The Rise of Initial Access Brokers

Written by

An emerging trend in the underground economy is initial access brokerage, a flourishing market where opportunistic threat actors gain initial access to organizations (for example, via compromised VPN or RDP accounts) and sell or offer it as a service to other cyber-criminals in underground forums. Outsourcing the initial access to an external entity lets attackers focus on the execution phase of an attack without having to worry about how to find entry points into the victim’s network.

Several factors fuel the popularity of initial access brokers. Firstly, the direct consequence of the mass shift to remote work is an increase of exposed remote services, such as RDP and SSH. At the same time, organizations have accelerated the adoption of cloud applications without considering the security implications. Business continuity has been prioritized over security in both cases, leading organizations to use internal services and make cloud applications available to remote users without basic security features such as multi-factor authentication. For example, a recent survey found that approximately 78% of M365 administrators do not implement multi-factor authentication. The scattering of the workforce has made remote users more vulnerable to phishing, including new forms such as OAuth phishing, and cloud accounts are now a coveted target for malicious actors.

Malicious actors have also had unexpected assistance from the perfect storm that hit every remote access technology - a dangerous trend that started at the end of 2019 and is continuing relentlessly: Fortinet (CVE-2018-13379, CVE-2019-5591, CVE-2020-12812, 

CVE-2019-5591), Pulse Secure (CVE-2019-11510, CVE-2020-8243, CVE-2020-8260, CVE-2021-22893), Citrix (CVE-2019-19781) and F5 (CVE-2021-22986, CVE-2021-22987, CVE-2021-22988, CVE-2021-22989 and CVE-2021-22990). These are just a few examples of critical vulnerabilities that have been exploited to implant ransomware or carry out cyber espionage operations. Aggravating the situation further, even systems directly exposed on the internet, such as Microsoft Exchange servers, have been impacted by severe vulnerabilities exploited by attackers.

"even systems directly exposed on the internet, such as Microsoft Exchange servers, have been impacted by severe vulnerabilities exploited by attackers"

The fact that the exploitation of traditional remote access technologies is reaching new records is confirmed by multiple reports. Nuspire’s Threat Landscape Report Q1 2021, a study sourced from 90 billion traffic logs during Q1 2021, looking at a range of events such as malware activity, botnet activity, exploitation activity and remote access, revealed that in Q1 2021 alone, the activity against Fortinet’s CVE-2018-13379 increased at a rate of 1,916.98%. And things aren’t any better for other technologies; for example, activity against Pulse Connect Secure’s CVE-2019-11510 peaked early in Q1 at a 1,527.87% rate from the beginning of the same quarter. Even the Colonial Pipeline ransomware attack involved exploiting a compromised VPN access.

Interestingly, the same report confirms the risks deriving from the exposure of misconfigured services. During Q1 2021, a significant number of attempts to perform SMB Login brute force attacks were detected, achieving a 14 million peak and representing 69.73% of all exploit attempts during Q1. SMB brute force is often used as a tactic because it is easy and automated. Attackers assume an organization has poor password management practices and isn’t using multi-factor authentication.

It goes without saying that exposing SMB directly on the internet is not ideal, but the situation is no better for RDP, a service that organizations tend to expose to allow the reachability of internal servers. Another study has added fuel to the fire, confirming that the exploitation of this service, when not adequately protected, is one of the preferred techniques to compromise an organization. According to Sophos’ Active Adversary Playbook 2021, RDP was involved in 90% of the attacks investigated and was exploited in about one in four cases (28%) for initial access and internal lateral movement. In 41% of cases, it was used exclusively for internal lateral movement.

Let’s consider that the same study estimated a dwell time (median time spent by the intruders in the target network before detection) of 11 days. It’s clear how protecting the initial access is vital to protecting the enterprise to limit the exposure of the unprotected services that attackers may exploit.

Unsurprisingly, the exploitation of RDP is one of the leitmotifs of the pandemic - a trend that materialized at the very beginning. For example, ESET detected nearly 29 billion RDP brute-force attacks during 2020, corresponding to a 768% YoY increase. An internet-facing misconfigured or vulnerable RDP server leaves organizations exposed to multiple risks, including ransomware. Leaving exposed services is a trend in public cloud workloads, as identified by Netskope.

Mitigating the Risk Factors that are Fuelling the Initial Access Black Market

Several countermeasures can be deployed to mitigate the risks posed by vulnerable remote access devices, misconfigured public services or even misconfigured cloud applications.

Zero trust access provides a cloud-delivered alternative to traditional VPNs and allows resources to be published securely and straightforwardly, preventing direct exposure of services like RDP, SMB or SSH (and in theory, any on-premise service). It is possible to publish and segment virtually any application located in a local data center as well as in a private or public cloud without opening any inbound service that can be probed and eventually exploited by threat actors. There is also no need for any on-prem hardware device to install, patch and maintain, which avoids scalability issues and performance bottlenecks. Finally, a check on the endpoint’s security posture is enforced before accessing the target application - a smarter and more secure way to provide remote connectivity in the “new normal.”

A CASB can detect compromised accounts and User and Entity Behaviour Anomalies on SaaS services, identifying rogue OAuth apps with excessive permissions used to carry out OAuth phishing attacks. Similarly, a CSPM (Cloud Security Posture Management) solution can detect similar misconfigurations on IaaS services, mitigating the risk of exploitation by threat actors.

What’s hot on Infosecurity Magazine?