What is an initial access broker?
When people think of cyber criminals, they often conjure up an image of a lone individual sitting in front of a laptop in their mother’s dark-lit basement—but the reality of modern cybercrime is very different. It is big business, and just as with any industry, legal or not, we have seen the business evolve from the early days of lone threat actors carrying out end-to-end attacks to specialist threat actors offering particular stages of an attack as cybercrime-as-a-service.
A good example of this specialism is initial access brokers (IABs), who are cyber threat actors (CTAs) solely focused on gaining the initial access to a network or system and then brokering that access to the highest bidder. IAB tactics go well beyond traditional spam campaigns: they use a range of tools, techniques and social engineering to compromise identities and gain access to systems, often bypassing MFA and the other controls enterprises have come to rely on in the process.
Once the IAB has gained access to a system or network, they will use dark web market places and networks of cybercriminals to sell the access to the highest bidder. That could be a ransomware gang looking to make some quick money, or a more sophisticated attacker looking to harvest intellectual property or compromise a link in the supply chain in order to pivot to other organizations.
In this blog, we discuss how IABs are impacting cybercrime, why we are seeing this evolution, and how organizations can protect themselves against a more evolved cybercriminal.
How are initial access brokers changing the game when it comes to cybercrime?
Ransomware operations, including ransomware-as-a-service (RaaS) providers, are particularly benefitting from striking alliances with initial access brokers. IABs help ransomware operations operate more quickly and with higher impact by streamlining and reducing their workload at the beginning of the attack. By offloading the difficult work of finding targets and gaining access, ransomware groups and other threat actors can immediately procure access, begin encrypting files, and launch their attack on a much larger scale—all thanks to IABs.
What’s causing threat actors to shift into the IAB business?
There are a few reasons for cyber threat actors to shift into the initial access broker business. The two main ones are skillset and risk.
1. Skillset – The IAB model allows threat actors to optimize profits, while playing to their strengths.
As a threat actor, you want to play to your strengths. So, if you are good at gaining initial access to a corporate network and have invested in the infrastructure to do that, then it makes sense for you to just focus on that area. If you step outside of your expertise and attempt to also perform lateral movement or create ransomware payloads, then you are more likely to get detected and waste the access you were able to gain from phishing. By focusing your time and resources, you will be able to innovate. This is exactly what we have seen in the latest waves of MFA bypass techniques and token hijack attacks.
2. Risk – IABs get the profit without the risks of a later-stage attack
By selling the initial access on a cybercrime marketplace directly to other threat actors who specialize in, for example, ransomware, you reduce your risk. You can just focus on what you do best and allow your customers to take on the risks of getting detected in later attack stages. While the rewards might be lower than holding one high-profile organization to ransom, it provides a steady stream of reliable revenue and forms the basis for the cybercrime economy.
The marketplaces initial access brokers operate in have increasingly become a target for law enforcement. Recently, Genesis Market, one of the leading marketplaces for buying stolen accounts and access, was seized in ‘Operation Cookie Monster.’ This follows from a series of recent law enforcement efforts to take down Hydra Market, BreachForums, and the Hive ransomware group. While these are all positive steps, it doesn’t help prevent the brokers from simply selling their stolen access elsewhere.
What are the top network access paths IABs are selling?
While there are many options open to IABs, most often, they will gain and sell access to your network through the following access paths:
- Modern cloud and hybrid identities – Microsoft 365 or Single Sign On (SSO) accounts are a common target, allowing threat actors to access emails and company data directly through the cloud. These highly prized accounts may be used to access a range of on-prem and cloud resources due to trust relationships in IdP and SSO providers.
- Remote Desktop Protocol (RDP) – Cyber threat actors use scanning tools (like Shodan) to look for networks with RDP ports open to the internet, then employ brute force, credential stuffing, and other attack techniques to gain access to vulnerable RDP instances.
- Virtual Private Network (VPN) technology – IABs can exploit compromised identities or vulnerabilities in common VPN services to gain, and later sell, network access.
Should organizations be worried about IABs?
When looking at the identities and access that are on sale in the IAB marketplaces, you begin to understand the scale of the problem. It is no longer just compromised credentials from a data breach being sold, but also device fingerprints, browser cookies, and RDP or VPN access. These can be used to bypass common security controls by bringing the user directly into the network as a legitimate user, or by making the attacker appear to have the right geolocation, the right device, and to have already authenticated using multifactor authentication (MFA). Given the prevalence of SaaS applications, Single Sign On and the widespread use of Office 365, this means that access to enterprise data can often be gained without even having to execute code on a corporate laptop.
What are the top ways we can stop initial access brokers?
How do we prevent initial access brokers from gaining a foothold in our corporate networks and selling access to the highest bidder? Here are the top four strategies that can help you defend your network and foil an attacker’s business scheme.
1. Reduce the risk through least privilege
In the event that one of your user credentials is compromised, or if a user opens a phishing email on their device, you want to ensure they are running with the least privileges possible to do their job. Users with administrator rights or excessive access to systems make for prime targets because they allow initial access brokers to gain access to the ideal jumping off point for lateral movement, credentials theft, and elevation of privilege.
2. Use MFA—but not just any MFA
MFA can be a useful tool to guard against stolen credentials or credential stuffing attacks. However, MFA alone is not foolproof. MFA fatigue attacks involving push notifications and SIM jacking for SMS codes have laid bare the security weaknesses of basic MFA. Thus, Fast Identity Online (FIDO2) is becoming an increasingly necessary security control. Unlike push- or SMS-based MFA, FIDO2 uses local authentication and asymmetric public key cryptography to introduce decentralized authentication, improve security, and resist MFA fatigue and other attacks.
3. Give them access, not a VPN (or RDP)
In many cases, users don’t need VPN access or RDP, so remove these where possible and give users access to just the systems they need in a controlled and auditable way. In many breaches, attackers have exploited VPN access to flat networks or vulnerable public-facing RDP servers to gain a foothold and rapidly move around systems. This is especially important when dealing with third parties who might need access from personal or unmanaged devices.
4. Find out who is asleep on the job
Default, dormant, and orphaned accounts are often an initial access broker’s best friend. Such accounts provide a pre-provisioned identity that is ripe for the taking, and allow infiltrators to easily blend in.
Dormant accounts may hold elevated privilege, and may be machine accounts associated with a non-human identity. These accounts should, at a minimum, be discovered and brought under active management. Ideally, they should be cleaned up, because they more than likely represent risk with no business benefit.
One technique some threat actors apply is to look for dormant accounts not yet enrolled in MFA, then use credential stuffing and the self-enrolment MFA process to set up their own device. This gives them access to a valid account with MFA enabled, which may, in turn, allow them to access the VPN and other services.
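As an added example (not code from the post or from BeyondTrust), here is a small Python audit over a constructed account inventory that flags the accounts point 4 describes: dormant, non-human, not yet enrolled in MFA (and so exposed to the self-enrolment abuse above), or privileged. The CSV layout, the 90-day dormancy threshold, the audit date and the account names are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample inventory, not real data. One account per line:
# name, kind (user/service/default), privileged, mfa_enrolled, last_sign_in
INVENTORY = """\
alice,user,no,yes,2024-05-02
svc_backup,service,yes,no,2023-11-19
Administrator,default,yes,no,never
bob.contractor,user,no,no,2023-12-01
carol,user,yes,yes,2024-05-01
"""
AS_OF = datetime(2024, 5, 10)        # assumed audit date
DORMANT_AFTER = timedelta(days=90)   # assumed dormancy threshold

def parse_inventory(text):
    """Parse the CSV-style inventory; 'never' means the account has never signed in."""
    accounts = []
    for line in text.strip().splitlines():
        name, kind, priv, mfa, last = line.split(",")
        accounts.append({"name": name, "kind": kind, "privileged": priv == "yes",
                         "mfa": mfa == "yes", "last_sign_in": None if last == "never"
                         else datetime.strptime(last, "%Y-%m-%d")})
    return accounts

def classify(account, now):
    """Risk flags for one account, in the order point 4 discusses them."""
    flags = []
    last = account["last_sign_in"]
    dormant = last is None or now - last > DORMANT_AFTER
    if dormant:
        flags.append("dormant")
    if account["kind"] in ("service", "default"):
        flags.append("non-human")        # machine/default account: needs an owner
    if not account["mfa"]:
        # A dormant account with no MFA device is exactly the self-enrolment case
        flags.append("mfa-self-enrol-risk" if dormant else "mfa-unenrolled")
    if account["privileged"]:
        flags.append("privileged")
    return flags

def audit(text, now=AS_OF):
    """Map account name -> flags, omitting accounts with nothing to report."""
    flagged = ((a["name"], classify(a, now)) for a in parse_inventory(text))
    return {name: flags for name, flags in flagged if flags}

def priority(findings):
    """Accounts to disable or enrol first: self-enrol risk, or dormant and privileged."""
    return sorted(n for n, f in findings.items()
                  if "mfa-self-enrol-risk" in f or {"dormant", "privileged"} <= set(f))
```

Running `priority(audit(INVENTORY))` puts the never-used default administrator, the dormant contractor and the dormant backup service account at the top of the clean-up list; alice, active and enrolled, is not reported at all.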
IABs are a cause for concern—but the security fundamentals are no different
While initial access brokers represent a growing area of concern, the threats they pose are fundamentally no different from other attacks. The biggest concern for most organizations is not noticing that they have not only been compromised, but that access to their systems is also being auctioned off to the highest bidder.
To combat initial access brokers and other threats, it is important to not only proactively manage the identities, privileges, and access within your environment, but also to consider an Identity Threat Detection and Response (ITDR) approach. Privileged Access Management (PAM) reduces the risk of compromise and can mitigate an attacker’s ability to inflict damage. ITDR builds on this by further protecting your identities by combining threat intelligence, best practices, tools, and processes to detect, investigate, and respond to suspicious posture changes and activities as they happen.
James Maude, Director of Research
James Maude is the Director of Research at BeyondTrust’s Manchester, U.K., office. James has broad experience in security research, conducting in-depth analysis of malware and cyber threats to identify attack vectors and trends in the evolving security landscape. His background in forensic computing and active involvement in the security research community makes him an expert voice on cybersecurity. He regularly presents at international events and hosts webinars to discuss threats and defense strategies.