Ransomware Attackers Buy Network Access in Cyberattack Shortcut

Network access to various industries is being offered in underground forums at as little as $300 a pop – and researchers warn that ransomware groups like Maze and NetWalker could be buying in.

For prices between $300 and $10,000, ransomware groups have the opportunity to easily buy initial network access to already-compromised companies on underground forums. Researchers warn this opportunity gives groups like Maze or Sodinokibi the ability to more easily kickstart ransomware attacks across various industries.

The ability to purchase initial network access gives cybercriminals a quicker handle on infiltrating corporate and government networks, so that they can focus in on establishing persistence and moving laterally.

Threatpost Webinar Promo Retail Security

Click to Register!

“Network-access selling has progressed from a niche underground offering throughout 2017 to a central pillar of criminal underground activity in 2020,” said Thomas Willkan and Paul Mansfield, senior analysts with Accenture’s CTI Reconnaissance team, in a Monday post.

The salespeople behind this activity typically first develop an initial network vulnerability and infiltrate the victim network to gain complete corporate network access. Once that access is gained, the threat groups then sell it on dark web forums. The pricing depends on the size and revenue of the victim.

Network-access offerings are typically advertised on underground forums with victim industry info (such as banking or retail), the type of access for sale (VPN, Citrix or remote-desktop protocol, for instance), the number of the machines on the network, the country the victim operates in and more (such as the number of employees or revenue of the company).

In September, researchers tracked more than 25 persistent network-access sellers – with more entering the scene on a weekly basis. These sellers are operating on the same forums as actors associated with the ransomware gangs Maze, Lockbit, Avaddon, Exorcist, NetWalker, Sodinokibi and others, they said.

“Although it is difficult to prove that an advertised network access is linked to a specific ransomware attack, from analysis of threat-actor activity we assess with high confidence that some of the accesses are being purchased by ransomware groups and affiliates, thereby enabling potentially devastating ransomware attacks on corporate entities,” they said.

Upon closer inspection of these network access sellers, researchers noted that compromised RDP connections continue to be the most common attack vector – however, cybercriminals are increasingly offering up other vectors, including compromised Citrix and Pulse Secure VPN clients.

“We assess that network-access sellers are taking advantage of remote working tools as more of the workforce works from home as a result of the COVID-19 pandemic,” said researchers.

Another trend is that network-access sellers are starting to use zero-day exploits and sell the network access itself, as opposed to selling the zero-day exploit on its own. One threat actor named Frankknox, for instance, started by advertising for a zero-day targeting a popular mail server for $250,000 – however, he later killed that sale and started exploiting the zero-day himself, and went on to offer corporate network access to 36 companies instead. This network access has been marketed for between $2,000 up to $20,000 – and the threat group claimed to have sold access to at least 11 organizations.

Companies can protect themselves from network compromise and ransomware attacks by setting up monitoring capabilities, regularly backing up their data and employing best practices for using RDP, said researchers.

“We assess with high confidence that the relationship between initial access broker and ransomware group will continue to thrive in 2020 and beyond, earning the threat actors behind it huge profits,” they said. “This symbiotic relationship facilitates continuous targeting of government and corporate entities and streamlines the network compromise process, allowing cyber criminals to act quicker and more efficiently.”

On October 14 at 2 PM ET Get the latest information on the rising threats to retail e-commerce security and how to stop them. Register today for this FREE Threatpost webinar, “Retail Security: Magecart and the Rise of e-Commerce Threats.” Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this LIVE webinar.

Suggested articles