A recent discovery of three separate threat groups using the same infrastructure to carry out a range of malicious activity has focused fresh attention on the growing role of so-called initial access brokers (IABs) in the underground cybercrime economy.
IABs are threat groups that typically break into a target network and then sell access to that network to the highest bidder in Dark Web markets. In some instances, they might simply facilitate the sale of access to a compromised network by providing middleman services.
Security experts consider such operators as a growing threat because they allow cybercriminals — of almost any caliber — to get on a network quickly and with little effort of their own. Just like IaaS providers allow legitimate organizations to scale operations relatively easily, IABs are giving threat actors the ability to steal data, deploy ransomware, and distribute malware without having to worry about reconnaissance and initial intrusion activity.
“[The business model] resembles a relationship that a legitimate business organization would call ‘channel partners’,” says Eric Milam, vice president of research and intelligence at BlackBerry, which recently discovered one such IAB that it is now tracking as Zebra2104. “It has been said before how much cybercrime organizations often operate like regular businesses. This is another facet of the legitimate business world that they have adopted, simply because it works so well.”
BlackBerry security analysts stumbled on Zebra2104’s operation recently when conducting research for a book. The company’s researchers observed a domain that they had encountered in a previous threat hunt and decided to investigate further.
The effort showed that two ransomware groups — MountLocker and Phobos — and another cyber-espionage-motivated advanced persistent threat group called StrongPity had separately used the same infrastructure in their campaigns at various points. Telemetry that BlackBerry’s researchers unearthed and analyzed showed that Zebra2104 had provided the initial access into victim environments to each threat group.
“The threat groups used the infrastructure in differing ways,” Milam says. The operators of MountLocker and Phobos used the infrastructure that Zebra2104 provided to deploy Cobalt Strike Beacons and their namesake ransomware for financial gain. The StrongPity gang, meanwhile, deployed its own namesake malware primarily to steal data.
“To the best of our knowledge, the threat groups did not use the compromised networks at the same time, as this would not make sense from a logistical standpoint,” Milam says.
BlackBerry researchers were not able to determine how the three disparate threat groups managed to conceal their campaigns from the victim organizations. It’s also unclear if Zebra2104 gained access to the compromised environment itself or if it was a middleman between parties. If it had indeed been the one to break into the environment, the initial access could have happened in any of multiple ways, including via spear-phishing, compromised or weak passwords, vulnerability exploits, or a malicious insider.
One thing that BlackBerry researchers discovered was that the infrastructure to which Zebra2104 was selling access has strong ties to a malicious spam campaign that Microsoft reported earlier this year. “It is likely that this is a key factor in gaining initial access, as phishing represents one of the largest initial infection vectors for threat actors today,” Milam says.
Digital Shadows, which has been tracking IABs since 2016, earlier this year reported an increase in the use of IABs among cybercriminals. The company attributed the growing popularity to the sharp increase in relatively weakly protected remote access networks and virtual private networks since the COVID-19 pandemic forced a shift to a more distributed work environment.
Digital Shadows found that IABs most frequently offered compromised Remote Desktop Protocol (RDP) systems and VPNs as initial access points for their customers. In the third quarter of 2021, the average price that IABs charged for access to a compromised VPN was $1,869 — up from $1,446 previously. For RDP systems, the average price was $1,902. IABs most frequently provided access to networks belonging to organizations in the retail, technology, and industrial goods and services sectors.
“Initial access brokers have become a mainstay of cybercriminal activity, and this has coincided with the trend of global cybercrime becoming more streamlined and efficient,” says Chris Morgan, threat intelligence analyst at Digital Shadows. He predicts that the IAB activity levels observed in the third quarter of this year will likely either continue or increase into the fourth quarter and into 2022.
Morgan says the types of threat actors purchasing IAB listings are diverse, but the biggest users are ransomware groups. “The majority of IAB listings will likely only provide access to a subset of systems and servers” on a victim network, he says. However, buyers almost always get a consistent and stable access point into the target’s network, from which the actor can then establish persistence and move laterally.
“The listing will be highly dependent on a number of factors, which include the targeted company’s architectural design and security principles in use — including network segmentation and access management,” Morgan notes.
The prices that IABs charge are influenced by several factors, including an organization’s size and the type of information that could be accessed from its network. In some cases, prices are tied to the annual revenue of a company — the higher the revenue, the higher the initial access cost.
“For VPN and RDP,” Morgan says, “the IAB will typically sell a credential pairing of a username and password, along with a specific IP port.”
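As an added defensive illustration (not from the article, BlackBerry, or Digital Shadows), the following Python script runs over constructed VPN and RDP logon lines and flags an account whose credential pairing is used from several unrelated source networks within a week, which is the reuse pattern a resold VPN or RDP credential tends to produce. The log format, hostnames, usernames and addresses are all assumed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed syslog-style format, not from the article).
SAMPLE_LOGS = """\
2021-10-04T08:02:11Z vpn-gw accepted user=jdoe src=203.0.113.10 proto=ssl-vpn
2021-10-04T08:30:45Z vpn-gw accepted user=jdoe src=203.0.113.10 proto=ssl-vpn
2021-10-05T01:12:03Z vpn-gw accepted user=jdoe src=198.51.100.77 proto=ssl-vpn
2021-10-06T23:44:19Z rdp-gw accepted user=jdoe src=192.0.2.55 proto=rdp
2021-10-06T09:10:00Z vpn-gw accepted user=asmith src=203.0.113.22 proto=ssl-vpn
2021-10-07T09:12:41Z vpn-gw accepted user=asmith src=203.0.113.22 proto=ssl-vpn
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) accepted user=(?P<user>\S+) "
    r"src=(?P<src>\S+) proto=(?P<proto>\S+)$"
)


def parse_logons(text):
    """Parse accepted remote logons into (timestamp, user, source IP, protocol)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not an accepted VPN/RDP logon
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"], m["proto"]))
    return events


def flag_shared_credentials(events, window=timedelta(days=7), max_sources=1):
    """Return {user: sorted source IPs} for accounts whose VPN/RDP logons came from
    more distinct source IPs than expected inside a sliding window. One username and
    password pair being used from several unrelated networks is what resold access
    looks like from the defender's side, so these accounts deserve review."""
    by_user = defaultdict(list)
    for ts, user, src, _proto in events:
        by_user[user].append((ts, src))
    flagged = {}
    for user, hits in by_user.items():
        hits.sort()  # chronological order so each window starts at a real logon
        for i, (start, _) in enumerate(hits):
            srcs = {src for ts, src in hits[i:] if ts - start <= window}
            if len(srcs) > max_sources:
                flagged[user] = sorted(srcs)
                break
    return flagged
```

Thresholds such as the window and the allowed number of source IPs are assumptions to tune against a given environment's baseline of roaming users.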