English
  • Russian
  • Korean
  • Support
Positive Technologies
English
  • Russian
  • Korean
  • Solutions
    ICS/SCADA

    Critical infrastructure on the frontline

    Vulnerability Management

    Stop being an easy target

    Financial Services

    Can your security keep up with you?

    Protection from targeted attacks (anti-apt)

    Early detection, rapid investigation

    PT Industrial Cybersecurity Suite

    PT ICS is an integrated platform for cyberthreat detection and response in industrial systems

    Utilities

    Industrial-grade cybersecurity

    ERP Security

    Take control of your ERP security

    Security Compliance

    Turn policies into protection

    View all →
  • Products
    MaxPatrol 8

    Vulnerability and compliance management system.

    MaxPatrol SIEM

    Knows your infrastructure, delivers pinpoint detection.

    PT Application Firewall

    Intelligent protection of business applications.

    PT Application Inspector

    Source code analysis tool.

    PT ISIM

    Cyberthreat detection and incident response in ICS.

    PT Network Attack Discovery

    NDR system to detect attacks on the perimeter and inside the network.

    PT Sandbox

    Advanced sandbox with customizable virtual environments

    XSpider

    Vulnerability scanner.

    MaxPatrol VM

    Next-generation vulnerability management system.

    MaxPatrol SIEM All-in-One

    Full-featured SIEM for mid-sized IT infrastructures.

    PT MultiScanner

    Multilayered protection against malware attacks.

    PT BlackBox

    Dynamic application security testing tool

    View all →
  • Services
    ICS/SCADA Security Assessment

    Full Range of ICS-specific Security Services

    ATM Security Assessments

    Uncover Your Weaknesses

    Web Application Security Services

    Black Box and White Box Analysis

    Mobile Application Security Services

    Security Analysis and Compliance Audit

    Custom Application Security Services

    Independent Expert Analysis of Your Source Code

    Penetration Testing

    A Comprehensive Approach

    Forensic Investigation Services

    Prevent Future Incidents

    Advanced Border Control

    Upgrade Your View of Perimeter Security

    View all →
  • Analytics
    Threatscape
    PT ESC Threat Intelligence
    Cybersecurity glossary
    Knowledge base
    View all →
  • Partners
  • About
    Clients
    Press
    News
    Events
    Contacts
    Documents and Materials
    View all →
Menu
  • Home
  • Analytics
  • Access for sale

Access for sale

Published on May 20, 2020
  • Corporate infrastructure

Cyberattacks are growing in number every year—by 19 percent in 2019 alone 1. One of the main reasons is the low barrier to entry. The Internet's shadier side teems with illegal marketplaces for malware and services used to breach corporate networks. Low-skilled hackers have quickly learned how to put them to good (or rather, bad) use.

In this article, we will explain what "access for sale" and "ransomware partner program" mean, how dangerous these threats are, and the risks they pose for businesses.

Definition of access

"Access for sale" on the darkweb is a generic term, referring to software, exploits, credentials, or anything else that allows illicitly controlling one or more remote computers. Successfully hacking a website, web server, database, or workstation means that the attacker has access. This access can be transferred or sold to third parties, just like house keys. But for our purposes here, we will only cover access to servers and workstations.

Growing market

Only one or two years back, criminals seemed to be more interested in individual servers. Access to them was sold on the darkweb for up to $20 a pop.

Figure 1. Sale of ransomware access to remote PCs
Figure 1. Sale of ransomware access to remote PCs

However, starting in the second half of 2019, we have seen an increasing number of postings on hacker marketplaces 2 advertising access to local corporate networks.

Figure 2. New threads on darkweb forums discussing access to corporate networks
Figure 2. New threads on darkweb forums discussing access to corporate networks

Some buyers offer lucrative terms and an ongoing relationship. For example, they may pay out a commission of up to 30 percent of the potential profit for a hack of the infrastructure of a company with annual income exceeding $500 million.

Figure 3. Purchase of access to corporate networks (posting in Russian)
Figure 3. Purchase of access to corporate networks (posting in Russian)

Demand creates supply. At the end of 2019, over 50 accesses to the networks of major companies from all over the world were publicly available for sale. Among the victims were some rather large companies, with annual income running into the hundreds of millions or even billions of dollars.

Figure 4. Hacked companies by industry
Figure 4. Hacked companies by industry
Figure 5. Geographic location of hacked companies
Figure 5. Geographic location of hacked companies

In the U.S., criminals mostly sell access to service sector companies (20%), industrial companies (18%), and government institutions (14%). In Italy, the order was reversed: industrial companies (25%) are followed by service sector companies (17%). In the United Kingdom, the service sector accounts for 33 percent, science and education for 25 percent, and finance for 17 percent. Government institutions (20%) and healthcare (10%) lead in Brazil. In Germany, IT and services each account for 29 percent of accesses for sale. In number six position is Australia, for which most offers involve access to government or science and education. However, by their nature these statistics give a limited picture: in 17 percent of cases, the sellers do not indicate any country in their posts. Many sellers may not advertise their wares at all.

In general, the asking price is in the range of $500 to $100,000. The average cost of privileged access to a single local network is on the order of $5,000.

Figure 6. Access can cost as much as $100,000 (posting in Russian)
Figure 6. Access can cost as much as $100,000 (posting in Russian)
Figure 7. Selling network access on the darkweb
Figure 7. Selling network access on the darkweb

In the past, middling hackers had a hard time monetizing attacks: they did not have the skills to pursue an attack to the point of obtaining a payoff or valuable data. But with the current market demand, they can make a steady income by selling to other criminals.

Buyers can then develop an attack on business systems or hire a team of more skilled hackers who can quickly obtain domain administrator privileges and infect critical servers with malware.

Figure 8. Advertising domain administrator rights on a government network
Figure 8. Advertising domain administrator rights on a government network

The first ones to use this scheme were ransomware operators, who bought access for a fixed price from one set of criminals and then hired other criminals to infect local networks with malware in return for a large percentage of the victim's ransom. On darkweb forums, this setup is known as a "ransomware affiliate program."

Figure 9. Hiring hackers for post-exploitation (posting in Russian)
Figure 9. Hiring hackers for post-exploitation (posting in Russian)

Consequences for companies

Large companies stand to become a source of easy money for low-skilled hackers. External attacks on corporate infrastructures will increase significantly. This issue is especially acute now that so many employees are working from home. Hackers will look for any and all security lapses on the network perimeter, such as an unprotected web application, non-updated software, or incorrectly configured server with a weak administrator password. The larger the hacked company is, and the higher the obtained privileges, the more profitable the attack becomes.

Small and medium-sized companies are commonly believed to be at greater risk from script kiddies 3 due to smaller investments in network security. Being able to spend more, large companies should be better protected. But penetration tests by our experts prove that even the largest companies are vulnerable. Our testers find easy ways to penetrate local networks that do not require particular skill on the part of potential attackers. All the same, small and medium-sized companies have less money available to put into security and, therefore, are at even greater risk.

Companies should ensure comprehensive infrastructure protection, both on the network perimeter and within the local network. Make sure that all services on the perimeter are protected and security events on the local network are properly monitored to detect intruders in time. Regular retrospective analysis of security events allows discovering previously undetected attacks and addressing threats before criminals can steal data or disrupt business processes.

  • ptsecurity.com/ww-en/analytics/cybersecurity-threatscape-2019/
  • We analyzed postings on 190 darkweb sites about purchase or sale of malicious tools, as well as custom malware development. We focused on forums, specialized marketplaces, and chat platforms with predominantly Russian- and English-speaking users. On average, over 70 million people visit them each month.
  • Those who use other people's software to attack computer systems and networks or deface websites. The prototypical script kiddie is a teenager, unable to write their own complex programs or exploits, who seeks to impress friends or fellow computer enthusiasts. Age is not the defining feature, however.
Download PDF
Related articles
  • November 18, 2022 Cybercriminal market in Telegram
  • May 26, 2017 Corporate information system penetration testing: attack scenarios
  • August 3, 2022 Bootkits: evolution and detection methods
Share:
Link copied
Related articles
August 12, 2020

External pentests results – 2020

August 4, 2017

Security trends & vulnerabilities review: corporate information systems

July 28, 2021

Criminal Market for Initial Access

All articles
Solutions
  • ICS/SCADA
  • Vulnerability Management
  • Financial Services
  • Protection from targeted attacks (anti-apt)
  • PT Industrial Cybersecurity Suite
  • Utilities
  • ERP Security
  • Security Compliance
Products
  • MaxPatrol 8
  • MaxPatrol SIEM
  • PT Application Firewall
  • PT Application Inspector
  • PT ISIM
  • PT Network Attack Discovery
  • PT Sandbox
  • XSpider
  • MaxPatrol VM
  • MaxPatrol SIEM All-in-One
  • PT MultiScanner
  • PT BlackBox
Services
  • ICS/SCADA Security Assessment
  • ATM Security Assessments
  • Web Application Security Services
  • Mobile Application Security Services
  • Custom Application Security Services
  • Penetration Testing
  • Forensic Investigation Services
  • Advanced Border Control
Analytics
  • Threatscape
  • PT ESC Threat Intelligence
  • Cybersecurity glossary
  • Knowledge base
Partners
About
  • Clients
  • Press
  • News
  • Events
  • Contacts
  • Documents and Materials
Positive Technologies
Copyright © 2002—2023 Positive Technologies. All Rights Reserved.
Find us:
  • Report a vulnerability
  • Help Portal
  • Terms of Use
  • Privacy Notice
  • Cookie Notice
  • Positive Coordinated Vulnerability Disclosure Policy
  • Sitemap
Copyright © 2002—2023 Positive Technologies. All Rights Reserved.
  • Report a vulnerability
  • Help Portal
  • Terms of Use
  • Privacy Notice
  • Cookie Notice
  • Positive Coordinated Vulnerability Disclosure Policy
  • Sitemap