Selling Access: The Rise of Initial Access Brokers
Adarma’s recent cyber threat report identified Initial Access Resale (IAR) as one of the top three threats facing UK businesses across all sectors.
“IAR must now be considered a priority threat to all Internet connected businesses. As some of the technical capabilities of Initial Access Brokers (IAB) are distinctive, intelligence collection and the mitigating controls must be managed to remain effective and ensure there are no gaps in control coverage.” – Alistair Thomson, Product Lead at Adarma
Over the past decade, IAR has become established as a key component of the “X-as-a-Service” criminal ecosystem by providing a quick and easy route for criminals to gain access to victims’ infrastructure. IABs, the so-called “locksmiths” of the cyber underground, act as intermediaries who do the leg work to break into a network and then sell on that corporate access to attackers.
From stolen VPN and Remote Desktop Protocol (RDP) account details to other sensitive credentials, IABs make it easy for cybercriminals to get their foot in the door and launch an attack without breaking a sweat. Often the IAB will drop a web shell, a shell-like interface that allows a web server to be controlled remotely, to guarantee continued access, and then sell that access on.
The recent growth spurt in the IAR market has been driven by a combination of elevated demand and an abundant supply of access. Much of this increased access can be attributed to the continued exploitation of infrastructure and services deployed during the pandemic.
Clearly, the IT security controls of many organisations are still catching up with the rapid tactical changes made during the Covid pandemic. Savvy to these weaknesses, IABs quickly adapted to exploit such vulnerabilities, most noticeably in the cloud where poorly defended Office365 and Google Workspace services provide rich pickings.
While IABs have a sordid array of customers, ransomware operators tend to be their best clients, and with ransomware continuing to grow, it is vital to gain an understanding of IAB attacker strategies and how to mitigate against them.
IABs adopt different strategies depending on their expertise, capabilities, and goals, so here are five of the most common attack strategies used by IABs today.
Top 5 IAB attacker strategies
The Mass Remote Code Execution (RCE) strategy – the attacker deploys an internet-wide attack to exploit an RCE vulnerability, compromising as many victims as possible in a short period of time. Following the initial exploit, the attacker establishes a stable remote access channel.
The Mass Bruteforce strategy – the attacker deploys a 24×7 internet-wide attack capability to exploit internet-exposed devices and services by bruteforcing their login panels.
The Mass Phishing strategy – the attacker runs an indiscriminate phishing campaign to trick victims into executing malware. Following the initial exploit, the attacker establishes a stable remote access channel.
The A la Carte Phishing strategy – the attacker runs a phishing campaign targeted at users of a specific enterprise cloud service. The aim is to capture credentials of as many victims as possible.
The Access to Order strategy – the attacker advertises “access to order” services on a dark market, then establishes access to victims based on the order book. The attacker adopts an APT-like approach, which may involve RCE, credential bruteforcing, targeted phishing or hybrid tactics, e.g. an insider threat or physical access. The price for this strategy is agreed upon before the attack begins.
How to protect against IAB attacks
Exposed assets are a major risk to a company’s security and should be configured appropriately. Ensuring only the essential assets are exposed and all security precautions are followed is key to minimising the attack surface available to actors. Having a proper patch procedure for your assets will mean your devices are kept up to date when a vendor pushes urgent security fixes for their products.
Since some vulnerabilities are first exploited as zero-days (unknown to everyone but whoever developed the vulnerability), vendors cannot release a patch at the moment the zero-day becomes known. It may take the vendor days or weeks to develop a fix, and this gap is when threat actors will be most active.
The best way to counter this is to ensure you have up-to-date detections running around the clock, so that your security team is alerted to any anomalous activity. Keeping accurate and appropriate logs will also help your security team hunt for and investigate suspicious activity.
Ensure that your authentication policy is current and effective, i.e. all passwords have a minimum length and complexity, the number of password attempts is limited, and two-factor authentication is enabled. Although this will not halt brute-force attacks completely, combining it with appropriate logging and login detection rules will help your security team stay alert.
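Login detection rules of the kind described above, as an added example that is not part of Adarma's post: two sliding-window rules run over constructed sshd-style log lines, one for repeated failures from a single source (the Mass Bruteforce strategy) and one for a single source trying many different accounts (password spraying), plus a third alert when a flagged source then logs in successfully so that it is triaged first. The log format, the thresholds and the addresses are all assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log lines for the demo (not taken from any real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd: Failed password for admin from 198.51.100.7
2024-03-01T09:00:02 sshd: Failed password for admin from 198.51.100.7
2024-03-01T09:00:03 sshd: Failed password for admin from 198.51.100.7
2024-03-01T09:00:04 sshd: Failed password for admin from 198.51.100.7
2024-03-01T09:00:05 sshd: Accepted password for admin from 198.51.100.7
2024-03-01T09:05:00 sshd: Failed password for alice from 203.0.113.9
2024-03-01T09:05:01 sshd: Failed password for bob from 203.0.113.9
2024-03-01T09:05:02 sshd: Failed password for carol from 203.0.113.9
2024-03-01T09:30:00 sshd: Failed password for alice from 192.0.2.44
2024-03-01T09:31:00 sshd: Accepted password for alice from 192.0.2.44
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password "
                     r"for (?P<user>\S+) from (?P<src>\S+)$")

def parse(log_text):
    """Turn matching log lines into (timestamp, result, user, source) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events

def detect_bruteforce(events, max_failures=4, min_users=3, window=timedelta(minutes=10)):
    """Return (rule, source, user) alerts: repeated_failures, password_spray, and
    success_after_failures when an already-flagged source later logs in successfully."""
    alerts, flagged = [], set()
    failures = defaultdict(list)  # source -> [(ts, user)] kept within the window
    for ts, result, user, src in events:
        recent = [f for f in failures[src] if ts - f[0] <= window]  # drop old failures
        if result == "Failed":
            recent.append((ts, user))
            distinct = len({u for _, u in recent})  # accounts tried by this source
            if src not in flagged and (len(recent) >= max_failures or distinct >= min_users):
                rule = "repeated_failures" if len(recent) >= max_failures else "password_spray"
                alerts.append((rule, src, user))
                flagged.add(src)
        elif src in flagged:  # an Accepted login from a source that was already suspicious
            alerts.append(("success_after_failures", src, user))
        failures[src] = recent
    return alerts
```

The single failure followed by a success from 192.0.2.44 stays below both thresholds and raises nothing, which is the behaviour you want for a user who mistyped a password once.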
Configure protective measures on your Endpoint Detection and Response (EDR) or endpoint security application to block unwanted and unknown files from running. Microsoft Defender for Endpoint and AppLocker both allow your IT department to control which apps and files can execute. A well configured endpoint protection platform or EDR will also help detect, block and quarantine malicious files that are downloaded onto the system. It is good practice to log telemetry from these tools to use as a data source for hunting. Having an up-to-date threat intelligence feed can provide up-to-the-minute detection of “known bad” files.