Initial access merchants, or actors who offer to sell compromised network access, are key enablers in the financially motivated cybercriminal underground. Once these vendors offer access to an organization on cyber underground forums, it is likely RaaS affiliate programs will purchase and use it for an attack. Purchasing access may significantly reduce the amount of time it takes ransomware operators to conduct an attack by enabling reconnaissance of systems and the identification of key data earlier and with greater ease.
It’s probable that as initial access advertisements become increasingly common on underground forums, ransomware operators will look to recruit prominent and trustworthy actors to form partnerships with. At the same time, it is likely network access vendors will start to recognize they can save time and effort by making offers directly to highly-active ransomware affiliate programs.
The actors
One of the most active initial access merchants in the first quarter of 2022, who Intel 471 refers to as Jupiter, is a veteran of the cybercrime underground. While Jupiter has been active in forums since 2010, this actor has been known for selling initial access to organizations since September 2020, when they first emerged on a well-trafficked cybercrime forum.
Intel 471 researchers observed 1,195 offerings from Jupiter, with access coming via compromised Citrix, Microsoft Remote Desktop Web (RDWeb) and Pulse Secure virtual private network (VPN) credentials, impacting organizations worldwide. When comparing those advertisements against ransomware attacks, Intel 471 observed 3 times over the first six months of 2022 where there was overlap between advertised access to an organization and a ransomware attack taking place.
Of those 3 attacks, they were targeted by the ransomware groups Avaddon, Black Cat and Pysa/Mespinoza.
Another prominent access broker, which Intel 471 refers to as Neptune, has sold network access on popular cybercriminal forums since June 2020. In 2021, this actor listed access to 1,146 organizations for sale, allegedly by purchasing logs across underground forums and directly from malware log vendors. The actor sold credentials tied to organizations in numerous industries, with the most prevalent being banking and securities, education, government and information technology (IT) or technology consulting. Of the organizations connected to those credentials, 24 overlapped with ransomware attacks that were publicly listed on name-and-shame blogs, with over half the attacks (14) carried out with the Pysa/Mespinoza ransomware.
In 2022, Neptune has offered 1,303 credentials for sale on various cybercrime forums. As of this writing, Intel 471 cannot determine if any of these credentials overlap with ransomware attacks carried out in this time period.
Neptune focused sales on compromised Citrix, VMware Horizon and other VPNs. Intel 471 also observed the actor searching for long-term cooperation and partnerships with other actors seeking to monetize Citrix and VPN accesses and corporate network.
The third-most active access broker in the first quarter of 2022, which Intel 471 refers to as Saturn, established working relationships with a number of RaaS gangs. While they have not offered as many victims as the aforementioned two actors in this article, Saturn has been fairly active this year, primarily advertising access to organizations’ Cisco AnyConnect instances. The impacted organizations were located in 29 different countries, with Austria, Canada, Germany, Indonesia, and the United States hosting the most impacted entities. While Saturn advertised these credentials as unique, Intel 471 observed that other access brokers offered some of the same credentials in their own advertisements. It remained unclear whether Saturn and other actors harvested access credentials from the same source or if they compromised different accounts of the same entities.
Of Saturn’s advertised credentials, Intel 471 observed that two different RaaS gangs — Groove and RansomExx — attacked organizations that were in Saturn’s advertisements.
Where the trend is going
As ransomware continues to proliferate, operators will increasingly acknowledge the benefits of purchasing access from merchants, with these vendors moving to work directly with the most prominent groups that are willing to offer the highest price possible. Additionally, as relationships strengthen, ransomware groups may identify a victim who they wish to target and the access merchant could provide them the access once it is available.
Over time, access merchants likely will be paid more substantial cuts of a ransom as they increase the quality and quantity of accesses, which will in turn improve their relationship with ransomware operators and lead to more private conversations. It also is likely the frequency of attacks will increase as this relationship could make deploying malware more convenient since ransomware operators would have readily available accesses. Additionally, it is likely we will see increased operational security efforts from operators, merchants and newcomers as law enforcement continues to target and charge cybercriminals.
The access broker and ransomware operator dynamic also can create a long-term impact when it comes to the completion of the attack cycle. Despite the average time we observed from initial offer to claim of compromise, some groups breached organizations far later – sometimes not until the next calendar year.
How to prevent these attacks
Ransomware operators perpetually seek to improve their attack success rates. Purchasing access to organizations allows threat actors to reduce the amount of time it takes to enter an environment. Additionally, they can easily target organizations in certain industries and locations or with specific revenue amounts by searching for the exact type of access in the highly organized cyber underground. Therefore, organizations must adapt to match the evolution of cybercrime as relationships between initial access merchants and ransomware affiliate programs grow.
It is important to maintain awareness that the offer or sale of access to an organization on an underground forum is a critical indicator a ransomware attack could occur in the future. We also recommend monitoring for third-party risk. It is possible an organization whose access was offered could be breached so an actor can gain access to another company associated with the network that may be of more value to the actor, such as having a greater revenue or number of employees.
Intel 471 analysts will be providing more insights to enable a better understanding of the connection between network access offerings and ransomware breaches at the SANS Ransomware Summit on June 16. You can register here.