Initial Access Brokers: Who Are They?
It’s not often that we get to peer deeply into the structure and organization of cybercrime, gaining insights beyond the superficial damage we witness. Our daily news feeds often include reports about hospitals being compromised, public transit systems disrupted, and power companies shutting down. But who is behind these attacks? How do they penetrate even the most securely configured networks? What are their objectives? The answers to these critical questions begin with initial access brokers. They represent the starting point in a sequence of events that have severely impacted numerous organizations.
What Is an Initial Access Broker? A Definition
An initial access broker is a threat actor that profits by selling access to compromised networks, most often in the form of stolen credentials or working VPN and RDP logins. In the past, a single threat actor was responsible for every stage of an attack: they established the foothold on a remote network, and they were also the ones who exploited it for financial gain. Today's cybercriminal ecosystem has become specialized, with each actor serving a distinct role. Initial access brokers are the first link in this chain. Once they have gained access to a network, they sell it to ransomware groups and their affiliates, who exploit it further through ransomware attacks and extortion. Their role is that of intermediaries who facilitate the dark trade in unauthorized network access.
How Do Initial Access Brokers Gain Entry?
Initial access brokers can be likened to stealthy criminals who methodically check door after door, searching for those left ajar or those with faulty locks. In the digital parallel, initial access brokers (IABs) probe a countless number of online targets using specialized tools, relying on their knowledge of known vulnerabilities and weak configurations to find possible victims. Once they have breached a network, they compile lists of compromised organizations to peddle on the dark web. In essence, our usernames and passwords become their prime commodities. Following are the most prevalent techniques initial access brokers employ to gain access.
Weak and Reused Passwords:
A seemingly innocuous habit, reusing passwords can have dire consequences. We may think that we have developed a firm understanding of why complex and unique passwords are important, but a recent report by NordPass showed that the No. 1 weak password was "password", used a total of 4,929,113 times, followed closely by "123456", used 1,523,537 times.
Once a comprehensive list of usernames and passwords has been compiled, tested, and found to be working, initial access brokers use it in credential stuffing and password spraying attacks. Credential stuffing is a programmatic attack in which username/password pairs leaked from one breach are replayed against thousands of other services, on the bet that the same person reused the combination elsewhere. Password spraying is its close cousin: a handful of common passwords such as those above are tried against many accounts, a few attempts per account, so that the activity stays under lockout thresholds. Neither is a true brute-force attack, which would hammer a single account with many guesses, and that is precisely why per-account lockout alone does not stop them.
Phishing:
We have all heard of phishing emails and spear phishing emails. This is where initial access brokers send fraudulent email designed to steal our email credentials. Crafted with precision, their phishing campaigns are almost indistinguishable from legitimate messages. A single click can grant them access to company email, where they can impersonate employees or collect information such as supplier names and domains to be used in further attacks.
Compromised VPN Accounts:
In our age of remote work, VPNs are an essential means by which organizations keep a dispersed workforce connected to corporate resources and networks. To an initial access broker, a compromised VPN profile is a discreet entrance into a company's inner sanctum. Often the weakness lies in the victim's process rather than in the VPN itself. For instance, in 2021, Colonial Pipeline was breached through a VPN account that was no longer in use but that had never been disabled, and that did not require multi-factor authentication.
Exposed RDP Servers:
Remote Desktop Protocol (RDP) is a Microsoft technology that allows users to log into a remote desktop environment on the employer's network. Many organizations have exposed these servers directly to the public Internet rather than placing them behind firewalls and VPNs. RDP servers, when left unguarded, are an extremely valuable foothold to sell on underground markets. RDP access is an especially valuable target because a single login yields both an interactive user session and a host inside the network at the same time. Cybercriminals are therefore willing to pay more for these compromised credentials than for ordinary email or web logins.
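The three entry paths above (spraying weak passwords across many accounts, logging into a dormant account that was never disabled, and reaching RDP from the open Internet) all leave traces in ordinary authentication logs. As an added example that is not code from the original article, the Python script below runs those three checks over a constructed sample of logon events. The simplified key=value log format, the account names, the IP addresses, the "vpn" logon label and the 90-day dormancy threshold are all assumptions made for the example; the event IDs 4624 and 4625 and logon type 10 (RemoteInteractive) follow their Windows meanings.

```python
"""Added example: detection checks for the IAB entry paths discussed above.
All log data and directory data below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log, loosely modelled on Windows events 4624 (success)
# and 4625 (failure). type=10 is the RDP (RemoteInteractive) logon type;
# "vpn" is a hypothetical label for logons through the VPN gateway.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z 4625 user=alice src=203.0.113.7 type=10
2024-03-01T08:00:02Z 4625 user=bob src=203.0.113.7 type=10
2024-03-01T08:00:03Z 4625 user=carol src=203.0.113.7 type=10
2024-03-01T08:00:04Z 4625 user=dave src=203.0.113.7 type=10
2024-03-01T08:00:05Z 4625 user=erin src=203.0.113.7 type=10
2024-03-01T08:00:06Z 4624 user=erin src=203.0.113.7 type=10
2024-03-01T08:05:00Z 4625 user=alice src=10.0.0.5 type=2
2024-03-01T08:05:10Z 4624 user=alice src=10.0.0.5 type=2
2024-03-01T09:00:00Z 4624 user=contractor.old src=198.51.100.9 type=vpn
"""

# Constructed directory extract: last successful logon per *enabled* account
# before the sample window. contractor.old is the Colonial Pipeline pattern:
# unused for months, still enabled.
ACCOUNT_LAST_LOGON = {
    "alice": datetime(2024, 2, 28),
    "bob": datetime(2024, 2, 27),
    "carol": datetime(2024, 2, 27),
    "dave": datetime(2024, 2, 20),
    "erin": datetime(2024, 2, 29),
    "contractor.old": datetime(2023, 9, 1),
}
REPORT_DATE = datetime(2024, 3, 1)  # assumed "now" for the stale-account check

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_events(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "user": kv["user"],
            "src": ipaddress.ip_address(kv["src"]),
            "type": kv["type"],
        })
    return events


def detect_password_spraying(events, min_accounts=5, window=timedelta(minutes=10)):
    """Flag source IPs whose failures hit >= min_accounts distinct accounts in a window.
    Spraying stays under per-account lockout, so count accounts per source,
    not failures per account. Returns {source_ip: [accounts]}."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            failures[e["src"]].append(e)
    flagged = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["time"] - first["time"] <= window}
            if len(users) >= min_accounts:
                flagged[str(src)] = sorted(users)
                break
    return flagged


def detect_dormant_account_logins(events, last_logon, dormant_days=90):
    """Flag successful logons to accounts idle for dormant_days or more (or never seen)."""
    hits = []
    for e in events:
        if e["event_id"] != 4624:
            continue
        prev = last_logon.get(e["user"])
        if prev is None or e["time"] - prev >= timedelta(days=dormant_days):
            hits.append((e["user"], str(e["src"])))
    return hits


def detect_external_rdp(events, internal_nets=INTERNAL_NETS):
    """Return source IPs of RDP (type 10) logon attempts, successful or not, that
    arrive from outside internal ranges: evidence that RDP is reachable from the
    Internet instead of being gated behind the VPN."""
    def is_internal(ip):
        return any(ip in net for net in internal_nets)
    return sorted({str(e["src"]) for e in events
                   if e["type"] == "10" and not is_internal(e["src"])})


def list_stale_enabled_accounts(last_logon, now, dormant_days=90):
    """Preventive check: enabled accounts with no logon in dormant_days should be disabled."""
    return sorted(u for u, t in last_logon.items() if now - t >= timedelta(days=dormant_days))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("password spraying:", detect_password_spraying(evs))
    print("dormant account logins:", detect_dormant_account_logins(evs, ACCOUNT_LAST_LOGON))
    print("external RDP sources:", detect_external_rdp(evs))
    print("stale enabled accounts:", list_stale_enabled_accounts(ACCOUNT_LAST_LOGON, REPORT_DATE))
```

On the sample data, the first check attributes five distinct account failures in five seconds to 203.0.113.7, which a per-account lockout rule would never notice; the second flags the successful VPN logon by contractor.old after roughly six months of silence; the third shows that 203.0.113.7, a public address, was able to speak RDP at all; and the fourth would have found contractor.old before anyone logged in with it. In production the same logic applies to real 4624/4625 events or VPN gateway logs, with the thresholds tuned to the environment.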
Social Engineering:
Beyond the digital realm, initial access brokers are master manipulators, coaxing confidential information such as passwords, reset procedures and internal contact names out of employees with a blend of charm and deceit, over the phone as readily as over email.
The Broader Impact and Importance
Why is this important to know? Because the activity of these individuals and groups is increasing rapidly. An initial access broker report published in January 2023 found that the number of corporate network accesses offered for sale on underground forums had doubled.
The initial breach, while alarming, is just the tip of the iceberg. Once an initial access broker has secured access, they open the floodgates to a deluge of cyber threats, from data theft to crippling ransomware and extortion. The aftermath of their intrusion can be catastrophic. When the crippled target is a hospital, the results can even be fatal. How can the foregoing information be valuable to companies? Why should we care about these groups and their activity?
Diving deep into the underground world of initial access brokers isn’t just an academic exercise; it’s a strategic necessity. By demystifying the tactics and strategies of malicious actors, organizations can transition from a reactive stance to a proactive defense. It’s akin to studying the moves of a chess master; by anticipating their strategies, we can counteract them effectively. In the digital realm, this means continually updating our cybersecurity protocols, refining our intrusion detection systems, and always staying one step ahead. After all, in the high-stakes game of cyber defense, forewarned is indeed forearmed.
The financial toll of a cyber breach extends far beyond the immediate fallout. While the direct costs—like potential ransom payments or system restoration—can be staggering, the long-term financial implications are often even more profound. A breach can erode customer trust, leading to lost business and a tarnished brand reputation. Moreover, the aftermath often involves legal fees, potential regulatory fines, and the costs associated with damage control, such as public relations campaigns. Sadly, some organizations lack the strength to overcome these consequences and never really survive the event. This toll is measured in jobs lost and lives changed. By understanding the role of initial access brokers in the broader cybercrime landscape, businesses can better assess their financial risk and allocate resources to safeguard their most valuable assets.
Within the layers of IT security employed in an organization's network, employees serve two roles at once: they are the first line of defense and they are potential points of vulnerability. Initial access brokers are acutely aware of this, which is why they use tactics designed to exploit human error, from phishing emails to social engineering schemes. By studying the modus operandi of initial access brokers, organizations can tailor their employee training programs to address these specific threats. For instance, when should user access and credentials be reset, and what proof is required before a help desk resets a password or grants access? Empowering employees with the knowledge, tools, and procedures to recognize and thwart initial access broker tactics not only fortifies the organization's defenses, but also fosters a culture of cybersecurity awareness and vigilance.
Protecting Against Initial Access Brokers
We all recognize the value of the digital age that has grown up around us. Our personal information, our hard work, and our career prospects are now inextricably linked with technology. For threat actors like initial access brokers, this information is just another item to sell in an initial access broker market.
Knowledge is our best defense. By understanding the methods and patterns of initial access brokers, we can fortify our defenses and protect ourselves. Regular training sessions, stringent authentication controls such as multi-factor authentication on every VPN and RDP login, prompt disabling of unused accounts, and vigilant network monitoring are our weapons in this ongoing battle against the shadowy world of initial access brokers.