How Can We Reduce Threats From the IABs Market?


Question: How do we keep initial access brokers from selling access to our networks to any ransomware actors who want it?

Ram Elboim, CEO, Sygnia: As ransomware continues to grow as a cyber threat, new specialization among cybercrime groups has given them an edge on efficiency. One of the fastest-growing areas of specialization involves operators that outsource the job of gaining access to victim networks to initial access brokers (IABs).

At the start of a ransomware attack, an attacker needs initial access to the targeted organization’s network, which is where IABs come in. IABs tend to be lower-tier, opportunistic threat actors that systematically obtain access to organizations — often via phishing or spam campaigns — and then sell that access on underground forums to other actors, including ransomware-as-a-service (RaaS) affiliates. Those affiliates, which constantly need more access to organizations to remain active, increasingly rely on IABs to provide that access.

Also known as access-as-a-service, the ready-made access offered by IABs has become an integral part of the ransomware ecosystem. IABs provide the initial information ransomware groups need for penetration so that operators can quickly target a wider array of victims, access their networks, and move laterally until they gain enough control to launch an attack. It’s an efficient model for perpetuating cybercrime, one that helps to fuel ransomware’s growth.

How IABs Gain Access

IABs generally provide the easiest route to gaining network access, most often via virtual private networks (VPNs) or Remote Desktop Protocol (RDP) technology. Threat actors can exploit some of the many VPN vulnerabilities that researchers have discovered in recent years, or they can scan a network for open RDP ports and follow up with various techniques to obtain login information.
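The RDP route described above, seen from the defender's side, as an added example that is not from the article: flag a source that fails many RDP logons (Windows Security event 4625, logon type 10) against several accounts in a short window, and note any later successful RDP logon (event 4624) from the same source. The event field names follow Windows Security log exports; the sample events and the thresholds are constructed assumptions.

```python
"""Flag RDP password guessing in constructed Windows Security event records.

Assumes events as dicts with EventID, LogonType, IpAddress, TargetUserName
and an ISO TimeCreated; LogonType 10 is RemoteInteractive (RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one host guessing many accounts, one ordinary user.
SAMPLE_EVENTS = [
    {"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.5",
     "TargetUserName": u, "TimeCreated": f"2024-05-01T02:00:{i:02d}"}
    for i, u in enumerate(["admin", "administrator", "backup", "svc_sql",
                           "jdoe", "helpdesk", "test", "guest", "scan", "it"])
] + [
    {"EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.7",
     "TargetUserName": "mmiller", "TimeCreated": "2024-05-01T02:00:30"},
    {"EventID": 4624, "LogonType": 10, "IpAddress": "198.51.100.7",
     "TargetUserName": "mmiller", "TimeCreated": "2024-05-01T02:00:45"},
    # A success right after the burst from the guessing host: strongest signal.
    {"EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.5",
     "TargetUserName": "svc_sql", "TimeCreated": "2024-05-01T02:01:10"},
]


def find_rdp_guessing(events, window=timedelta(minutes=10),
                      fail_threshold=5, user_threshold=3):
    """Return {source_ip: finding} for sources with >= fail_threshold RDP
    failures inside `window`; a finding records distinct accounts tried,
    whether it looks like a spray, and accounts that later succeeded."""
    fails, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["LogonType"] != 10:          # only RDP (RemoteInteractive) logons
            continue
        ts = datetime.fromisoformat(e["TimeCreated"])
        bucket = fails if e["EventID"] == 4625 else successes
        bucket[e["IpAddress"]].append((ts, e["TargetUserName"]))
    findings = {}
    for ip, attempts in fails.items():
        attempts.sort()
        for i in range(len(attempts)):
            burst = [a for a in attempts[i:] if a[0] - attempts[i][0] <= window]
            if len(burst) >= fail_threshold:
                users = {u for _, u in burst}
                last = burst[-1][0]
                later_ok = sorted({u for t, u in successes[ip] if t >= last})
                findings[ip] = {"failures": len(burst), "accounts": len(users),
                                "spray": len(users) >= user_threshold,
                                "success_after_burst": later_ok}
                break
    return findings
```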

Overall, about two-thirds of the access types put up for sale on the Dark Web are RDP and VPN accounts that enable direct connections to victims’ networks, according to Group-IB’s “Hi-Tech Crime Report.” Citrix access, various Web panels (such as content management systems or cloud solutions), and Web shells on compromised servers are less common. Leaked email…

Source…