23.05.2020

Darkweb market packed with offers to purchase access to corporate networks

Positive Technologies experts have analysed illegal marketplaces on the dark web and found a flood of interest in accessing corporate networks. In Q1 2020, the number of postings advertising access to these networks increased by 69 percent compared to the previous quarter. This may pose a significant risk to corporate infrastructure, especially now that many employees are working remotely.

Access for Sale

"Access for sale" on the darkweb is a generic term, referring to software, exploits, credentials, or anything else that allows illicitly controlling one or more remote computers. Successfully hacking a website, web server, database, or workstation means that the attacker has access. This access can be transferred or sold to third parties, just like house keys. But for our purposes here, we will only cover access to servers and workstations.

Growing market

Only one or two years back, criminals seemed to be more interested in individual servers. Access to them was sold on the darkweb for up to $20 a pop. However, starting in the second half of 2019, we have seen an increasing number of postings on hacker marketplaces advertising access to local corporate networks.

Some buyers offer lucrative terms and an ongoing relationship. For example, they may pay out a commission of up to 30 percent of the potential profit for a hack of the infrastructure of a company with annual income exceeding $500 million.

Demand creates supply:

At the end of 2019, over 50 accesses to the networks of major companies from all over the world were publicly available for sale. Among the victims were some rather large companies, with annual income running into the hundreds of millions or even billions of dollars. 

In the U.S., criminals mostly sell access to service sector companies (20%), industrial companies (18%), and government institutions (14%). In Italy, the order is reversed: industrial companies (25%) are followed by service sector companies (17%). In the United Kingdom, the service sector accounts for 33 percent, science and education for 25 percent, and finance for 17 percent. Government institutions (20%) and healthcare (10%) lead in Brazil. In Germany, IT and services each account for 29 percent of accesses for sale. Australia ranks sixth; most offers there involve access to government or science and education organizations. However, by their nature these statistics give a limited picture: in 17 percent of cases, the sellers do not indicate any country in their posts, and many sellers may not advertise their wares at all. In general, the asking price is in the range of $500 to $100,000. The average cost of privileged access to a single local network is on the order of $5,000.

Ransomware affiliate programs

In the past, middling hackers had a hard time monetizing attacks: they did not have the skills to pursue an attack to the point of obtaining a payoff or valuable data. But with the current market demand, they can make a steady income by selling to other criminals. Buyers can then develop an attack on business systems or hire a team of more skilled hackers who can quickly obtain domain administrator privileges and infect critical servers with malware.

The first ones to use this scheme were ransomware operators, who bought access for a fixed price from one set of criminals and then hired other criminals to infect local networks with malware in return for a large percentage of the victim's ransom. On darkweb forums, this setup is known as a "ransomware affiliate program."

Consequences for companies

Large companies stand to become a source of easy money for low-skilled hackers. External attacks on corporate infrastructures will increase significantly. This issue is especially acute now that so many employees are working from home. Hackers will look for any and all security lapses on the network perimeter, such as an unprotected web application, unpatched software, or an incorrectly configured server with a weak administrator password. The larger the hacked company is, and the higher the obtained privileges, the more profitable the attack becomes.

Small and medium-sized companies are commonly believed to be at greater risk from script kiddies due to smaller investments in network security. Being able to spend more, large companies should be better protected. But penetration tests by our experts prove that even the largest companies are vulnerable: our testers find easy ways to penetrate local networks that do not require particular skill on the part of potential attackers. All the same, small and medium-sized companies have less money available to put into security and, therefore, are at even greater risk.

Companies should ensure comprehensive infrastructure protection, both on the network perimeter and within the local network. Make sure that all services on the perimeter are protected and that security events on the local network are properly monitored to detect intruders in time. Regular retrospective analysis of security events allows discovering previously undetected attacks and addressing threats before criminals can steal data or disrupt business processes.
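The retrospective review of security events recommended above can start with something very small. The following script is an added example, not Positive Technologies' code or part of the research it describes: it reads constructed authentication events (the "timestamp user source result" format is an assumption for this example) and flags a successful login that was preceded by a burst of failures from the same source, the pattern a guessed weak administrator password typically leaves behind. The threshold and time window are arbitrary starting values to tune against real logs.

```python
"""
Added example (not part of the original article): a minimal retrospective
check over authentication events. It flags an account that received a burst
of failed logins from one source followed by a success, which is consistent
with an attacker guessing a weak password on an exposed service.
The log format and the sample lines below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "timestamp user source_ip result"
SAMPLE_LOG = """\
2020-05-20T08:00:01 alice 10.0.0.5 success
2020-05-20T08:01:30 alice 10.0.0.5 failure
2020-05-20T08:01:45 alice 10.0.0.5 success
2020-05-20T08:02:10 admin 203.0.113.7 failure
2020-05-20T08:03:02 admin 203.0.113.7 failure
2020-05-20T08:03:55 admin 203.0.113.7 failure
2020-05-20T08:04:40 admin 203.0.113.7 failure
2020-05-20T08:05:31 admin 203.0.113.7 failure
2020-05-20T08:06:27 admin 203.0.113.7 failure
2020-05-20T08:07:12 admin 203.0.113.7 success
2020-05-20T08:10:00 bob 198.51.100.9 failure
2020-05-20T08:10:05 bob 198.51.100.9 failure
2020-05-20T08:10:10 bob 198.51.100.9 failure
2020-05-20T08:10:15 bob 198.51.100.9 failure
2020-05-20T08:10:20 bob 198.51.100.9 failure
"""

# Assumed tuning values: how many failures within how long count as a burst.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)


def parse(lines):
    """Turn raw log lines into (timestamp, user, source, result) tuples."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, user, source, result = line.split()
        events.append((datetime.fromisoformat(ts), user, source, result))
    return events


def find_suspicious_logins(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """
    Return one finding per successful login that was preceded, from the same
    source and for the same user, by at least `threshold` failures inside
    `window`. A single mistyped password (alice above) stays below the
    threshold; a burst with no success (bob above) is not reported here
    because nobody got in.
    """
    events = sorted(parse(log_text.splitlines()))
    failures = defaultdict(list)  # (user, source) -> timestamps of failures
    findings = []
    for ts, user, source, result in events:
        key = (user, source)
        if result == "failure":
            failures[key].append(ts)
        elif result == "success":
            recent = [t for t in failures[key] if ts - t <= window]
            if len(recent) >= threshold:
                findings.append({
                    "user": user,
                    "source": source,
                    "failures": len(recent),
                    "success_at": ts.isoformat(),
                })
            failures[key].clear()  # a success resets the burst counter
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logins(SAMPLE_LOG):
        print(f"{f['user']} from {f['source']}: {f['failures']} failures, "
              f"then success at {f['success_at']}")
```

Run against the sample it reports only the admin account from 203.0.113.7. Real logs arrive in many formats, so the parser is the part to replace; the sliding-window logic stays the same, and the same pass can be extended to report bursts that never succeeded as a perimeter hardening signal.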

Read the blog post and background research here