News
Security and Privacy

Cybercrime Enablers

Initial Access Brokers sell unauthorized access.

Posted
Credit: Getty Images tech system opening, illustration

Try thinking of Initial Access Brokers (IABs) as criminals who sell house keys to burglars. IABs, or breach brokers, sell unauthorized network access to cyber attackers, who use it to enter a target network and launch their attacks.

According to an unnamed source at the U.S. Federal Bureau of Investigation (FBI), attackers rely on IABs to facilitate illicit actions, including Business Email Compromise (BEC), elder fraud, ransomware, and romance and tech support scams.

In 2021, Kela Cyber Threat Intelligence found that almost 300 IABs had posted more than 1,300 unauthorized network access listings for sale on cybercrime forums, according to a Kela blog.

According to Michael Nizich, adjunct associate professor of computer science at the New York Institute of Technology (NYIT), IABs are the first to identify vulnerabilities and gain access in ways of which no one else is aware. They sell access to systems at high-profile public companies to the highest bidder, he said.

Cyber attackers who are not IABs may play the role of an IAB, given the opportunity. According to Nizich, ransomware groups that discover a new way into an organization but don’t want to use it, sell that access.

Salable unauthorized access includes breached credentials, such as Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) passwords. According to Kurt Seifried, director of special projects for the Cloud Security Alliance, IABs use phishing and other methods to gather credentials, in order to gain access. “Brute force password guessing still works to gather credentials, but it shouldn’t. We should use password managers and passkeys or move beyond passwords,” said Seifried.

RDP credentials are popular with IABs because there are so many. COVID forced many to work from home, which triggered an unprecedented increase in RDP accounts. As a result, the greater the haul of stolen credentials, the greater their reward.

IABs deal in device fingerprints, browser cookies, and Remote Code Execution (RCE) vulnerabilities—anything attackers can use to get inside a target network. According to Seifried, RCE is one way to gain access to a user’s device, via a flaw in their Web browser. According to SC Media, Google patched an RCE vulnerability in its Chrome Web browser in February.

According to Keith Jarvis, a senior security researcher at cybersecurity company Secureworks, the LAPSUS$ hacking group frequented dark web marketplaces like the Genesis Market. The group purchased cookies from the market to gain access to enterprise networks. According to Forbes, the LAPSUS$ hacking group, primarily teenagers, is notorious for high-profile attacks on government and corporate targets and for using sophisticated malware and encryption techniques.

In May 2023, the Black Basta ransomware group infected ABB Group, according to BleepingComputer. ABB, a robotics and process automation company, is one of the most prominent victims of Black Basta ransomware attacks.

Black Basta and other ransomware groups have used the Qbot malware and botnet to gain initial access, according to BleepingComputer. According to a Europol release, a group of organized criminals operated Qbot, which also is known as Qakbot.

According to a U.S. Justice Department press release, in April 2023, the department took down the Genesis Market dark web marketplace, which sold device fingerprints, including device identifiers and browser cookies, to gain access to user accounts on websites.

According to the unnamed FBI source, the FBI targets IABs, such as the Genesis Market and Qakbot. This targeting demonstrates the importance the FBI places on IABs in investigating and dismantling the cybercriminal ecosystem.

IABs don’t hold on to access for very long. According to NYIT’s Nizich, IABs sell initial access as soon as possible since it becomes less valuable the longer they wait. The risks to the IAB are that the organization discovers and closes the vulnerability, or that some other criminal finds and uses it before they can sell it.

According to the Secureworks 2022 State of the Threat report, the median time between initial access and ransomware detonation in intrusions is 4.5 days. However, some outliers still keep access for months before infecting the victim company with ransomware.

Said Jarvis, “I remember one anecdote where there was a botnet infection on a single server for over 18 months. It just sat there churning idly away. Finally, someone popped through it, and they were able to ransom that organization successfully.”

According to Seifried, initial access can remain undetected because the systems that go unpatched belong to organizations with limited or no security budgets, so additional controls such as monitoring and response are often weak, or simply don’t exist.

While IABs are a serious component of modern cyberattacks, they don’t increase the attack aftermath. They make life easier for ransomware groups and script kiddies who pay for turnkey solutions such as Ransomware-as-a-Service (RaaS).

According to Seifried, the existence of IABs shows a maturing ecosystem with markets for initial access; ransomware groups want to use ransomware, they do want to not spend time breaking into companies’ networks.

David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More