place.

IntSights researchers note that most prices stay around the $3,000, even if the average is $9,640.

While 10 amounts were above $10,000 and predominantly for access to telecommunications or technology companies. $95,000 was the largest asking amount for access to a large Asian telecommunications company with a $1 billion dollar turn over. On the other hand, many prices were in the hundreds, the lowest price was $240 for a Colombian healthcare company.

To close off or minimise potential threats, researchers are pleading with organisations to patch systems, enable MFA and update their security measures regularly.

Most importantly, with the network access up for sale there could be some time delay. Just enough time hopefully for the security teams to detect a breach and stop the potential harm. In other words, before a buyer can steal the organisations data for instance and demand the ransom.

A sale on the dark web varies, it typically takes weeks but can happen within hours. And if the security team spots an intruder who hasn’t yet monetised it e.g., by exfiltrating profitable files or deploying ransomware, chances are the initial intruder is still waiting for a buyer especially if there’s been an extended amount of time.

Sadly, we’re fighting a cartel of cybercriminals, who have the sole purpose to steal from and exploit businesses. Safeguard your business, today!

Want insights like this in your mailbox? Join our monthly mailing list

How can we make your business better with IT?