- Attackers target Managed Service Providers (MSPs) to gain access to client organizations.
- Prices for the different levels of access sold by cybercriminals start at $1000.
Breaching the networks of victim organizations to deploy malware is not always the attackers' ultimate motive. Cybercriminals have now gone one step further and are offering access to these compromised networks at different prices on underground markets.
What is the offered price?
Levels of access to a compromised network are offered to buyers on dark web markets for a price starting at $1000. The price can go up to $4500 depending on how deeply the hackers have infiltrated.
Which is the most targeted industry?
Entities from various sectors have been breached. However, it is the Managed Service Providers (MSPs) that attract the highest number of attacks from cybercriminals.
SentinelOne reports that over the last 3 to 4 years, there have been several attacks on MSPs by notorious ransomware families such as Snatch, Sodinokibi, Ryuk and Maze.
MSPs are lucrative targets for attackers because compromising a single MSP lets them reach multiple targets or environments. In some situations, MSPs can also be abused to gain persistence on a network while evading detection by security controls such as firewalls and intrusion detection systems (IDS).
What services from MSPs are offered on the dark web?
Criminal vendors offer a variety of MSP access, based on either single accounts or privileged accounts. These breached accounts can allow a bad actor to gain full persistence through root shells or remote consoles.
Types of access offered by threat actors include:
- Sets of executive-level credentials,
- Administration of various content management portals (law firms, schools, hospitals),
- Direct mail server access, and
- Full “root” access to *everything*.
Companies can reduce the risk of an intruder taking root on their network or moving laterally by implementing security measures such as:
- Enabling multi-factor authentication;
- Network segregation;
- Monitoring network traffic to and from public sharing and collaboration services;
- Restricting the use of known adversarial tools such as Mimikatz, PStools, VNC, TeamViewer, etc.
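As an added example (not part of the original article), here is one way to monitor for the tools named in the last item, run over constructed records shaped like Sysmon process-creation (Event ID 1) events. The file-name watchlist, the approved host and all sample hosts and users are assumptions for illustration; the check also compares the name embedded in the binary, so a renamed copy is still flagged.

```python
import ntpath

# Watchlist built from the tools named in the list above. The file names are
# assumptions for illustration; extend them from your own software inventory.
WATCHLIST = {
    "mimikatz": {"mimikatz.exe"},
    "pstools": {"psexec.exe", "psexec64.exe", "psexec.c", "psexesvc.exe"},
    "vnc": {"winvnc.exe", "vncserver.exe", "tvnserver.exe"},
    "teamviewer": {"teamviewer.exe", "teamviewer_service.exe"},
}

# Hypothetical allowlist: (host, tool) pairs where IT has approved the tool.
APPROVED = {("HELPDESK-01", "teamviewer")}

def classify(event):
    """Return (tool, reason) if the event runs a watched tool, else None."""
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    for tool, names in WATCHLIST.items():
        if image in names:
            return tool, "image name"
        if original in names:
            # On-disk name differs from the name embedded in the binary.
            return tool, "renamed binary"
    return None

def find_violations(events):
    """Return (host, user, tool, reason) for every unapproved execution."""
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit and (ev["Computer"], hit[0]) not in APPROVED:
            alerts.append((ev["Computer"], ev["User"], hit[0], hit[1]))
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "HELPDESK-01", "User": "CORP\\it.support", "Image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe", "OriginalFileName": "TeamViewer.exe"},
    {"Computer": "FIN-WS-07", "User": "CORP\\jdoe", "Image": "C:\\Users\\jdoe\\Downloads\\TeamViewer.exe", "OriginalFileName": "TeamViewer.exe"},
    {"Computer": "SRV-FILE-02", "User": "CORP\\svc_backup", "Image": "C:\\Windows\\Temp\\svchost32.exe", "OriginalFileName": "mimikatz.exe"},
    {"Computer": "FIN-WS-07", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"},
]

if __name__ == "__main__":
    for alert in find_violations(SAMPLE_EVENTS):
        print(alert)
```

Name matching is only a first filter: a binary recompiled with different metadata passes it, so pair it with application allowlisting on the endpoints.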