Initial Access Brokers and Blocking the Continued March of Ransomware


As the cybercrime landscape continues to flourish, so does the complex supply chain that keeps the underground economy in such rude health. In many ways, it is now as sophisticated as anything you’ll see in legitimate industries. When it comes to ransomware, initial access brokers (IABs) have risen to become one of the most important links in this chain. 

Outsourcing the time-consuming work of achieving network access enables ransomware-as-a-service (RaaS) affiliates to focus on lateral movement, data theft, ransomware payload deployment and extortion.

How Do They Do It?

According to the latest Recorded Future intelligence report, IABs use several tactics, techniques and procedures (TTPs) to gain initial access to targeted networks. Infostealer malware is very popular.

Criminals can use tools such as RedLine, FickerStealer or AZORult directly to obtain valid credential pairs and session cookies. Alternatively, they can purchase infostealer logs or bots on the dark web for resale. The tools are usually distributed through spam campaigns or phishing, although they can also spread via malicious Google ads and pop-ups. 

The recent incident with Cisco should be a timely reminder of how important it is to manage passwords across the whole lifecycle of your employees and contractors, from onboarding to offboarding.

Credential stuffing is another popular option for initial access, whereby automated scripts are used to try breached credentials across numerous sites, apps and accounts simultaneously to see if any have been reused. The most common credentials used by IABs are for virtual private networks (VPNs), RDP services, Citrix gateways, web applications and content management systems (CMS), and corporate webmail servers.
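Credential stuffing leaves a recognisable trace in authentication logs: one source address attempting many distinct accounts in a short window, with a high failure rate and the occasional success where a password was reused. The following detector is an added example written for this article, not code from Recorded Future or Infosecurity Magazine; the log format, thresholds and sample lines are all constructed for illustration.

```python
"""Detect credential-stuffing patterns in authentication logs.

Flags a source IP that, within a sliding window, attempts logins for many
distinct accounts with a high failure rate: the signature of an automated
script replaying breached credential pairs against a VPN, RDP gateway,
webmail or web application. Accounts that succeeded inside such a window
are reported so they can be reset and checked for MFA.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical key=value format).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z service=vpn src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:02Z service=vpn src=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:02Z service=vpn src=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:03Z service=vpn src=203.0.113.5 user=dave result=FAIL
2024-05-01T10:00:03Z service=vpn src=203.0.113.5 user=erin result=OK
2024-05-01T10:00:04Z service=vpn src=203.0.113.5 user=frank result=FAIL
2024-05-01T10:00:10Z service=vpn src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:00:40Z service=vpn src=198.51.100.7 user=alice result=OK
2024-05-01T10:30:00Z service=webmail src=192.0.2.9 user=grace result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) service=(?P<service>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.7):
    """Return {src_ip: finding} for sources whose behaviour looks like stuffing.

    For each source the events are scanned with a sliding time window; the
    window with the most distinct usernames that also exceeds the failure
    ratio is reported. A single user failing repeatedly (a forgotten
    password) does not trigger, because distinct accounts are what count.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if e["result"] == "FAIL")
            ratio = fails / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                if src not in findings or len(users) > findings[src]["distinct_users"]:
                    findings[src] = {
                        "distinct_users": len(users),
                        "fail_ratio": round(ratio, 2),
                        # accounts that logged in successfully during the spray: reset these first
                        "succeeded": sorted(e["user"] for e in win if e["result"] == "OK"),
                    }
    return findings


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_stuffing(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for src, finding in run_sample().items():
        print(f"{src}: {finding}")
```

Only 203.0.113.5 is flagged here: six accounts in three seconds with five failures. The second address fails once and then succeeds for the same user, which is ordinary behaviour, and the thresholds are deliberately parameters because the right values depend on the size of the user base and on whether the service sits behind a rate limiter.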

Saving Time and Money

IABs are easily found on top-tier Russian-language forums like Exploit, XSS and RAMP, and on low- or mid-tier English-language sites. They typically operate in multiple languages and under several online pseudonyms to avoid detection. Many ransomware actors use these channels to buy network access. IAB advertising on underground forums lists the details affiliates need to select their next victim: victim country, annual revenue, industry, type of access, privilege level, data available for exfiltration, number of devices on the local network and pricing. Many such sites look more like popular e-commerce or auction sites than the shadowy cybercrime marketplaces outsiders might imagine. They feature user reviews, ratings and even time-limited auctions, complete with ‘buy now’ prices.

While many ransomware affiliates are happy to negotiate in ‘public’ with IABs advertising on these forums, others are thought to work directly and secretly with a pre-selected group of access brokers. Either way, the advantage of working with IABs is clearly speed. If affiliates buy compromised credentials directly from the dark web, they may find themselves searching through bulk data troves for the admin-level logins they need. With IABs, that hard work has already been done for them.

How to Fight Back

Fortunately, there are several things corporate cybersecurity teams can do to mitigate the threat, not only of initial info-stealing attacks but also the ransomware that follows. 

Monitoring for your employees’ credentials being offered for sale is a big win, as is watching data dumps in case ‘fresh’ credentials turn up. Ask your intelligence provider about infostealer malware sources and monitor your login URLs for mentions; knowing which accounts are associated with those URLs is hugely helpful, because it shows which users and/or employees are working from devices with infostealer malware installed. The sooner you can identify compromised accounts, the better.
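The matching described above, from infostealer records to a short list of accounts and devices, is straightforward to automate. The script below is an added example for this article, not code from Recorded Future or Infosecurity Magazine. It assumes a hypothetical feed of records carrying a login URL, a username, the infected host name and a harvest time (passwords are deliberately left out of the constructed records), and a watchlist of the organisation’s own login hostnames and email domain, both invented for illustration.

```python
"""Match exposed-credential records against an organisation's login URLs.

Intelligence providers deliver infostealer 'logs' as records of
(login URL, username, infected host, harvest time). Filtering them against
the login URLs the organisation owns turns a bulk feed into a short list of
accounts to reset and devices to isolate, with recent ('fresh') records
flagged for priority.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Watchlist: hostnames of the organisation's own login pages (hypothetical).
WATCHED_HOSTS = {"vpn.example.com", "mail.example.com", "portal.example.com"}
# Usernames in this email domain count as corporate accounts even when the
# login URL belongs to a third party (reused corporate identity).
WATCHED_EMAIL_DOMAINS = {"example.com"}

# Constructed sample feed; a real feed would also carry the password field.
SAMPLE_FEED = [
    {"url": "https://vpn.example.com/+CSCOE+/logon.html", "username": "alice",
     "host": "DESKTOP-A1B2", "seen": "2024-05-01T08:12:00Z"},
    {"url": "https://portal.example.com/login", "username": "bob@example.com",
     "host": "LAPTOP-C3D4", "seen": "2024-03-02T11:00:00Z"},
    {"url": "https://shop.unrelated.test/account", "username": "Alice@Example.com",
     "host": "DESKTOP-A1B2", "seen": "2024-05-01T08:13:00Z"},
    {"url": "https://streaming.unrelated.test/signin", "username": "carol",
     "host": "HOME-PC", "seen": "2024-05-02T09:00:00Z"},
    {"url": "http://mail.example.com/owa/", "username": "dave",
     "host": "LAPTOP-E5F6", "seen": "2024-05-03T22:40:00Z"},
]

# Fixed 'now' so the sample is reproducible (constructed).
NOW = datetime(2024, 5, 4)


def canonical_user(username):
    """Lower-case the name and drop a watched email domain: alice@example.com -> alice."""
    user = username.lower()
    if "@" in user:
        local, domain = user.rsplit("@", 1)
        if domain in WATCHED_EMAIL_DOMAINS:
            return local
    return user


def is_relevant(record):
    """True if the login URL is ours or the username carries our email domain."""
    host = (urlparse(record["url"]).hostname or "").lower()
    if host in WATCHED_HOSTS:
        return True
    user = record["username"].lower()
    return "@" in user and user.rsplit("@", 1)[1] in WATCHED_EMAIL_DOMAINS


def triage(feed, now, fresh_within=timedelta(days=30)):
    """Group relevant records by account and by infected host.

    Returns {"accounts": {user: {"fresh": bool, "hosts": set, "urls": set}},
             "hosts": {host: set of users}}.
    """
    accounts = {}
    hosts = defaultdict(set)
    for rec in feed:
        if not is_relevant(rec):
            continue
        seen = datetime.strptime(rec["seen"], "%Y-%m-%dT%H:%M:%SZ")
        user = canonical_user(rec["username"])
        entry = accounts.setdefault(user, {"fresh": False, "hosts": set(), "urls": set()})
        # one fresh sighting is enough to prioritise the account
        entry["fresh"] = entry["fresh"] or (now - seen <= fresh_within)
        entry["hosts"].add(rec["host"])
        entry["urls"].add(rec["url"])
        hosts[rec["host"]].add(user)
    return {"accounts": accounts, "hosts": dict(hosts)}


def run_sample():
    """Triage the constructed feed against the constructed watchlist."""
    return triage(SAMPLE_FEED, NOW)


if __name__ == "__main__":
    result = run_sample()
    for user, info in sorted(result["accounts"].items()):
        tag = "FRESH" if info["fresh"] else "stale"
        print(f"reset {user:8} [{tag}] seen on {sorted(info['hosts'])}")
    for host, users in sorted(result["hosts"].items()):
        print(f"isolate {host}: {sorted(users)}")
```

Two details matter in practice. Matching on the username’s email domain as well as on the URL catches the case where a corporate identity was reused on an unrelated site from the same infected machine, which is exactly the reuse credential stuffing exploits. Grouping by host, not just by account, turns a list of leaked logins into a list of devices to pull from the network, which is the action that actually stops the stealer from harvesting more.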

And, of course, your information security program should also play a big part. Good cyber-hygiene, including prompt, risk-based patching, endpoint monitoring, password management and web filtering, is just one set of best practices.

When it comes to ransomware, maintain offline backups of critical data, segment networks to contain an attack’s blast radius and apply two-factor authentication everywhere. Continuous monitoring and robust threat intelligence will also provide a useful early warning system. 

IABs have made ransomware attacks easier and more cost-effective for affiliate groups. But with the right defensive posture, organizations can regain the initiative and put enough roadblocks in the way that their adversaries give up and move on to the next target.
