What are Initial Access Broker Markets?
Initial access brokers are malicious actors that specialize in breaching corporate networks and then selling that access to cyberattackers in Dark Web markets. Initial access brokers have been around for more than a decade. Initial access brokers initially sold access to cyberattackers with various goals such as stealing intellectual property, cyberespionage, botnets, spamming, financial fraud, stealing credit card numbers, destroying data, and more. Recently, ransomware has become a popular goal for cyberattackers, as the cost for access is often insignificant when compared with the size of the potential ransom that could be gained from the victims. Smaller businesses often think that their small organization would not be the target of this sophisticated form of cyberattack, believing they would be interested in higher value targets. This is simply not true, as the access costs can be so low that businesses of any size can be attractive targets for cyberattacks. Further, purchasing access means that the cyberattackers do not even need to be especially skilled, since the initial access broker already did the work of discovering an exploitable vulnerability up front.
Initial access brokers sell the following kinds of access:
Active Directory credentials. Domain administrator access provides access to the Active Directory, making it possible for cyberattackers to distribute malware network-wide.
Control panels. Control panels provide access to web hosting content, which may include credit card details.
Web shell. A web shell is a piece of malicious software in a web server. Initial access brokers may set up web shells on compromised web servers and then sell access to them.
RDP. Remote Desktop Protocol allows users to access desktop computers remotely. Access only requires a login and password, which is what initial access brokers will sell.
VPN. Virtual Private Networks allow remote workers to connect to the corporate network. Unless there are other authentication methods employed, only a login and password is required, which is what initial access brokers will sell.
Five trends in initial access brokers markets include1:
- Pricing models. The average price for network access during July 2020-June 2021 was $5400, while the median price was $1000. Some initial access brokers stick to fixed prices, while some work for a percentage. Pricing models are mainly dependent on the revenue and size of the company, with offers for small firms as low as $100-$200.
- Diversification. Initial access brokers offer access through RDP, VPN, VMware, and software.
- Taking deals offline. Once initial access brokers have established themselves, they move parts of their dealings to private correspondence with middlemen, to avoid detection.
- Professional ethics. Some ransomware organizations are forbidding their affiliates from attacking certain sectors such as healthcare, government, education, and non-profit.
- Double-dipping. Some initial access brokers will use accesses themselves before selling them in Dark Web markets.
1 Kivilevich, 2021, “All Access Pass: Five Trends with Initial Access Brokers”