Ransomware groups are taking advantage of opportunities to purchase network access on dark web forums to quickly compromise networks across a variety of industries and unleash their disabling malware. Network Access Sellers specialize in gaining access to corporate and government networks, which they then sell to other cyber-crime groups for a handsome profit. These cyber-crime groups can use purchased network access to skip the typically difficult work of gaining initial access, establishing persistence, and moving laterally across a network.

What is a network access seller? 

Network Access Sellers typically exploit an initial vulnerability and then work their way through the victim network until they hold complete corporate network access. Once that access is gained, the network access sellers sell it on dark web forums, usually for anywhere between US$300 and US$10,000, depending on the size and revenue of the victim.

The majority of network access offerings are advertised on underground forums with some or all of the following information:

  • Generalized victim industry information (for example private corporation, medical institution, governmental agency, educational, etc.)
  • Country the victim operates in
  • Type of access for sale (for example “VPN”, “Citrix”, “RDP”)
  • Number of machines on the network
  • Additional company information (for example number of employees and revenue)

The amount of information provided can occasionally lead to the identification of the victim.

Network access sales are highly profitable

Accenture CTI assesses that the network access market has been driven by the increased diversity of ways that data can be monetized. Previously, cyber criminals wishing to make a profit on underground forums primarily targeted financial data due to its ease of monetization. However, the Nikolay threat-group (aka Fxmsp) popularized selling network accesses beginning in 2018 by proving there was a large demand for their service and that regular sales could be highly profitable[1]. Although financial data remains central to underground economies, sensitive Personally Identifiable Information (PII) and company data, or the promise of access to this data, is profitable because this data can be further monetized through direct sale or by holding it ransom.

A destructive overlap with ransomware gangs

Since the start of 2020 and the emergence of the now-popular ‘ransomware with data theft and extortion’ tactics, ransomware gangs have successfully utilized dark web platforms to outsource complicated aspects of a network compromise. A successful ransomware attack hinges on the development and maintenance of stable network access, which comes with a higher risk of detection and requires time and effort. Access sellers fill this niche market for ransomware groups.

As of September 2020, we actively track more than 25 persistent Network Access Sellers as well as the occasional one-off seller, with more entering the scene on a weekly basis. Network Access Sellers operate on the same forums as actors associated with the ransomware gangs Maze, Lockbit, Avaddon, Exorcist, NetWalker, Sodinokibi, and others.

We assess with high confidence that this ecosystem will continue to thrive, so long as reputable, invite-only dark web forums provide the platform on which network access sellers and ransomware gangs can securely exchange goods and services.

The evolving threatscape

Tracking network access sellers across different platforms has allowed us to observe evolving trends:

  • An increasing number of actors, spearheaded by prolific access seller ellis.J.douglas, are cataloguing breached companies by industry, country, access-level, price, and other factors and advertising them on a single thread, allowing for a streamlined purchasing process for potential buyers (see Exhibit 1). This ensures that network access buyers do not have to monitor multiple threads across several platforms and allows for easier identification of access availability to a specific desired industry.

Exhibit 1: Post on a dark web forum by network access seller ellis.J.douglas

  • While compromised Remote Desktop Protocol (RDP) connections remain the most common attack vector used by threat actors to gain access to corporate networks, Network Access Sellers have increasingly mentioned compromised Citrix and Pulse Secure VPN clients in their advertisements. We assess that Network Access Sellers are taking advantage of remote working tools as more of the workforce works from home as a result of the Covid-19 pandemic.
  • Network Access Sellers are beginning to utilize zero-day exploits (exploits for vulnerabilities that have not yet been patched) to compromise networks and sell the access rather than selling the zero-day exploit itself. For example, in July, the threat actor Frankknox advertised the sale of a self-developed zero-day targeting a well-known brand of mail server for US$250,000, for which multiple offers were received. However, Frankknox aborted the sale and began exploiting the vulnerability to gain corporate network access to multiple victims, each of which could be individually sold. As of September 4, 2020, Frankknox has marketed access to 36 corporations for between US$2,000 and US$20,000, of which at least 11 they claim to have sold.
  • Several threat actors have claimed they are repurposing Cerberus from a mobile-banking trojan into a network access tool after its creator (known as ANDROID) released the source code for free on dark-web forums in August 2020. We are currently tracking four actors wishing to evolve Cerberus, but there are undoubtedly more working on the source code. We assess it is likely that the Cerberus source code will be utilized by Network Access Sellers and ransomware groups to attempt corporate network access in the future.

Outlook favours this destructive duo

Network access selling has progressed from a niche underground offering throughout 2017 to a central pillar of criminal underground activity in 2020. Although it is difficult to prove that an advertised network access is linked to a specific ransomware attack, from analysis of threat actor activity we assess with high confidence that some of the accesses are being purchased by ransomware groups and affiliates, thereby enabling potentially devastating ransomware attacks on corporate entities.

While compromised RDP connections remain the primary initial entry vector used by Network Access Sellers, these actors are increasingly diversifying their methods, which poses a threat to current mitigation efforts and substantially expands a corporation's exploitable attack surface.

We assess with high confidence that the relationship between initial access broker and ransomware group will continue to thrive in 2020 and beyond, earning the threat actors behind it huge profits. This symbiotic relationship facilitates continuous targeting of government and corporate entities and streamlines the network compromise process, allowing cyber criminals to act quicker and more efficiently.

Mitigation

Industry-wide action is necessary to disrupt this new, highly destructive ecosystem. To help reduce the risk of network compromise and ransomware attacks, businesses are advised to adhere to the following steps, where appropriate:

  • Establish a proactive dark web hunting and monitoring capability to determine your organization’s risk profile and identify potential threats.
  • Regularly back up data, test the backups, and keep the backups disconnected from the networks and computers they protect.
  • Employ best practices for using remote desktop protocol (RDP), such as auditing the network for systems using RDP, closing unused RDP ports, applying two-factor authentication wherever possible, and logging RDP logon attempts. Ensure employees receive awareness training to reduce their susceptibility to targeted attacks.
  • Set anti-virus and anti-malware solutions to automatically update and conduct regular scans.
  • Formulate robust Incident Response plans, Business Continuity Plans and Disaster Recovery Plans, and simulate a media response to a successful attack if appropriate.
  • Incorporate response plans for malware or wiper attacks into the organization's continuity of operations plan.
  • Check network logs for indicators related to known ransomware.
  • Train users to identify and safely handle social engineering emails that could be part of a phishing campaign.
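Two of the steps above, logging RDP logon attempts and checking logs for indicators, can be turned into a small detection. The following is an added example, not code from the post or from Accenture: it runs over constructed Windows Security log records (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP) and flags a successful RDP logon that follows a burst of failures from the same address, and lists hosts that accepted RDP logons from outside an assumed RFC 1918 internal range. Event field names and the sample data are assumptions.

```python
import ipaddress
from collections import namedtuple
from datetime import datetime, timedelta

# Windows Security log: 4625 = failed logon, 4624 = successful logon;
# logon type 10 (RemoteInteractive) is an RDP session.
FAILED, SUCCESS, RDP = 4625, 4624, 10
# Assumed internal address space (RFC 1918); adjust to your own ranges.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
Event = namedtuple("Event", "ts event_id logon_type user src_ip host")

# Constructed sample data (not from the post): six failed RDP logons to FS01 from
# one outside address, then a success from it, plus normal internal activity.
SAMPLE_EVENTS = [
    Event(f"2020-09-01T02:0{i}:10", FAILED, RDP, "administrator", "203.0.113.5", "FS01") for i in range(6)
] + [
    Event("2020-09-01T02:07:42", SUCCESS, RDP, "administrator", "203.0.113.5", "FS01"),
    Event("2020-09-01T09:15:00", SUCCESS, RDP, "jsmith", "10.0.4.17", "WS22"),
    Event("2020-09-01T09:16:00", SUCCESS, 2, "jsmith", "-", "WS22"),  # console logon, ignored
]

def _ts(e):
    return datetime.fromisoformat(e.ts)

def rdp_success_after_failures(events, min_failures=5, window=timedelta(minutes=10)):
    """Successful RDP logons preceded by >= min_failures failed RDP logons from the same source within `window`."""
    rdp = sorted((e for e in events if e.logon_type == RDP), key=_ts)
    hits = []
    for i, e in enumerate(rdp):
        if e.event_id != SUCCESS:
            continue
        start = _ts(e) - window
        fails = sum(1 for f in rdp[:i]
                    if f.event_id == FAILED and f.src_ip == e.src_ip and _ts(f) >= start)
        if fails >= min_failures:  # footprint of a guessed or sprayed RDP credential
            hits.append((e.host, e.user, e.src_ip, e.ts))
    return hits

def rdp_exposed_hosts(events):
    """Hosts that accepted an RDP logon from outside INTERNAL: a quick audit of RDP reachable from the internet."""
    exposed = set()
    for e in events:
        if e.event_id == SUCCESS and e.logon_type == RDP:
            try:
                ip = ipaddress.ip_address(e.src_ip)
            except ValueError:  # "-" or missing address
                continue
            if not any(ip in net for net in INTERNAL):
                exposed.add(e.host)
    return sorted(exposed)
```

Feed it the same fields exported from your SIEM or the Security event log; a hit from `rdp_success_after_failures` is the kind of event that precedes the access being offered for sale.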


Accenture Security

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

 ___

[1] https://threatpost.com/notorious-hacker-fxmsp-outed/157275/

Paul Mansfield

Cyber Threat Intelligence Analyst


Thomas “Mannie” Willkan

Cyber Threat Intelligence Consultant
