Accenture's Cyber Threat Intelligence team recently outlined a growing collaboration between network access sellers and ransomware gangs. Cybercriminals are increasingly offering initial access to already-compromised companies on underground forums, and ransomware groups are buying it.
Researchers have warned that hackers have been seen selling credentials for RDP connections, Citrix, and Pulse Secure VPN clients to ransomware groups such as Avaddon, Exorcist, Lockbit, Maze, NetWalker, and Sodinokibi.
- With such deals, ransomware operators get direct access to corporate and government networks, so they can concentrate on establishing persistence and moving laterally.
- The network-access sellers have been observed using attack vectors such as remote working tools (which proliferated as a result of the Covid-19 pandemic), zero-day exploits (custom or self-developed), and malware such as the Cerberus Trojan (whose source code was leaked) to obtain corporate network access for later sale.
- The network access credentials are usually offered between $300 and $10,000, depending on the size and revenue of the victim.
The destructive relationship
As of September, Accenture has tracked more than 25 persistent network access sellers, as well as the occasional one-off seller, with more entering every week.
- In August, four actors were seen using the source code of the Cerberus Trojan (leaked in July) to obtain corporate and government network access credentials, which they sold to other cybercrime groups for a handsome profit.
- In July, the threat actor Frankknox aborted the sale of a self-developed zero-day exploit targeting a well-known brand of mail server and instead began exploiting the vulnerability to gain corporate network access to multiple victims. As of September, Frankknox had advertised access to 36 corporations for between $2,000 and $20,000, of which at least 11 they claim to have sold.
The evolving threatscape
Network access selling has progressed from a niche underground offering to a central pillar of criminal underground activity. The pairing of initial access brokers with ransomware groups will continue to thrive in 2020 and beyond, earning the cybercriminals behind it large profits and greater efficiency.