Initial Access Brokers Fueling Cybercrime Ecosystem
Severity: High (Score: 66.5)
Sources: Computing, flare.io
Summary
Initial access brokers (IABs) are specialized cybercriminals who gain unauthorized access to corporate networks and sell that access to other threat actors. They exploit vulnerabilities in systems, such as VPNs and RDP, and use methods like phishing to compromise organizations. Once access is obtained, IABs list it for sale on dark web forums, with prices ranging from $500 to $50,000 depending on the target's size and access quality. This commodification of network access has accelerated ransomware attacks and made the cybercrime ecosystem more efficient. IABs are not necessarily inexperienced; they often have specialized skills and maintain reputations on forums. The relationship between IABs and ransomware groups has become formalized, with some groups integrating IAB capabilities in-house. Monitoring IAB listings is critical for threat intelligence teams to prevent potential breaches.
Key Points:
- Initial access brokers specialize in gaining and selling unauthorized access to networks.
- Access prices vary significantly, with high-value targets costing tens of thousands.
- IABs play a crucial role in the ransomware ecosystem, enabling faster and more efficient attacks.
Key Entities
- Brute Force (attack_type)
- Data Breach (attack_type)
- Phishing (attack_type)
- Ransomware (attack_type)
- T1021 - Remote Services (mitre_attack)
- T1041 - Exfiltration Over C2 Channel (mitre_attack)
- T1068 - Exploitation for Privilege Escalation (mitre_attack)
- T1078 - Valid Accounts (mitre_attack)
- T1110 - Brute Force (mitre_attack)
- Active Directory (platform)
- Citrix (company)
- Lockbit (ransomware_group)