Blog WatchGuard

Five cybercriminal entities sell access to 2,300 corporate networks

No successful cyberattack happens without prior access to the target company's network. Initial access brokers (IABs) are the malicious actors who perform this first step, and they are making it easier than ever to get into enterprise networks.

A recent news report stated that just five cybercriminal operators accounted for around 25% of all enterprise network access offers put up for sale on underground forums during the second half of 2021 and the first half of 2022. These initial access brokers sell details of stolen VPN and remote desktop protocol (RDP) accounts, along with other credentials, that criminals can use to break into the networks of more than 2,300 organizations worldwide with little effort. The average price for initial access is around $2,800.

It is important to note that these five operators lead a much larger and rapidly growing market.

How does the underground access market work?

IABs obtain access to systems by stealing network credentials through social engineering tactics such as phishing, by exploiting unpatched software vulnerabilities, by installing malware locally after physically entering an organization's premises through tailgating, or through brute-force and password-spraying attacks. They typically offer one of the following types of access:

  • Active Directory (AD)
  • Virtual Private Networks (VPNs)
  • Root user credentials
  • Web Shell Access
  • Remote Monitoring and Management (RMM)
  • Remote Desktop Protocol (RDP)
  • Control panels

The cost of this access service varies, depending mostly on the type of organization targeted. Factors that influence the pricing range from the industry the enterprise operates in to its size, number of employees, and annual revenue. The organization's level of vulnerability is also taken into account, since it reflects the time and resources the IAB had to invest to obtain initial access, as is the type of access being sold.

According to the Dark Reading article, 70% of the access types listed by the IABs consisted of details of RDP and VPN accounts, and 47% of the offers involved access with administrator rights on the compromised network. Among the ads that specified which type of rights had been obtained, 28% involved domain admin rights, 23% standard user rights, and a small fraction provided access to root accounts.

In the underground forums where IABs sell access to enterprise networks, the posted listings are usually detailed and give potential buyers information about the victim, the method used to gain access, what that access can offer an interested cybercriminal, and much more.

How to avoid becoming a victim of the access-as-a-service market?

Protecting against these cybercriminals-as-a-service operators requires consolidated security capable of shielding the organization's network and patching any holes it may have. Two solutions are essential in this process: multi-factor authentication (MFA) and endpoint protection.

Multi-factor authentication (MFA)

Attackers actively seek out systems that rely on the traditional form of authentication, username and password, a method that on its own provides no real protection today. Multi-factor authentication must be enforced to mitigate this weakness: if access to a network requires an additional form of authentication, stolen user credentials lose their value.

It is important to introduce this layer of protection for remote access to the network, VPN connections, email, and administrative access.

WatchGuard's multi-factor authentication solution, in addition to letting users authenticate directly from their own phone, adds further protection through mobile device DNA, which verifies that the authorization is coming from the authorized user's phone.

Endpoint protection

RDP protection, included in the Threat Hunting Service integrated into the WatchGuard EPDR solution, prevents hackers from stealing credentials on RDP servers by detecting brute-force attacks and blocking communications from the external hosts involved in them. The best defense is to stop the attack at an early stage, which is why we recommend keeping RDP protection enabled at all times.
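As an added illustration of the brute-force and password-spraying detection described here and in the section on how IABs obtain access, the following example (not WatchGuard's own code) runs a sliding-window check over constructed records shaped like Windows failed-logon events; the addresses, account names and thresholds are assumptions for the demonstration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed records modelled on Windows Security event 4625 (failed logon):
# (timestamp, target account, source address, logon type); type 10 = RDP.
FAILED_LOGONS = [
    ("2022-06-01T09:00:01", "administrator", "203.0.113.7", 10),
    ("2022-06-01T09:00:04", "administrator", "203.0.113.7", 10),
    ("2022-06-01T09:00:09", "administrator", "203.0.113.7", 10),
    ("2022-06-01T09:00:15", "administrator", "203.0.113.7", 10),
    ("2022-06-01T09:00:22", "administrator", "203.0.113.7", 10),
    ("2022-06-01T09:10:00", "jsmith", "198.51.100.23", 10),
    ("2022-06-01T09:10:20", "mlee", "198.51.100.23", 10),
    ("2022-06-01T09:10:41", "rpatel", "198.51.100.23", 10),
    ("2022-06-01T09:11:03", "svc_backup", "198.51.100.23", 10),
    ("2022-06-01T09:11:25", "tgarcia", "198.51.100.23", 10),
    ("2022-06-01T09:30:00", "mlee", "192.0.2.10", 10),  # a user mistyping once
    ("2022-06-01T09:40:00", "jsmith", "127.0.0.1", 2),  # console logon, not RDP
]

def _window_peaks(events, window):
    """For one source: hottest account, its failures, and most distinct accounts in any `window`."""
    events.sort()
    seen, j = Counter(), 0
    top_acct, top_fail, max_distinct = None, 0, 0
    for t, acct in events:
        seen[acct] += 1
        while t - events[j][0] > window:    # slide the window forward
            seen[events[j][1]] -= 1
            j += 1
        hot, n = seen.most_common(1)[0]
        if n > top_fail:
            top_acct, top_fail = hot, n
        max_distinct = max(max_distinct, len(+seen))  # +seen drops zero counts
    return top_acct, top_fail, max_distinct

def detect_rdp_attacks(records, window=timedelta(minutes=5), threshold=5):
    """Brute force: one source hammers one account. Spray: one source tries many accounts."""
    per_ip = defaultdict(list)
    for ts, acct, ip, logon_type in records:
        if logon_type == 10:                # ignore non-RDP failures
            per_ip[ip].append((datetime.fromisoformat(ts), acct))
    alerts = []
    for ip, evs in per_ip.items():
        acct, fails, distinct = _window_peaks(evs, window)
        if fails >= threshold:
            alerts.append(("brute_force", ip, acct, fails))
        if distinct >= threshold:
            alerts.append(("password_spray", ip, None, distinct))
    return alerts
```

The two patterns need separate rules because a spray keeps per-account failures below lockout thresholds, so a per-account counter alone would miss it.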

Continuous endpoint monitoring blocks the execution of unknown processes and enables behavioral analysis that can expose intruders who have already gained access, protecting against advanced persistent threats (APTs), zero-day malware, ransomware, phishing, rootkits, memory vulnerabilities and non-malware attacks.

WatchGuard EPDR not only combines endpoint protection (EPP) with detection and response (EDR), but also provides a vulnerability management module that discovers and deploys the patches needed to protect the organization. This matters a great deal, as unpatched vulnerabilities are among the most common entry points used by criminals.

WatchGuard EPDR also includes anti-exploit technology that protects against credential theft and prevents lateral movement by hackers using stolen credentials, making it an ideal complement to patch management.

In our blog "Why endpoint security and MFA should always go hand in hand" we outline further reasons why these solutions should be used in tandem to protect enterprises against advanced threats.