Criminal Market for Initial Access

The market for access to corporate networks has evolved for the past few years. It could be assessed as mature as early as the beginning of 2020. A factor that contributed to this level of development is an increase in ransomware attacks: members of ransomware partner programs often use offers available on the access-for-sale market.

Background

A decade ago, you could already buy access to individual users' computers on a dark web marketplace. Most lots went to fraudsters who engaged in carding, i.e. unauthorized use of bank cards without the owners' knowledge. They were followed by cybercriminals using ransomware against individual users. At some point, ransomware distributors acquired access to a corporate network, easily carried out an attack and received a ransom: this gave rise to a trend for using initial access in attacks on organizations.

The number of new ads for access on dark web forums increased with each quarter throughout the observed period. Most of these were ads for sale of access to corporate networks that have been breached. In 2020, we identified 707 new ads for sale of access. Compared with 2019, the number of new ads increased sevenfold. As many as 590 new offers were found in the first quarter of 2021 alone. The number of new ads seeking partners and hackers for hire also increased: it is safe to assume that this was due to the emergence of new ransomware partner programs and the expansion of existing groups that distribute this type of malware.

Another indication of interest in access is the number of users placing ads for buying access, selling access, or collaborating. The first quarter of 2021 saw the number of the users triple year on year.

About $600,000 worth of corporate network access is sold on the dark web on a quarterly basis. Although the number of available offers is increasing, the cumulative worth is changing only slightly, indicating that the average price per access is going down. Cheap access typically carries no access privileges, and it is usually offered by inexperienced cybercriminals who are afraid of following through with the attack. In general, the cost of access usually depends on:

• Number of computers to be exposed
• Account privileges
• Company size
• Corporate revenue and other financial indicators
• Industry

From 2017 until Q1 2020, the share of ads with a price below $1,000 for access to one company was 15%, and in the period between Q2 2020 and Q1 2021, it increased by 30 percentage points, reaching 45%. The share of expensive access lots priced above $5,000 almost halved in the same period. These changes may reflect mass entry into the market by novice cybercriminals.

Our forecast has been confirmed: cybercrime now offers a new job, "access miners", which attracts newcomers with the prospects of making a quick buck. Their main goal is to get initial access to a corporate network and then sell it on the dark web.

Can a company find out that someone has sold access to its network?

Credential compromise can be detected, for example, when the seller verifies access prior to sale, or when the buyer verifies access upon purchase. This requires configuring security, such as SIEM systems and network traffic analysis tools, to detect abnormal connections to the infrastructure.

Most companies who had access to their networks put up for sale by cybercriminals belonged to services (17%), manufacturing (14%), and research and education (12%). In the previous review period, the three most common sectors were manufacturing (16%), services (14%) and finance (11%). Research and educational institutions were the fourth most-targeted category, their share of access for sale being 9%. Note that the share of industrial companies and financial institutions, whose networks are typically more expensive to hack, decreased somewhat. This can be attributed to the fact that the access market is filled with low-skilled players who prefer easier victims.