WatchGuard Blog

The black market for credentials, more active than ever

There are tens of thousands of clandestine pages and forums on the dark web that are not indexed by search engines, so they remain hidden unless the user knows the address in advance. These include discussion forums where techniques and tools for launching cyberattacks are shared, but these sites also serve as a black market for buying and selling illicitly obtained data. All these black-market transactions are carried out using cryptocurrencies and other methods that are difficult for the authorities to trace.

IABs and RaaS  

Increasingly, these sites are being used for ransomware campaigns in which cybercriminals can spend a few dollars on tools or buy full credentials and, if successful, extort a ransom of hundreds of thousands. Two leading "actors" are involved in these markets:

  • Initial Access Brokers (IABs): individuals or groups that manage to obtain data such as access credentials to corporate networks, which are a highly valuable commodity.
  • Ransomware operators: the buyers of these credentials, who will then execute the malicious campaign using this data, or, as is becoming increasingly common, offer their services as a ransomware-as-a-service (RaaS) group to hackers who then carry out the attack.

Three-fold increase 

A few weeks ago, a group of cybersecurity analysts published a report in which they analyzed hundreds of these dark web forums and found that the number of corporate network access credentials for sale has risen from 362 in the previous analysis to 1,099, a three-fold increase in just one year.

The report notes that demand in this market has grown in line with the proliferation of ransomware cyberattacks. Many individuals and groups are being encouraged to enter the market by the success of campaigns in which so many organizations pay out million-dollar ransoms. The report also points to the rise of remote working due to the pandemic as a key cause of this increase. Many of the credentials for sale belong to VPN and RDP tools.

Remote Access Point (RAP) 

Our Internet Security Report Q3 2021 highlights this boom in ransomware and cyberattacks that take advantage of remote working tools. In this threat scenario, organizations are advised to deploy Remote Access Point (RAP) solutions that allow completely secure access to the organization's corporate networks.

Whether from a branch office or from home, employees are thus connected to a reliable Wi-Fi access point that is linked via an IPSec IKEv2 VPN to the central offices where the servers are hosted, which are in turn protected by a next-generation firewall device.

In addition, this allows the organization's IT teams to manage remote access to the corporate network easily and centrally and to maintain strict control over permissions and credentials. It also allows them to implement advanced multi-factor authentication (MFA) solutions to check and properly manage the identity of each user. This ensures corporate networks are much better protected against attempts by IABs to obtain credentials.